Two False Statements About HIPAA Requirements

By Rebecca Herold

April 1, 2025

We’ve been seeing a disturbing trend. Since January, four of our clients, all small HIPAA business associates (BAs), have asked us essentially the same two questions. In each case the questions came out of a HIPAA compliance assessment performed by a different assessment business, which the BA’s own clients, all healthcare provider covered entities (CEs), had sent to assess the BA’s organization.

Here, in general terms, are the two questions each of the four BAs brought to us, based on what the HIPAA compliance assessors told them HIPAA required.

  1. The HIPAA compliance assessment company personnel told us that HIPAA requires all CEs and BAs to own all their own computing devices and software; that we couldn’t use any cloud services. Is this true? We use a cloud service for the software we use, and we each use our own personally owned computers. We can’t afford our own servers!

No. That is not true. HIPAA does not require CEs and BAs to own all the network hardware, software, and related components that they use to support their business. There has never been a HIPAA requirement that a CE or BA must actually own its own network and associated components. That would be financially prohibitive and infeasible for most CEs and BAs. No such requirement appears in the HIPAA regulatory text, in NIST SP 800-66 Rev 2, or in any of the HHS OCR HIPAA enforcement activity reports.

Outsourcing networks, applications, systems, storage, and so on to third parties is a widespread practice, and has been for many years. It is a very common way for organizations to afford the networks and associated components they need. Expecting all CEs and BAs to own all of the networks and associated components they use to support their business would be like expecting all CEs and BAs to own the buildings where they have offices and do their work. It is simply not feasible, and it does not support the intents, goals, or requirements of HIPAA, especially when such ownership would be expensive and would not provide a corresponding level of risk mitigation benefit.

CEs and BAs do not need to literally own their own hardware, software, firmware, brick ware, real estate, etc. to comply with HIPAA, nor most other regulations and laws.

  2. The HIPAA compliance assessment company personnel told us that HIPAA requires us to obtain a SOC2 certification. Is this true?

No. HIPAA does not require CEs and BAs to use specific commercial products. There has never been an explicit HIPAA requirement that CEs or BAs must spend money on a specific commercial product or service to meet compliance, especially when the related actions can be accomplished by a CE or BA using other methods.

HIPAA also does not require specific types of security and/or privacy certifications for compliance. Such a requirement would diametrically oppose the passage from § 164.306 Security standards: General rules, quoted a few paragraphs below. The associated costs would also be infeasible for most CEs and BAs. By the way, SOC2 certification isn’t even specific to HIPAA, and it does not cover all HIPAA requirements.

Such a requirement would be financially prohibitive and infeasible for many CEs and BAs. No such requirement appears in the HIPAA regulatory text, in NIST SP 800-66 Rev 2, or in any of the HHS OCR HIPAA enforcement activity reports. Expecting all CEs and BAs to spend money on a specific commercial security and/or privacy certification product would also likely be viewed as a conflict of interest for HHS, and would likely be cost prohibitive for many, if not most, CEs and BAs.

Some CEs may contractually require specific tools, software, or certifications from the BAs that work with them. However, that is a different issue and situation.

HIPAA does not have such prescriptive requirements. If a vendor claims HIPAA requires such services and tools (and, by the way, also sells those services and tools), they either do not actually know HIPAA requirements, or they are being willfully deceptive.

Every covered entity (CE) and business associate (BA) is responsible for performing due diligence to ensure those contracted systems they are using to support their business are sufficiently secured to mitigate risks to acceptably low levels, taking into consideration their own business’s operating ecosystem, while also complying with applicable legal requirements, including HIPAA.

The verbiage within HIPAA makes it clear that it is not prescriptive with regard to the use of specific types of technical, administrative, organizational and physical controls and protections. As one example, § 164.306 Security standards: General rules, states HIPAA allows:

(b) Flexibility of approach.

(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

The Department of Health and Human Services (HHS) is the federal regulatory agency responsible for HIPAA compliance. Cost is one of the aspects of compliance that they take into consideration for related compliance enforcement and investigation decisions, as supported within many of their publications, including 78 FR 5566.

The Regulatory Flexibility Act requires agencies to analyze and consider options for reducing regulatory burden if the regulation will impose a significant burden on a substantial number of small entities. The Act requires the head of the agency to either certify that the rule would not impose such a burden or perform a regulatory flexibility analysis and consider alternatives to lessen the burden.

It is not expected that the cost of compliance will be significant for small entities. Nor is it expected that the cost of compliance will fall disproportionately on small entities.

For the aspects of HIPAA compliance costs and flexibility, HHS, HIPAA, and the other regulatory guidance documents do not prescribe requirements for specific commercial products or services.

In short, HIPAA clearly establishes that each CE and BA:

  • Is accountable for performing the due diligence activities needed to comply with all HIPAA requirements applicable to the systems and services each uses to support its business, in the ways that best align with its business operations and associated ecosystems.

  • Can make its own decisions about owning its own software, hardware, and firmware, or contracting for the use of others’, while also ensuring that the associated activities have HIPAA compliance risk mitigation controls in place, as appropriate to its own business ecosystem.

  • Is responsible for determining the most feasible, cost-appropriate activities that also support HIPAA compliance; these may include obtaining certifications, with the understanding that CEs and BAs are not required to obtain such certifications to be in compliance with HIPAA.

Way back during the “dot com bubble,” I worked for a short while at a consulting business that had acquired the consulting business I was previously working at. I found the business practices my new employer used were unethical, and focused more on ways to mislead and get each client to purchase more services and products instead of delivering the most value for each service possible to each client, in a transparent manner. The account managers were also sales directors, who didn’t have much experience with HIPAA, but were telling those of us doing the assessments to push additional services and products the business offered within our recommendations. This pressure to make such recommendations, which usually could be accomplished by the clients themselves, or weren’t necessary for the identified risks, or weren’t needed to meet HIPAA compliance requirements, stressed me out. I refused to be dishonest this way. I didn’t stay there long. I hope this type of practice is not becoming a tactic used widely again, but it seems to be. Ultimately, it will be harmful and businesses will view taking information security and privacy actions as unnecessary evils. Instead, security and privacy vendors should run their businesses in such a way that organizations will instead view information and IT security and privacy as something positive and necessary to protect their businesses, employees, patients, and customers.