HIPAA and HITECH: Risks and rewards
Helping customers with HIPAA and HITECH regulations brings risks and rewards for security solution providers. The risk arises when a solution provider works with a customer that is a covered entity (CE): the solution provider is then a business associate (BA) in its own right and must itself be compliant with HIPAA or potentially face stiff penalties. The opportunity arises from the thousands of U.S. organizations, including thousands of HIPAA business associates, that since the 2010 changes to HIPAA have been struggling to become compliant as fast as they can; there are more potential customers in need of HIPAA compliance support than ever before.
The list of tasks that must be done by CEs and BAs is long. All BAs must appoint a security officer, provide training to all employees on a regular basis, and develop and enforce written policies and procedures. BAs and CEs must complete reviews of the risks of possible breach, corruption and destruction of protected health information (PHI). They must protect the systems required to keep PHI accurate and make it available for treatment and disclosure when required. The tasks include dealing with anything that could put the confidentiality, integrity and availability of PHI at risk. Both CEs and BAs must implement the administrative, physical and technical safeguards prescribed by the regulations. They must also be prepared to account for every disclosure of electronic health records (EHR) if requested by a patient or government auditor. BAs must report breaches to their CEs within a prescribed time, and the CE must then report any and all breaches of PHI to the affected patients. The CE must also report breaches to the U.S. Department of Health and Human Services and (in most cases) state officials.
So where's the specific opportunity, you ask? It is in the support role that you can provide, from guiding the risk assessment to remediating the risks identified and, finally, monitoring and maintaining the system to ensure the client is not only compliant, but can prove compliance in the event of a breach or random audit by the HHS Office for Civil Rights (OCR).
HIPAA security checklist: Potential service offerings
Here are just a few examples of HIPAA compliance services that a solution provider can offer to customers:
- Technical risk assessment: This requires looking at all aspects of risk, from physical and logical access control, to environmental threats such as flood, fire and loss of connectivity, to resistance against intrusion and disaster.
- Policy and procedure development: Developing accurate and complete policies and procedures that cover all of the categories of regulation is a daunting task for customers. They need guidance and support creating a viable balance between the need for security and privacy and the functional needs of the health care operation. This cannot be done by simply filling in off-the-shelf templates. It requires professional knowledge of the tools and protocols that make enforcement possible without interfering with clinical activity. Policies are only half the equation; procedures that enforce the policies are just as vital and necessary.
- PHI inventory and classification: This is one area where many organizations fall short. They develop security and privacy plans without fully understanding the data they possess, how data flows through the organization, how it is currently protected and stored, and how it should be protected.
- Access control implementation: Help the customer classify data and employee roles, and then institute proper controls to be sure only authorized employees have access to data. Also implement access controls for physical systems including cameras, key card access and facility intrusion management systems.
- Breach and disaster contingency plans: These are potentially massive undertakings that are often left undone or completed with only a narrow focus and not in compliance with regulations. You can help customers understand what they must do, and then be there to support the implementation and the ongoing updating and testing as required.
- Security monitoring: Preventing and identifying illicit activity and data loss through security monitoring can be a significant role for any security solution provider. Most organizations do not have the in-house expertise to choose, implement and support a viable vulnerability management and intrusion prevention program. In fact, I believe having breach and log management handled by internal staff is misguided and fraught with conflicts of interest. Because IT is itself a source of risk, this work should at least be verified by outside security solution providers.
- Network configuration: Transmission security and reliability through proper WAN and LAN configuration and encryption are a key requirement of HIPAA. This is a natural place for a security solution provider to offer support or be the outsourced provider.
- Document storage: Integrity controls, secure document management, and onsite and offsite disaster storage are massive and vital needs for all CEs and BAs. Due to long-term storage requirements in HIPAA regulations, and the need to quickly access the secured documents, providing a robust and secure system that meets the long-term needs can be a business in itself.
- Auditing and logging: Audit and logging controls and reporting are a major challenge for even the most dedicated and sophisticated CEs and BAs. HIPAA requires a CE or BA be able to identify who looked at or modified records, and when. For these systems to have integrity, they must involve offsite vaulting of the logging data, and the final review should be conducted by independent individuals. This is a great place to stake your flag.
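The audit-log requirement above (who looked at or modified a record, and when, with the log's own integrity protected) can be illustrated with a small hash-chained access log. This is an added example, not code from the article or from Alvaka Networks; the event records, user names and medical record numbers are constructed for illustration, and the chain head is the kind of small artifact that would be vaulted offsite and checked by an independent reviewer, as the author recommends (the hash chain complements those controls, it does not replace them).

```python
import hashlib
import json

# Constructed sample of PHI access events (hypothetical users and record numbers).
SAMPLE_EVENTS = [
    {"ts": "2012-02-01T09:15:00Z", "user": "nurse_jdoe", "record": "MRN-10001", "action": "view"},
    {"ts": "2012-02-01T09:17:30Z", "user": "dr_asmith", "record": "MRN-10001", "action": "modify"},
    {"ts": "2012-02-01T10:02:11Z", "user": "billing_kle", "record": "MRN-10042", "action": "view"},
]

GENESIS = "0" * 64  # hash value the first entry chains to


def canonical(event):
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, event):
    """Append an event; each entry's hash commits to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    chain.append({"event": event, "prev": prev, "hash": h})
    return h


def build_chain(events):
    chain = []
    for event in events:
        append_entry(chain, event)
    return chain


def verify_chain(chain, expected_head):
    """Return (ok, index): index is the first bad entry, len(chain) on truncation, None if ok.

    expected_head is the chain head that was stored out of band (e.g. vaulted offsite),
    so an attacker who rewrites the whole log still cannot make it match.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i
        h = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if h != entry["hash"]:
            return False, i
        prev = h
    if prev != expected_head:
        return False, len(chain)  # entries removed from the end or never written
    return True, None


def who_touched(chain, record):
    """Answer the accounting question: who viewed or modified a record, and when."""
    return [
        (e["event"]["ts"], e["event"]["user"], e["event"]["action"])
        for e in chain
        if e["event"]["record"] == record
    ]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]          # this is the value to vault offsite
    print("intact:", verify_chain(chain, head))
    print("MRN-10001:", who_touched(chain, "MRN-10001"))
    chain[1]["event"]["user"] = "someone_else"   # simulate an after-the-fact edit
    print("tampered:", verify_chain(chain, head))
```

The check catches both in-place edits (the recomputed hash of the altered entry no longer matches) and silent truncation (the surviving head no longer equals the vaulted one); it does not, on its own, catch an insider who controls both the log and the vault, which is why the author's independent review still matters.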
- Change management: Managing changes and documenting the systems from all aspects is a major challenge health care customers face. It is tedious and unglamorous work that requires diligence and commitment. This is one area that you can support customers and build a long-term reliance on your services. By designing the systems, implementing them, and acting as the check and balance against complacency, you will become invaluable.
If you get with the program and become a real expert in understanding the HIPAA/HITECH world, you can find real and sustained opportunity. You can do this while supporting a vitally important part of our society, the health care industry, and you can be compensated handsomely for doing it right.
About the author:
Kevin B. McDonald is Executive Vice President and Director of Compliance Practices at Alvaka Networks, a 27-year strong Network Services and Security leader in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America's most influential people and organizations. He serves as a senior advisor to businesses, state and federal legislators, law enforcement leaders, charitable boards, abuse prevention professionals and municipalities. He is a sought-after presenter, panelist and commentator. McDonald consults on the issues surrounding advanced technology, physical and logical security, regulatory compliance, organizational development and more.
McDonald is a HIPAA Privacy and Security Expert and a member of the CompTIA HIT Advisory Council. He is Chairman of the Orange County Sheriff/Coroner's Community Technology Advisory Council (C.T.A.C.), Chairman of the Board for Orange County Crime Stoppers and a member of the High Tech Crimes Consortium. He has written for, or been interviewed in, dozens of national and regional publications, and he has authored the novel Practically Invisible.
This was first published in February 2012