About eight months ago, network security consulting firm SecureState rolled out a new audit program, called the HIPAA Gap Assessment. The program is similar to seals of quality offered by the Better Business Bureau or Good Housekeeping: it’s a logo that companies that have passed an audit are able to display on their website or other marketing materials. The hope is that, over time, the seal will become an instantly recognizable testament to the privacy protection standards in place at that location.
Brian Dean, manager for audit compliance at SecureState, discussed the basics of the program.
24×7: What is the Seal?
Dean: The seal is a logo that lets healthcare providers, hospitals, service providers, and others show they have demonstrated regulatory compliance.
24×7: How does an entity obtain the Seal?
Dean: We use a framework to benchmark against the control to determine if proper controls are in place; for example, the National Institute of Standards and Technology framework can be used to review HIPAA compliance. Assuming you have all the controls in place, we can attest to that. We then issue a report, often up to 40 pages long. If controls are met, a seal can be issued. If controls are weak or missing, a remediation roadmap is constructed.
24×7: What does the audit process look like?
Dean: Step one is an audit. Coming out of the audit, you get a report. About 70% do not pass the first audit. We help create a remediation plan and the program is re-audited. Once they have the passing audit, they get the seal.
24×7: Who is the seal intended to be seen by?
Dean: When we put this program together, our core target audience was business associates. For them, the Seal can be a competitive advantage. For example, HIPAA requires covered entities to share data with business associates to perform work on their behalf (for example, a large hospital might provide patient data to a printer to create and send billing details to patients). They are required to perform due diligence on those third parties before giving them patient health information. The seal performs some of the due diligence in selecting those business partners; it should let those companies with the seal rise to the top.
24×7: Other seals of quality, like the Better Business Bureau seal, are geared toward consumers who might not be well-versed in what makes a given product or service a good one. The seal you are offering seems to be geared toward experts. Why is a seal still valuable in this situation?
Dean: Patients should be taking an active role in protecting their confidential data. But similar to the privacy policy that financial institutions give their clients annually, few take the time to read the policy. The seal helps reduce the step of reading and interpreting by providing a third-party attestation that there are good security controls. It works the same for business associates; the seal should reduce their due diligence efforts.
The analogy does fall apart in that the BBB doesn’t have any clout, such as mandatory regulatory compliance. It’s just an impartial, outside observer. The seals that we provide when we go look at controls are up against federal regulations. It’s more analogous to the PCI attestation of compliance in the credit card industry.
24×7: Is the HHS’ own enforcement of HIPAA rules inadequate?
Dean: HHS is not in the audit service business. There is a compelling reason to institute a third-party audit program unless you have a very robust internal program. Fines can be expensive. Having someone validate your system is valuable. The competitive advantage is being able to tell your clients you protect data. Getting the seal doesn’t mean you’re bulletproof, but it shows that you’re serious and that you’ve done due diligence.