Assessing Business Associate Risks
Under HIPAA Omnibus, BAs Must Conduct Thorough Analysis
Now that business associates are directly liable for HIPAA compliance, they need to ensure they perform a thorough risk analysis to identify gaps in their controls, says Andrew Hicks, of the security consulting firm Coalfire.
"The biggest thing [BAs] need to do is understand what their PHI [protected health information] and ePHI inventories look like," says Hicks, director and healthcare practice lead at Coalfire, in an interview with Information Security Media Group [transcript below].
"They should consider their data inflows and outflows," he says. "In this day and age, they should consider databases, mobile devices, thumb drives and all the different areas where PHI could reside."
After identifying where PHI is located, business associates should then conduct a risk assessment. "It's really the No. 1 requirement of the HIPAA security rule," Hicks says.
"The [analysis] would allow [business associates] to understand where their gaps are in controls, where they're not compliant, where they have residual risk and identify a remediation roadmap for gauging their compliance efforts going forward," he says.
In the interview, Hicks also discusses:
- The kinds of business associates having the most HIPAA Omnibus compliance trouble;
- Steps business associates can take to improve their overall HIPAA compliance;
- Suggestions for covered entities about HIPAA Omnibus compliance efforts involving business associates.
Hicks has more than 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery, and regulatory compliance. His experience also includes implementing and managing IT internal control programs relative to maintaining Sarbanes-Oxley, HIPAA, HITECH Act and PCI regulatory compliance.
Compliance Challenges for BAs
MARIANNE KOLBASUK MCGEE: Based on Coalfire's recent survey, what sorts of challenges are you seeing business associates having in complying with HIPAA Omnibus, and why are they having that trouble?
ANDREW HICKS: I would say probably the biggest thing is that many of these business associates and subcontractors don't even know that they're in scope for HIPAA. They may be far removed from the healthcare industry and the day-to-day. But their relationships with their covered entities put them in scope for HIPAA [and] they may not know that. As a result, they don't have any knowledge of the regulations. They may not know how to interpret or implement the required controls. I see those as the biggest issues in this area.
Where to Focus Attention
MCGEE: Where do you think business associates need to focus the most attention?
HICKS: The biggest thing they need to do is really understand what their PHI and ePHI inventories look like. They should consider their data inflows and outflows. In this day and age, they should consider databases, mobile devices, thumb drives and all the different areas where PHI could reside. After they understand that, they should perform a risk analysis, which is really the No. 1 requirement of the HIPAA security rule, which would allow them to understand where their gaps are in controls, where they're not compliant, where they have residual risk and identify a remediation roadmap for gauging their compliance efforts going forward.
MCGEE: What kinds of business associates are having the most trouble complying? For instance, do compliance difficulties differ based at all on the kinds of services that a BA offers?
HICKS: I would say the further you get removed from a covered entity, the more likely that they will not understand what HIPAA compliance is. These are organizations such as billing companies, cloud service providers or even law firms, for example. They have no tie to the healthcare industry, but now, as a result of HIPAA, they may have PHI in their environments, which they're required to maintain by the requirements defined both in HIPAA/HITECH and the Omnibus Rule.
MCGEE: What are the biggest mistakes that business associates are making when it comes to their HIPAA Omnibus efforts?
HICKS: The biggest mistakes are that they foresee this as just another regulation, another checklist. As a result, they feel like they can just whip something up overnight just to satisfy compliance, to wave their hand and say, "Hey, I'm HIPAA compliant." The truth of the matter is it's really something that can't be done overnight. It takes a lot of planning; it takes a lot of understanding of what the requirements are. For implementation, obviously it's required by HIPAA and should be done, a fluid process all the way through the compliance deadline. They need to satisfy the requirements and understand what they are, how to best implement them and identify the proper controls.
Steps to Improve HIPAA Compliance
MCGEE: What other steps can business associates take to improve their overall HIPAA compliance moving forward?
HICKS: They definitely need to get an understanding of what the regulations are. They need to identify a roadmap for closing gaps, for assessing their risk levels and identifying and understanding all their data flows and where the data resides in their systems. After they do that, then they can really begin to start targeting the proper controls that should be in place to satisfy the requirements and ultimately reduce the risks of those different areas.
Tips for Covered Entities
MCGEE: What do you think covered entities should know about business associates and HIPAA Omnibus compliance that they may be otherwise overlooking when it comes to these vendors?
HICKS: I would say that covered entities under Omnibus absolutely have the right to understand their business associates' compliance efforts. There are a couple of ways they can do this. One is they could require BAs to answer questions as part of a vendor management tool so the CE can really understand and engage their overall compliance posture. The second would be that CEs could require BAs to complete third-party assessments and do internal reporting, various different activities to help the CE feel comfortable with the overall level of risk with their data that's at the BA's location.
Slow to Acknowledge HIPAA
MCGEE: Were there any other surprising findings that you saw in the survey?
HICKS: The biggest thing is that BAs and subcontractors are fairly slow to acknowledge HIPAA. They're fairly slow to understand that they're required to comply. I expect to see the same kind of transition that we saw when the HIPAA security rule initially came out. Many organizations didn't jump on the bandwagon and say, "We absolutely have to comply with this." They were very slow to transition. It took the enforcement of penalties and fines to get everybody up to speed with what the requirements are and that OCR is serious in terms of compliance and enforcement.
MCGEE: Any final advice for business associates, as well as their subcontractors and covered entities, regarding HIPAA Omnibus?
HICKS: They shouldn't take HIPAA lightly. Compliance is not a flip of a switch kind of activity. They shouldn't take it lightly. Ultimately, implementing a good, solid HIPAA security program that's able to respond to increased risk levels and changes in the organization helps them satisfy the requirements and compliance forward-looking.