Healthcare Data Security: Focus On 'Business Associates'
Healthcare professionals don't trust service providers' handling of patient data, study shows. Cloud services aim to help providers take control of those relationships.
8 Data Centers For Cloud's Toughest Jobs
(Click image for larger view and slideshow.)
With regulators seeking tighter control over the role of external contractors in assuring healthcare privacy and security, other third parties are offering to help audit those relationships with services from the cloud.
Under the Department of Health and Human Services (HHS) HIPAA Final Omnibus Rule, contractors and subcontractors who work with healthcare providers, insurers, or other services that process patient health information (PHI) must meet HIPAA privacy rules. Referred to by regulators as "business associates," these external parties also include IT service providers. Despite the mandate that business associates meet HIPAA requirements, 40% of healthcare professionals are "not confident" and 33% are only "somewhat confident" in their partners' capacity to manage patients' sensitive data, according to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy & Data Security, released on March 13.
Many business associates are falling short, said Larry Ponemon, chairman and founder of the Ponemon Institute, during a conference call to discuss the report. "I don't think it's malicious or deliberate, but I don't think they're doing everything they need to do to comply with the Omnibus rule and HIPAA requirements," he said.
IT service providers pose the biggest threat, according to 75% of those surveyed. Claims processors took second place with 47%, and benefits managers came in third at 33%. Nearly 20% of respondents cited pharmacy benefits managers as the greatest threat. Fewer than 10% of respondents also listed data analysts and consulting, accounting, and legal services.
Their concerns may be well founded. Although the deadline for compliance was September 2013, a survey that month showed that 60% of third-party service providers were somewhat or not at all sure of their responsibilities under the Omnibus Rule -- and only 44% were compliant. Only 36% had been asked to sign a new business associate agreement, according to Coalfire Systems, which sponsored the report.
Large healthcare organizations often have hundreds of business associates, Rick Kam, president and co-founder of ID Experts, pointed out. Updating, reviewing, and maintaining those contracts is time-consuming -- but on the other hand, the costs associated with a poorly designed program can be both huge and public.
"The key variable is to know the organizations that you've contracted with, [and] to make sure they've stepped up to the plate in ensuring the data you've entrusted them with," said Ponemon. "Are they compliant with other generally accepted good practices? There's a lot that can be done." For example, he suggested, providers can conduct audits, centrally manage agreements, and buy adequate amounts of the right insurance.
Creating conviction Despite overwhelming distrust on the part of healthcare professionals, IT service providers want to resolve the credibility gap when it comes to handling patient data, according to Coalfire, a 13-year-old company that provides cloud-based IT audit, risk assessment, and compliance management systems and services to various vertical-market healthcare, financial, and retail customers.
Coalfire's HIPAAcentral, a cloud-based compliance exchange, is designed to help covered entities, business associates, and subcontractors manage, maintain, and exchange regulatory compliance data. Under the exchange, business associates assess their own compliance and share the results, explained Andrew Hicks, director of Coalfire's healthcare practice lead, in an interview. Covered entities can centrally manage their partner relationships. The company's compliance-as-a-service offering includes a free entry-level assessment, with paid tiers of service such as Rapid HIPAA for risk tolerance. Business associates can disclose their compliance and controls -- such as meeting minutes or policies -- to healthcare providers.
When investing money at a bank, Hicks said, you look for cameras, vaults, and security systems. When healthcare providers share patient data, they want to ensure partners have invested in security systems and policies. "CEs want to know, 'Hey, this is my data. How are you securing it? How are you going to keep it safe?' "
Convenience and risk reduction are two reasons HealthShare Montana recently signed on with Coalfire, according to Brad Putnam, executive director at the electronic health information exchange for the state of Montana.
"Many healthcare organizations, especially those smaller facilities located in rural and frontier areas, updated their BA agreements but do not have the internal capacity or acumen to effectively manage the due diligence responsibilities associated with them," he explained. "Coalfire's HIPAAcentral provides a very low-cost way to help healthcare organizations with the understanding of what is now required to manage BA relationships and a single location from which to do it. HIPAAcentral can easily reduce costs and provide ROI by reducing the risk of significant fines for not properly managing BA relationships as well as making the entire process of managing those relationships far quicker reducing the labor costs associated with complying with the [Omnibus] Rule."
For its part, Kroll Advisory Solutions developed the Business Associate HIPAA Self Assessment Risk Management (BA HSRA), a self-guided assessment available through Kroll's client portal. The tool includes on-demand access, collaboration capabilities, unlimited access for 12 months, and reporting review. The final report documents an organization's completion of the assessment, overall scoring, and full responses to each question.
Download Healthcare IT In The Obamacare Era, the InformationWeek Healthcare digital issue on changes driven by regulation. Modern technology created the opportunity to restructure the healthcare industry around accountable care organizations, but ACOs also put new demands on IT.
Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio
Healthcare Data Breaches Cost More Than You ThinkHealthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.