Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Approaching HIPAA Compliance with a Plan
Quick Take
On this week’s episode of Compliance Unfiltered, Adam and Todd tackle a topic that is on the lips of almost everyone in the compliance space: HIPAA. More to the point, the guys cover how to successfully develop, implement, and manage a plan for HIPAA Compliance.
For newcomers to HIPAA, Adam walks through exactly what HIPAA is, why it’s important, and how to effectively gain compliance with the help of a compliance-savvy consultant.
All this and more on this week’s episode of Compliance Unfiltered!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who literally does compliance problems in his head while walking the dog. It’s magic. I’ve seen it. Adam Goslin, how the heck are you, sir? I’m good, how are you doing today, Todd? I can’t complain, I really can’t. It is a good day, and out here on the west coast, the sun is shining, and I’m thankful for it.
I wish the same for wherever you happen to be listening to our podcast today. Adam, how are things in your neck of the woods in terms of health and wellness? Things along those lines. Oh, fantabulous, just living the dream. Every now and then, I wake up screaming. I can’t complain there. I definitely appreciate that.
So one of the things that I wanted to make sure that we got a chance to chat about here on Compliance Unfiltered is really a topic that everybody seems to talk about. Everybody knows the word, but it’s rare that I chat with folks that really have a finger on the pulse of what’s going on with HIPAA. Talk to me a little bit about HIPAA, about the approach to HIPAA compliance and really how to handle it.
Yeah, and I suppose I didn’t even think about this until right now, so I’m going to go slightly off track. What happens if somebody doesn’t know what HIPAA is? So it’s the Health Insurance Portability and Accountability Act of 1996. Long story short, it’s the certification which is designated for folks in the medical space. So, the thing about HIPAA that’s challenging is, there’s only about 50 or so requirements, and it might be less than that to be HIPAA compliant. And so from a count perspective, they’re like, oh, wow, that’s a lot? Under 50. I mean, some of these certs have 1000s, right? So, it’s a small count. A lot of folks go, oh, well, this seems deceptively simple. One of the problems with HIPAA is that it was initially intended as a framework for serving everybody from a single practitioner all the way up to a healthcare system. And so the requirements that they put into it are astronomically directional. To further the complication in the HIPAA arena, HIPAA takes this approach where the organization is responsible to assess their risk against the controls that they put in place, and they need to be able to justify it. Effectively, it puts a responsibility on the organization that’s going through it, that’s claiming that they’re HIPAA compliant, to internally justify their positioning on how they went through and approached resolution for any particular item that’s in the list of HIPAA standards.
Well, what’s an example of a directional item in HIPAA? I’ll give you an example. Here’s the exact wording from one of the HIPAA requirements: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. And so, it’s just a one-liner, right? Sounds easy. Well, the problem is that in order to attack this, we could tackle this particular requirement in innumerable ways. So, organizations struggle with it in a couple different ways that I’ve seen. One area is where they’ll whitewash the whole requirement and risk assessment notion, and don’t really end up getting appropriate controls in place. That poses a risk to the organization itself. If they have a problem, well, guess what? Now they’re going to come back and go, well, how did you assess this risk? And was that reasonable? Now we’ve got a lot of people coming in with opinions and thoughts, calling you out on the carpet, and you’re having to justify, oh, this is why I did this, and this is why I did that, and here’s why I didn’t do this. The other side of it is folks struggling to get controls that are strong enough in place. They want to try to meet the requirements of HIPAA, but they’re like, oh geez, what exactly is it that we need to do so that we’ve got everything covered? So I see a couple of different ways that organizations will struggle navigating the waters. Yeah, that makes a ton of sense.
What would you recommend to companies facing down a really directional standard? Well, first off, for any organization that’s going into this arena: certainly, if I’m an organization and I have to go up against HIPAA, what else do I need to go up against?
Whether it’s the industry that I’m in, whether it’s what my clients are mandating, or what other chosen adopted standards we may have taken on. But look at what that mix of certifications and standards looks like, and determine which of those are the most prescriptive that you’ve got. HIPAA is, again, very directional, so what other things do you have in your arsenal that would be a more prescriptive option? And if you have one of those real prescriptive certifications, use that as your starting point, map all of your evidence that you’ve now got in place up against that standard, and map that across HIPAA. And basically, find out what the leftovers look like.
Sure. I mean, that makes a ton of sense.
But on the flip side of that coin, not every organization is in that position. So what if a company is not subject to a more prescriptive standard? Well, one of the most prescriptive standards that’s out there, and it’s really been this way for quite some time, is the Payment Card Industry Data Security Standard. A lot of people will short form that to PCI DSS. That’s the standard to which credit card data is held. And the reason why I would use something along the lines of the PCI requirements is that it does a couple of things, or really several things, for you. One, there’s less of a reliance on internal risk assessment, and possibly increasing risk to the organization if we missed the mark. It gives a really legitimate justification: if you’re using a prescriptive standard that you fully implemented, well, now you’ve got a leg to stand on. This is an industry standard. It’s being used by people protecting this data, so the portability to my instance in the HIPAA space would be direct. The best part about PCI is it’s freely available to any organization out there. You can go out to the PCI website, you can download copies of their requirements, and be able to leverage those for what you need for your organization.
For those that don’t know, if you’re looking for that data, you go out to the PCI document repository. I’d recommend one of two of the standards to go out and take a look at. One is something called the self-assessment questionnaire D, D as in dog, so go out and look for Self-Assessment Questionnaire D, which should have all and sundry requirements. Otherwise, go out and look at the PCI DSS Report on Compliance, otherwise in short form ROC, R-O-C. But in the case of leveraging PCI, what the user has to do, and this is something that a lot of people get hung up on, is, well, this standard’s for credit card data, but I’ve got medical data. We’ll just look past the fact that the subject is focused on credit card data. Every time you’re seeing any references to credit card data, mentally swap it out and in your mind say sensitive data. And part of this is, if I look at the breadth of PCI, there are very, very few requirements which are very specific to the actual credit card industry. There’s some items in there talking about issuers, if you’re an issuer or a shared hosting provider. Some of those are going to be context dependent. But for the general user, I mean, literally 99% of what’s on that PCI requirements listing is going to be generically applicable to darn near any organization.
Well, given the example from earlier from HIPAA, what would that look like under PCI? Well, so I read you off the one-liner, the one easy-peasy one-liner out of HIPAA. The reality is that you take that and you start breaking it out into its various components. You break it out into authentication requirements. There’s a whole series of requirements under PCI Requirement 8 that covers authentication. There’s a series of requirements under Requirement 7 that cover role-based access control. Given my role within the organization, what should I have access to? Which again works in concert with access provisioning, modification, and de-provisioning requirements. And in Requirement 10, one of the things in that HIPAA item was monitoring what’s going on. Well, Requirement 10 in PCI covers a lot of the monitoring activities through things like central logging. So, if I were to blow out all the various pertinent requirements just out of those three (and there are some others that could sprinkle across and provide additional coverage for this particular requirement of HIPAA), with just those alone, you’re looking at over 30 different specific controls, rather than this one directional statement about what you should be doing. It provides a measure of specificity, so that I don’t need to be concerned about, well, should I do this or should I do that? You just go in, you grab this very prescriptive standard and go ahead and get it applied in your arena. And again, swap out cardholder data for sensitive data, and then you’re off and running.
Well, what are some of the other considerations for managing these more directional certifications? Well, I mean, certainly you want to stay organized. So, of course, I’m going to recommend using a systematic approach for managing your compliance. Well, because managing compliance sucks. So why not make it suck less? On top of that, depending on the system that’s being leveraged, in other words, the compliance management system you’re using, they may have the ability for mapping requirements from one certification standard to another. So a lot of organizations will end up sitting down and trying to map all of these things between PCI and HIPAA internally. If the platform you’re leveraging already has a starting point, mappings between the certifications, guess what? You just saved an absolute treasure trove of time not needing to go do that internally. And honestly, the target organization may not have the deep bench technical skills to be able to perform that without having to go outside to a consultant. So it can really be a huge time saver, and really give them a huge leg up in terms of just the ease with which they can go ahead and layer their certifications over one another.
Well, I mean, that raises an excellent point here. We started this conversation talking about HIPAA and now here we are talking about PCI. And for the listener, generally speaking, Adam, what type of coverage would one gain of the technical requirements for HIPAA when using something like PCI? Well, when the controls of PCI are laid out over something like HIPAA, my expectation is that the technical requirements of PCI literally would dwarf HIPAA. HIPAA especially, just because there’s only whatever, 45 to 50 different actual line items. It’s not unusual for one to take 12 different requirements or 18 different requirements and map them down over a single HIPAA line item. But at the end of the day, something that has the depth and breadth of something like PCI is going to provide basically total coverage for your technical requirements. Now, it depends on the directional cert. So if I’m going with some other directional cert, is it 100% of the technical requirements? Maybe not. But generally speaking, you take any of these, I’ll call them the big names in the compliance space, you take a HIPAA, a SOC, an ISO, NIST, CSF, PCI, and now you start bouncing these up against one another. The technical requirements side, generally speaking, unless you get something that’s really off the beaten path, maybe something like one of the DOD-specific requirements that they would leverage for somebody literally dealing with nuclear launch codes or something, the coverage is going to be pretty damn high. At a bare minimum, about 80%, in some cases, 95 to 98%. It just depends on which two certs you’re bouncing up against one another. But that’s the one thing that a lot of these organizations don’t get, is just how much coverage you can have cert to cert, and especially with something with as few requirements as HIPAA, as broad as they are. It’s almost impossible not to be able to just dwarf something like that.
Once you’re done mapping the requirements from a PCI over to a HIPAA, you end up with leftovers. Now, the leftovers, they’re not related to technical requirements.
So, there’s a couple of different elements that are situationally specific in HIPAA. Where if you’re some type of healthcare clearinghouse, there’s certain requirements that you’ve got to go meet, which for most organizations, they just N/A that and then they’re done. The one that’s omnipresent that I’ve seen in most engagements is the business associate agreement. They typically will short form that to BAA. A BAA is effectively an agreement between the receiver of the sensitive medical data and whomever they end up sharing that with. The organization that’s doing the sharing is the one that needs a business associate agreement in place with whoever they’re sharing it with, and that basically governs responsibility for data protection with those people that you’re sharing the data with. You need to have a BAA in place with each of them that provides that governance. That’s the main one that you’ll typically see left over. So when I see organizations go in and do this PCI to HIPAA style approach, the cool part is, if you’re using a system to go in and do it, you know what items are going to provide coverage and which items are not. Well now, I can take on the HIPAA track, parking lot all of the items that are already going to get covered by the other certification, and now I can laser beam focus, right? I can go in, I can focus on those items that aren’t going to be covered. I can N/A what I need to, get working on my BAAs, gathering up all that documentation while I’m curing all of the deep technical requirements of something like PCI. It’s awesome because you can just run these in tandem and effectively provide coverage for your HIPAA track as a default of using a more prescriptive standard like PCI. That’s such a detailed approach. I feel like this is something that can not only be done one time, but it will be very easy to replicate year over year. Oh, for sure. I mean, if you think about it, right?
If you’ve already gone through and you’ve done the work, and I’m using PCI as an example, but fill in the blank company maybe dealing with other stuff. I don’t know, maybe they’ve got CSF, whatever it may be. But it really doesn’t matter. Once you’ve gone in and done that initial legwork for getting all of your mappings together, certainly you’re going to be in for more entertainment the first time that you go through the process. But that said, once I’ve gone through that once, now I know my mappings. Now I know what line items mirror up to my items within HIPAA.
Certainly, one of the things which has been constantly gaining speed in the security and compliance arena is this notion of continuous compliance. Now, TCT happens to call that operationalizing your compliance. But basically what it means is those requirements that you’re responsible to do on a periodic basis. So, that’s the other nice thing about PCI: it provides some directional guidance on what the things are that we should be going in and checking on. So there’s certain things which are supposed to be done every day, every week, every month, every quarter, twice a year, and once a year. And so, with that type of a strong standard that you’re going up against as your centerpiece, or cornerstone, of your program, it also provides you with the ability to turn that into an operational track where you’re making sure you’re keeping up with all of those things that need to be done through the year. Because of the fact that you have those requirements mapped automatically down and over top of something like your HIPAA, well, now you can just go through the majority of the rigor of your security program on that more prescriptive cert. And literally, as a result, as you’re going through the year, it’s automatically dropping evidence right onto your HIPAA track. It almost fills in the blanks on the HIPAA track as you go, is one side of it. And the other side of it is that at the same time, you’re providing a very strong stance for your overall information security program, which ends up working out fantastic. You basically almost get like a two-for-one when it’s all said and done. Not the least of which is when I’m rounding out that second year. The way I describe it to people is, the first year that you’re going through, getting your program really together, that’s always super exciting, right? But year two, first year passed, we made it.
That year two is a year where you’re still getting things together, but things are starting to feel a little bit more solid at that point in the game. But certainly, by the time you’re getting into year three, year four, now your program hits its stride, you’ve got this stuff in lockstep, you’ve got your program running on all cylinders.
It’s actually awesome being able to go back and easily refer to, what exactly did we do last year? What exactly did we use for evidence last year? What exactly worked to be able to make it through our process the time before? Who did it, when did they do it?
These are all elements which are huge. And so, for those clients that are getting into that level of maturity, it starts to become substantially less painful than, unfortunately, most people’s experience in years one and two.
That’s great stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.