Should vendors that say their products and services are “HIPAA compliant” also have a “Buyer Beware” sticker attached for healthcare organizations? Every other healthcare IT security-related press release adds that the product is HIPAA compliant. But seeing as there’s no Department of Health and Human Services (HHS) certification that organizations can obtain from vendors to ensure their offerings are within HIPAA regulations, the market has become a bit saturated and confusing.
Earlier in the week, HealthITSecurity.com spoke with Joseph Lorenzo Hall, Center for Democracy and Technology (CDT) Senior Staff Technologist, about HIPAA business associate agreement (BAA) trends. However, Hall also chatted about No. 6 in the CDT FAQ on HIPAA and cloud computing – How important is it for health care providers to choose cloud service providers (CSPs) that claim they are “HIPAA compliant”? It’s not easy to weed out mature products that really do follow government data protection rules from those that tack on “HIPAA Compliant” before the product name without really knowing what the words mean. Here’s the text from the FAQ:
“HIPAA compliance” is not a certification or compliance regime formally recognized by the Department of Health and Human Services. Accordingly, health care providers should be wary of overreliance on claims from CSPs that they are “certified” or otherwise “HIPAA compliant.”
The CSP should be willing to enter into a business associate agreement and acknowledge its obligations to comply with HIPAA and other applicable regulations. Health care providers will need to carefully choose a good CSP that has a track record of working securely with PHI and is familiar with obligations of business associates under HIPAA. Claims of “HIPAA compliance” should be appropriately vetted. That being said, there are standard purpose-specific types of certifications that a health care provider should consider when selecting a CSP, including: PCI DSS (credit card transaction standards), SSAE 16 (financial reporting standards), ISO 27001 (information security standards), and FIPS 140 (cryptographic module standards).
As stated above, plenty of vendors have made news by claiming HIPAA compliance. One such instance was this past spring, when Box, a Platform as a Service (PaaS) file-sharing solution, said its product fell under HIPAA guidelines. To help determine what features to look for from a HIPAA-compliant offering, Hall said this is another spot where HHS could step up to the plate for healthcare organizations.
HHS could say “Here are some salient features to look for when you hear someone claim ‘HIPAA compliance’.” Credit card information standards (PCI-DSS), information assurance standards (ISO 27001), and cryptographic module standards (FIPS 140) are the ones we listed that people struggle with. Some of those are extremely expensive, but worthwhile. There are probably others that we missed, but I wish HHS could offer more guidance here too, such as ensuring exactly what the vendor should cover in a NIST-style risk assessment. Timing is important here too, because some things you really can’t change down the line.
This lack of clarity about what needs to be included within vendor products can be confusing, said Hall.
You need to be wary when you hear “HIPAA compliance” because that phrase incorporates a ton of baggage. What you’re looking for is specifics, such as what encryption is being used and who has vetted that. This is why HIPAA has been a boon for consultants.