
Build Organizational Trust with a HIPAA Compliance Seal

Seals have been used for over a hundred years as a way to objectively convey confidence in products and services. For example, many people are familiar with the Better Business Bureau’s BBB logo and the Underwriters Laboratories UL mark.

[Images: Better Business Bureau A Rating seal; Underwriters Laboratories mark]

Now enter the digital age: we have icons indicating that a website is secure or that a business follows industry-standard privacy practices. For example, TRUSTe offers a privacy seal.

[Image: TRUSTe privacy seal]

Given the complex patchwork of U.S. legislation protecting consumer data, consumers need help making informed decisions when sharing their digital information. Equally important is giving businesses a way to convey to their partners that their programs comply with applicable regulations. Seals can do both, but benefits aside, these programs are not without drawbacks.

The Payment Card Industry Data Security Standard (PCI DSS) requires that entities that store, process, or transmit payment card data comply with a strict set of controls. When an assessment is successful, an Attestation of Compliance (AoC) is issued. This industry-recognized AoC is an excellent tool for merchants and their service providers to off-load some due diligence and reduce the scope of their security programs, which in turn reduces their risk.

So how does this translate to HIPAA compliance seals? Here are the pros and cons of obtaining a seal, or of requiring that your service providers maintain a current one.


Cons

  • Effective seal programs must be executed by a competent, objective third party. Self-certification carries little weight, since you are essentially reviewing your own controls, which is likely a conflict of interest. Engaging a 3rd party carries a cost.
  • Obtaining a seal is a point-in-time controls assessment. Material changes to the environment trigger another audit, because a 3rd party cannot attest to the effectiveness of controls that an entity has since changed. To compensate, material changes need to coincide with audit review cycles, which may not align with business objectives.
  • And finally, periodic reassessments are needed, because things change over time. So even without deliberately making material changes to the controls, you would need to invest in periodic assessments (typically annually).


Pros

  • Some laws and control sets require a controls assessment (e.g., HIPAA, PCI DSS, and GLBA). Outsourcing this work frees your team to perform the remediation tasks.
  • 3rd parties are objective, focused, and agnostic to company politics. A properly executed 3rd party HIPAA audit won’t supplant a regulator audit (e.g., HHS/OCR for HIPAA, OCC for GLBA), but it can provide additional assurance that the program is effective.
  • Should you experience a breach, a 3rd party perspective may be valuable in demonstrating that you took security seriously and implemented proper controls.
  • And finally, displaying a logo sends a message to patients, clients, consumers, and business partners that you take regulatory compliance seriously and have implemented proper security controls. These logos can be added to your websites and marketing literature to signify compliant controls.


Analysis: So is a compliance seal valuable? There is no simple answer. It depends on your industry (e.g., do you fall within a heavily regulated industry, are you receiving protected health information), your compliance posture, your risk aversion, and the size and complexity of your environment. But for many entities, being able to display a seal can give patients peace of mind and give the business a competitive advantage with its partners.

For example, if you are seeking an explanation of benefits (EOB) print solution, selecting a vendor who is HIPAA compliant is required, and a seal assists in determining their compliance posture. As such, it may make sense to select only from a pool of candidates who have successfully demonstrated compliance, for example those with a 3rd party attested HIPAA seal. Similarly, patients are becoming more privacy savvy, so they may demand that minimum security controls be in place. Do these benefits offset the associated costs? Again, it depends, but if you are off-loading work, such as required due diligence or internal controls assessments, you may even save money.

Before moving forward with a HIPAA audit and obtaining a seal, it’s prudent to look at your business model. An audit will provide objective feedback on compliance posture, which is always a good thing, but does that provide the business value to justify a HIPAA seal? As technologies continue to evolve, including algorithms to correlate seemingly disparate data stores, and as business leaders continue to find value in mining big data, validating compliance controls seems, in most business settings, a prudent step in managing risk. Positioned correctly, it can be a benefit both to patients, who want their health information adequately protected, and to business partners, who need assurance that their data is being properly secured in order to protect themselves. So while it may not make good business sense for every entity to pursue a HIPAA seal, there is good reason to think it can be a valuable tool. Contact SecureState at (216) 927-8200 or email info@securestate.com for more information on obtaining a HIPAA seal.

Comments...

    12 months ago

    Thanks for a great overview of this issue, it is easy to get side tracked in the sea of compliance and what is important.

    12 months ago

    Con: HHS has given no one authority to certify HIPAA compliance and in fact has stated that they will not because they view HIPAA compliance as an ongoing process not an event such as a risk assessment.

      SecureState: Michael Wilt
      12 months ago

      Jack, you are correct: HHS has not granted authority. However, nor have they precluded organizations from performing audits against the controls; quite the contrary, OCR/HHS provide guidance using NIST 800-53/66 to conduct audits internally and/or using third party objective service providers. As such, it’s an attestation of compliance, not HIPAA certification. Seals provide place-in-time evidence that the controls were in place at the time of the audit. With seals, they require re-engagement of the auditor for material changes to the PHI environment and again periodically (e.g., annually). This is similar to PCI (i.e., PCI-DSS RoC/AoC).

      Thanks for raising a great point. I always balance covering too much detail and possibly losing the reader and not covering enough detail to include these types of concerns. Perhaps I erred on too little here. Thanks for your interest. – Brian
