Breaches and fines have been big news recently. Community Health Systems (CHS) has been in the news lately because a malicious hacker, or group of hackers, was able to gain access to health records for 5.4 million people (CHS is a large system). The current speculation is that CHS could face fines of up to $150 million levied by OCR. The cause of the CHS breach was a vulnerability in OpenSSL (Heartbleed) that was discovered and made public over 4 months ago. CHS had not patched all of its servers. I assume CHS manages its own servers and likely has many, many applications; but Heartbleed was a very public vulnerability, and I’m surprised production systems were still unpatched months after disclosure. At Datica we updated all of our systems the same day the vulnerability was made public.
Looking at the CHS case, it is OCR that investigates the cause of the breach and determines the financial penalties. For covered entities (CEs), OCR enforces HIPAA. That’s because covered entities are the ones that ultimately own the ePHI; we’ve written before about data ownership and the inheritance of compliance obligations from covered entities to business associates. OCR anticipates many more investigations and fines over the next 12 months. In addition to OCR, states are increasingly cracking down on health data privacy and security, complicating compliance for both covered entities and business associates. For the purpose of this post, our focus is on OCR rather than the states.
While we have a few large CE customers like Blue Shield of California and the VA, the majority of our customers are business associates (BAs), and our customers’ customers are covered entities. Datica is a business associate or a subcontractor, depending on the customer. Business associates and subcontractors handle or process ePHI in some way for CEs or for other BAs. While OCR does investigate potential breaches by BAs, what you realize pretty quickly as a BA is that you have very little interaction with OCR and HHS when it comes to proving how you comply with HIPAA. As a BA, HIPAA is largely defined for you by the covered entities that are your customers.
We often help our customers when they reach the compliance and security stage of selling to a large CE (typically a hospital or payer). Our team has a lot of experience selling to and managing contracts with large CEs. We still work directly with large CEs today, and have even signed BAAs directly with CEs that are customers of our customers; this provides additional protection for our customers and transfers more of the compliance burden onto Datica. In our experience, CEs interpret the HIPAA rules for BAs. CEs impose this interpretation on BAs through spreadsheets, checklists, and long questionnaires on security, compliance, and privacy. It’s interesting that these security and privacy questions vary from CE to CE, though there is always some overlap (things like “When did you last test your disaster recovery plan?” and “What form of encryption do you use for data at rest?”).
Through these questions, CEs are interpreting HIPAA for BAs. Many of our customers are more interested in closing contracts with CEs than in completing full HIPAA audits, so the CE’s interpretation trumps OCR’s interpretation much of the time. And there are things CEs ask for that aren’t required by HIPAA, such as stating that “all business associates need to have hardware firewalls”; we’ve seen this with several customers, and it is the reason we host on AWS, Azure, Rackspace, and IBM SoftLayer.
These CE security and compliance questions are typically part of the contracting process, or at the very least the implementation process. They can significantly slow the closing and sales process for BAs, especially smaller startups using modern, cloud-based technologies. At Datica, we offer both HIPAA compliant infrastructure and content (white papers, audit reports, policies, etc.) that helps our customers demonstrate compliance to their customers. We also assist customers in completing these questionnaires and spreadsheets, and join phone calls with their customers’ security and compliance officers.