Compliance with the Health Insurance and Portability Act (HIPAA) initially appears to apply only to the healthcare industry. However, HIPAA also requires healthcare provider business associates to maintain security and privacy controls over protected health information (PHI) and electronic PHI (ePHI). For payer organizations, this requirement means aligning data security protections to HIPAA.
What is a “Business Associate”?
Under HIPAA, a business associate is any individual or entity who provides services to a covered entity. This definition includes explicitly billing and repricing. If you’re working with a covered entity and offering payment processing, then you also need to be HIPAA compliant.
What are the PCI DSS requirements?
Payment processors already understand stringent and prescriptive security and data regulations. The Payment Card Industry Data Security Standard (PCI DSS) prescribes twelve different requirements for securing data. PCI DSS focuses on protecting payment card information such as account number in conjunction with either cardholder name, the card’s expiration date, or its service code. At its core, PCI intends to protect cardholder data (CD) so that no one can steal it and spend the payee’s money.
What are the HIPAA requirements?
HIPAA requires business associates to maintain control over information including but not limited to demographic information, medical history, test and lab results, mental health conditions, and insurance information. At its core, HIPAA intends to protect people’s private health information which often includes more data points. Those additional pieces of information can enable a malicious actor to create a false identity.
Why PHI is more valuable than CD
Health information records contain more data points than cardholder data. Although a credit card or personal account can lead to unauthorized charges, health records incorporate date of birth, social security number, and additional identifiers that can allow malicious actors to create false tax return filings or create new bank accounts. Ultimately, unauthorized access to CD leaves a person’s financial identity at risk while unauthorized access to PHI or ePHI places the individual’s historical identity at risk.
Where PCI lacks HIPAA protection
The HIPAA Security Rule focused on ePHI and created three primary safeguards: technical, administrative, and physical. Additionally, HIPAA incorporates a Breach Notification Rule and Privacy Rule. Although PCI compliance aligns to some of the Security Rule requirements, it does not meet the Breach Notification and Privacy requirements.
Thus, payment processors seeking to work with HIPAA covered entities must incorporate additional controls and processes.
How HiTRUST enables payer security
HIPAA compliance for business associates rapidly becomes overwhelming.
The Health Information Trust Alliance (HiTRUST) brought together all the relevant standards that enable HIPAA compliance into a single common security framework (CSF). The HiTRUST CSF enables covered entities and business associates to work within a single program that creates a certification process for both groups. As such, the certification allows a business associate, such as payment processor, to “assess once, report many.”
This process provides continual assurance that, as a vendor, the payer security processes maintain the integrity and confidentiality required for HIPAA compliance.
What are the types of HiTRUST CSF assessments?
A business associate can choose to engage in either the self-assessment process or the validated assessment process.
The CSF self-assessment uses the methodology, requirements, and tools contained within the CSF Assurance program. After an organization submits a self-assessment, HiTRUST engages in limited validation.
The validated assessment begins with a self-assessment but then requires a certified CSF assessor to conduct and score the assessment. Once validated by the CSF assessor, the organization’s controls can be deemed CSF certified.
Why obtain HiTRUST Certification?
The HiTRUST Third Party Assurance Program allows organizations to create a streamlined reporting and validating process that eases HIPAA compliance across the supply stream.
Engaging in the CSF self-assessment offers insight into control management. However, since it does not incorporate the same level of external assurance over program effectiveness, it lacks the weight of certification.
HiTRUST CSF certification incorporates both the HIPAA risk assessment process as well as the NIST Cybersecurity Framework control effectiveness review. By bringing these two together under a single compliance umbrella, as well as incorporating other standards that apply to HIPAA, the HiTRUST certification enables third parties to assure their customers that they engage in the due diligence necessary for maintaining ePHI securely.
Because certification requires additional levels of review and more detailed reporting, most covered entities and business associates rely on certification when compared to self-assessment. Many healthcare organizations establishing business partnerships require their third-parties to obtain and maintain HiTRUST certification. Thus, many payer organizations are aligning their compliance to the CSF.
Is HiTRUST certification the same as HIPAA compliance?
The two are similar yet distinct. HiTRUST certification acts as a means of HIPAA compliance. Since HiTRUST focuses on risk mitigation, organizations can choose recommended controls based on their use cases. Each self-assessment and CSF assessment starts with the organization’s organizational, regulatory, and system risks then aligns those to the necessary security controls.
However, while this enables compliance with the Security Rule, business associates need to ensure that they also maintain compliance with the Breach Notification and Privacy Rules.
How ZenGRC Enables HITRUST Certification
If you are not currently HITRUST Certified, you can use ZenGRC to enable a gap analysis to determine how your current controls align to HITRUST CSF. If you are presently NIST and ISO compliant, you can document your controls based on those, and then engage in an analysis to determine additional controls necessary for HITRUST certification.
ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it so that you can more rapidly review the “to do” lists and “completed tasks” lists.
With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
Finally, ZenGRC acts as a single-source-of-truth enabling an easier validation and testing experience. With all your documentation stored in a single location, you can more easily provide your CSF Assessor with the information supporting your risk-based analysis and control decisions.
For more information or to schedule a demo, contact us today.