This is part two of a two-part series on HIPAA compliance for digital customer engagement. Part one covers HIPAA fundamentals and the role of the software vendor.
HIPAA compliance is far from simple, and any vendor that says otherwise is likely not offering the degree of security and/or shared responsibility that you need to engage safely in digital patient communication. Here’s a run-down of what you should look for when assessing a vendor’s HIPAA compliance, in line with the typical risk assessment items covered by third-party assessors.
Security and Encryption of PHI
Patient engagement software vendors primarily provide solutions actively involved in the transmission and storage of PHI, so the security and encryption processes that they have in place should be stringent.
Encryption is an important aspect of PHI security: in the event of a breach by a malicious third party, encryption ensures that the data they could access would be neither legible nor attributable to an individual.
Here’s what to ask:
- Does encryption apply to data “at rest”, i.e. stored on the vendor’s servers, for example chat logs? Amazon RDS encryption, which uses 256-bit AES, is recognized as a gold standard in this respect.
- Does encryption apply to data “in transit”, i.e. while it is being moved from one location to another, for example when a patient submits PHI through an ongoing chat? Encryption with TLS (HTTPS) is the standard in this instance.
- Is there a complete logging and monitoring system that operates as a safeguard against unauthorized access?
- Are the vendor’s server farms audited against recognized security and control standards such as SSAE 16, CSAE 3416 and ISAE 3402?
- Are anti-malware and intrusion detection/prevention systems in place?
- Is PHI held on laptops and mobile devices used by the vendor also encrypted?
- Are physical security systems also in place? For example, is access to the vendor’s physical office location restricted by keycard, and are workstations secured appropriately?
What to watch out for: Check that the vendor takes responsibility for secure storage of data in all forms. For example, if they insist that you delete data from their servers and transfer it to your own, the vendor is essentially shifting responsibility for the security of data at rest to you. If you then fail to delete and move your data regularly enough and it is intercepted by a malicious third party in an attack on the vendor, you could be held liable.
HIPAA-specific Policies and Procedures
Vendors should have clear policies and processes in place to ensure that PHI is handled in a secure and consistent way throughout the organization.
Here’s what to ask:
- Have identity management and access controls been implemented to ensure employee access to PHI is appropriately restricted?
- Are system activity logs regularly checked and reviewed for unauthorized or inappropriate access?
- Are there defined processes for responding to and reporting data security incidents and data breaches?
- Has a comprehensive list of all places where PHI resides or passes through been compiled and accounted for in policies and procedures?
- Do policies protect PHI from improper alteration or destruction?
- Is PHI securely and completely disposed of after an appropriate timeframe?
- Are policies version-controlled and continuously improved, evidencing improvement and refinement in processes over time?
What to watch out for: Ensure that a range of policies allows best-practice security processes to be applied generally, as well as HIPAA-specific policies to be applied specifically. Vendors should be able to articulate a range of policies that demonstrate information security processes, access control plans, disaster recovery plans, breach notification policies and network configuration standards, as well as risk assessments that assess compliance with these policies.
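As an added example (not from this article or any vendor’s product), here is the kind of review that the “logging and monitoring system” and “system activity logs regularly checked” questions above point at: a small Python script that scans constructed PHI access audit lines against an assumed role allow-list, an assumed care-team relationship map and assumed business hours, and flags entries for a human reviewer.

```python
"""Flag PHI audit-log entries that look unauthorized or inappropriate.

Constructed example. Assumed log format: 'timestamp|user|role|patient_id|action'.
The role allow-list, care-team map and business hours are illustrative policy.
"""
from datetime import datetime

# Roles permitted to access PHI at all (assumed policy).
PHI_ROLES = {"nurse", "physician", "support_agent"}
# Patients each user has a documented care relationship with (constructed).
CARE_TEAM = {
    "alice": {"P100", "P101"},
    "bob": {"P200"},
    "carol": set(),  # billing staff: no direct patient relationships
}
# Actions that alter or remove PHI; assumed to need supervisor approval.
DESTRUCTIVE = {"delete", "export"}

# Constructed sample audit lines (not real log data).
SAMPLE_LOG = """\
2024-03-04T09:12:44|alice|nurse|P100|view
2024-03-04T09:15:02|alice|nurse|P300|view
2024-03-04T02:40:19|bob|physician|P200|view
2024-03-04T10:01:55|carol|billing|P100|view
2024-03-04T11:22:08|bob|physician|P200|delete
2024-03-04T11:30:00|alice|nurse|P101|view
"""


def review_access(log_text, start_hour=7, end_hour=19):
    """Return (line_no, reason) findings; an empty list means nothing to review."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        ts, user, role, patient, action = line.split("|")
        hour = datetime.fromisoformat(ts).hour
        if role not in PHI_ROLES:
            findings.append((n, f"{user}: role {role!r} may not access PHI"))
            continue  # role check fails: no need to evaluate the other rules
        if patient not in CARE_TEAM.get(user, set()):
            findings.append((n, f"{user}: no care relationship with {patient}"))
        if action in DESTRUCTIVE:
            findings.append((n, f"{user}: {action} of PHI needs supervisor approval"))
        if not start_hour <= hour < end_hour:
            findings.append((n, f"{user}: access at {hour:02d}h is outside business hours"))
    return findings


if __name__ == "__main__":
    for line_no, reason in review_access(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Run against the sample, it flags lines 2 (no care relationship), 3 (off-hours), 4 (role not permitted) and 5 (destructive action) and passes lines 1 and 6.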
Employee HIPAA Awareness & Security Training
All of the vendor’s employees should undergo two different types of training: HIPAA-specific awareness training, as well as general security standards training.
Here’s what to ask:
- Are both sets of training managed by a HIPAA Compliance, Privacy, or Security Officer?
- Is documentation kept to confirm that training has been completed by all staff members?
- Is training administered on an annual, rolling basis to all staff?
- Are partners, employees and independent contractors included in the training?
- Do workers with high degrees of data access have job-specific training on privacy and security procedures?
- Have all staff read and legally attested to following HIPAA policies and procedures?
- Has the third-party assessor interviewed staff to check their skills, knowledge and training?
- Is the training supported by a wider security awareness program that reinforces best practices throughout the year, for example through the use of motivational slogans, login access banners, videos, posters or other awareness materials?
What to watch out for: Check that training records are appropriately stringent and don’t allow any employees to fall through the gaps. For example, ensure that new employees receive training as part of their onboarding, and that all staff receive annual refresher training.
Business Associate Agreements (BAA)
HIPAA-compliant vendors should be happy to sign a BAA acknowledging their liability for the security of a healthcare provider’s PHI. The vendor should also ensure that any third-party firms they could transmit PHI to (for example, Amazon Web Services servers or Google Dialogflow’s language processing services) also acknowledge their responsibilities as a business associate.
Here’s what to ask:
- Are BAAs standard, or custom for each healthcare provider the vendor serves? If custom, what are the differences between the agreements?
- Does the vendor charge for standard or custom BAAs?
- Has the vendor identified all other third-party firms they could potentially transmit PHI to and ensured that they have also signed a BAA?
What to watch out for: Where the vendor uses third-party firms who also need to agree to a BAA, ensure that those firms have acknowledged their responsibility for the security of PHI clearly and in writing, with reference to the specific processes they themselves agree to.
Breach Notification Processes
If a breach occurs, patient engagement software vendors have a responsibility to notify affected parties. HIPAA’s Breach Notification Rule lays out specific requirements. Vendors should therefore have a strict Breach Notification Process which explicitly includes several key criteria as outlined in the Act.
Here’s what to ask:
- Are there guidelines for the timeliness of notification?
- Are clear methods for notification outlined, for example written notice?
- Are there guidelines for notification content?
- Does the process provide notification to each individual involved in the breach?
- Are there differentiated processes for breaches involving individuals versus larger-scale breaches?
- Does the process acknowledge the role of appropriate law enforcement in breaches?
What to watch out for: HIPAA also includes a plain language requirement to ensure that any language used in breach notifications can be easily understood and interpreted by all parties, including the affected patient(s). Ensure this is accounted for in the vendor’s policy.
Wrap-Up
No two patient engagement software vendors will have the same processes, so when evaluating, ensure that at a minimum you ask for a copy of their BAA and their most recent third-party risk assessment report. These documents will enable you to compare and contrast each vendor’s take on HIPAA compliance, their technical and operational capabilities, and the amount of responsibility they are willing to accept.
We hope that when it comes to protecting PHI, this guide provides a clear, transparent picture of what to expect from your patient engagement software vendor, allowing you to build a trusting and fruitful relationship that will endure for years to come.