- Two-thirds of business associates are not prepared for the evolving health data protection measures, specifically in relation to HITRUST standards, according to a recent KPMG survey.
KPMG surveyed 604 industry professionals, and only 17.4 percent said that they were in the planning stages for a HITRUST CSF assessment. Furthermore, 7 percent said they are completely ready and 8 percent reported that their organization was "well along implementation."
“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers," Third-party Risk and Assurance Leader for KPMG's Healthcare practice Emily Frolick said in a statement. "These vendors are able to accomplish this through a SOC 2® + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information."
While neither assessment is currently mandatory under federal law, Frolick explained that it is important for healthcare to reduce cybersecurity risks associated with third parties.
The survey also found that 47 percent of respondents do not believe their organization has the "right staff with the right level of skills to execute against the HITRUST CSF." In fact, staffing was the top listed barrier to HITRUST CSF readiness, followed by cultural, technological, and financial concerns.
Nearly one-quarter of those surveyed - 26 percent - said that the largest benefit from HITRUST was assurances about overall security, followed by standardized reporting (24 percent). Respondents also said that progress toward HIPAA compliance and having a blueprint for cybersecurity risks were also key benefits.
Business associates cannot ease up in their approaches to health data protection, and covered entities must ensure that they have comprehensive and current business associate agreements in place to keep patient data secure.
Covered entities must “obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website.
A failure to do so could not only result in a healthcare data breach, but also financial fines from the Office for Civil Rights (OCR).
For example, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 as part of its OCR HIPAA settlement earlier this year. CHCS provided management and information technology services as a BA to six skilled nursing facilities.
OCR found in its investigation that from the HIPAA Security Rule’s compliance date to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI held by CHCS.”
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said OCR Director Jocelyn Samuels said in a statement.
OCR also recently clarified that business associates cannot block provider PHI access or terminate that access under the HIPAA Privacy Rule. Typically, if a business associate blocks PHI access, it has “engaged in an act that is an impermissible use under the Privacy Rule,” the OCR website reads.
“For example, a business associate blocking access by a covered entity to PHI (such as where an Electronic Health Record (EHR) developer activates a ‘kill switch’ embedded in its software that renders the data inaccessible to its provider client) to resolve a payment dispute with the covered entity is an impermissible use of PHI.”
Whether a business associate looks toward HITRUST CSF or another guideline toward health data protection measures, it must ensure it adheres to all areas of HIPAA compliance, including the requirements put forth in its business associate agreement.