This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.
Linda Sanches, a senior advisor on health information privacy to the Department of Health and Human Services (“HHS”), recently told a conference audience that she believes that about 66% of HIPAA-regulated health care organizations or providers have not performed the mandated audit of the security controls of their electronic health records. That is a major problem. Not only are internal security audits required under HIPAA (including for HIPAA hosting solutions), but regular security audits are a best practice for protection against the liabilities and costs associated with a data breach.
For smaller organizations, the notion of performing regular security testing on systems that should “just work” is often daunting. The ease of performing such audits varies with the size and structure of the organization: in larger entities, in-house technologists can perform the audits in the course of regular workflows. For many smaller organizations, however, auditing systems requires retaining an outside expert to complete the task. Senior management often perceives this as costing precious time, which is already at a premium, and as disrupting office workflows should a system need to be taken offline or should an employee need to assist in the audit at the expense of his or her usual tasks.
But there can be no doubt that failure to conduct regular security audits can be a costly failure for HIPAA-regulated organizations. The Office for Civil Rights, the department within HHS responsible for ensuring compliance, has repeatedly stated that it intends to increase the frequency with which it audits both Covered Entities, such as ambulatory centers, hospitals and medical practices, and their Business Associates (organizations that do work on behalf of or for Covered Entities and require access to patient-identifiable health information, such as IT consultants and law firms). As such, Covered Entities and Business Associates that do not regularly audit their security systems are at an increased risk of being found in violation during audits and assessed fines or other penalties. From a practical perspective, organizations that do not consistently audit and then update their systems to protect their assets from new threats are also at a higher risk of a security incident and potential breach, which can likewise lead to fines and penalties.
Fortunately, the pain point created by regulations that require regular security audits can often be alleviated by deploying cloud-based solutions in HIPAA-regulated organizations. Cybersecurity safeguards often fall outside the core competency of many doctors and their office staffs, while cloud providers retain on staff experts in the security field to ensure that their information safeguards are up to industry standards and that their information management procedures are regularly followed.
As such, smaller organizations may consider achieving the required security compliance by retaining a cloud vendor. Yet it is not that simple or quick. The smaller or mid-sized medical practice should request and review the cloud provider’s most recent and relevant security audits (not all third-party security audits address the sort of information management challenges medical practices face). Indeed, cloud providers that promote their security prowess by holding themselves out as meeting HIPAA standards often will provide third-party security audit reports to potential customers, though sometimes only under a Non-Disclosure Agreement. Relying on the security core competency of a cloud provider to provide and maintain a certain level of security can, if the practice performs appropriate due diligence on the provider’s security capabilities and representations, allow smaller organizations to enhance protection from cyber threats that they may not even know exist.
By Kenneth N. Rashbaum, Esq. and Jason M. Tenenbaum of Barton, LLP.