When prospecting we often get the answer “No thanks, we have HIPAA under control.” Of course, in a few cases that might be true, but often it is just a polite way to get us off the phone. There are many compliance officers (COs) who believe this to be true but have no idea whether their HIPAA compliance initiative is actually “under control.” Why? Primarily because they have no way to measure it. If we were auditors, the first question we would ask is: where is your “Scorecard” that indicates which parts of HIPAA you have implemented? Huh? Followed by that “deer in the headlights” look.
How many COs know how many requirements exist across the three rules (Privacy, Security, Breach Notification)? Well, there are one hundred sixty-nine (169) according to HHS. And, by the way, in order to comply with each one you need visible, demonstrable evidence (VDE) that you have the following in place: (1) a policy; (2) processes that underpin the policy; and (3) a database of process results for that requirement. All three are necessary, but the last one is the most critical. If you cannot show me a database (writ large) of who you have trained, when, and on what, then you do not have VDE for the training requirement. The bottom line is that you need VDE for all the requirements. Yes, for all 169.
How many COs are vetting their business associates (BAs) for the “satisfactory assurances” that are necessary to comply with the Security Rule? Let us give you a few clues: (1) having a BAA in place will not suffice; and (2) getting an “attestation” from the BA will not suffice. Well, if this does not suffice, then what does? Before we answer that, we can tell you unequivocally what is not required. You do not need to make onsite visits to BA premises once a year. That is impossible, and HIPAA does not require the impossible (neither does the law in general). The best practice that has emerged is mailing out questionnaires and then manually processing the responses. This is so cost-prohibitive that it is generally only done by the largest stakeholders (of course, Expresso®’s Business Partner Vetting (BPV) Portal helps solve this problem).
So, if you have not gotten “satisfactory assurances,” what happens when your BA experiences a serious Breach? You get stuck with all the costs! Why? Because indemnification costs for Breach Notification alone run into the millions. This will drive most BAs into bankruptcy. What if your BA responds with “we have cyber-security insurance”? That is nice. What you need to ask for is the policy limit and what is covered. Your BA’s 100K policy limit is not going to help you, no matter how well-crafted the indemnification clause is in your BAA (or other contract). Finally, no amount of indemnification is going to cover the reputation damage to your organization.
Also, if you do not get “satisfactory assurances,” you can expect a class action lawsuit under state law for negligence, across all states where a patient’s data may have been compromised. This is in addition to the regulatory and notification costs that you will incur. Have we gotten your attention? We are quite sure that within 15 minutes we can demonstrate that you don’t have VDE for each of the 169 requirements and that you don’t have a Scorecard that measures the current status of your HIPAA compliance initiative (unless, of course, you are an HSG subscriber and have followed our road-map).
In this case, ignorance is certainly not bliss. If you should have an audit after a significant Breach, chances are the ax is going to fall on you, the CO. Sure, the authorities will hold the senior management team accountable, but you are the one most likely to lose your job, even though you have been advocating a “better way of doing things” for years now.