The new SecureState HIPAA Compliance seal is leading to an interesting conversation taking place on the consulting firm’s site. The company is a global management consulting firm focused on information security.
The pros and cons of such a program are offered and both of the following questions are being asked: Is a HIPAA-compliant seal is worth the effort and would it be relevant?
For business associates of healthcare entities, becoming HIPAA compliant can be a daunting task, and proving compliance to a possible partner can be even harder, which is SecureState developed one.
As such, the SecureState’s Qualified Security Assessors have developed a seal, providing a means for businesses to convey that their programs comply with applicable regulations based on its independent third-party attestation.
According to the company, given the depth and complexity of regulations, and the pending Omnibus changes, they think such a seal has value.
Specifically, though, what are the pros and cons of obtaining a seal, or requiring service providers maintain a current seal?
“SecureState’s HIPAA compliance seal for business associates provides an easy way to prove to potential partners you are HIPAA compliant.” Said Matthew Neely, SecureState Director of Strategic Initiatives.
According to Secure State:
- Effective seal programs must be executed by a competent objective third party. Self-certifications carries little weight, since you are essentially reviewing your own controls – likely a conflict of interest. Engaging a third-party solution carries a cost.
- Obtaining a seal is a “place in time” controls assessment. Material changes to the environment would trigger another audit, as a third-party cannot attest to effective controls if an entity changes them. To compensate, material changes need to coincide with audit review cycles, which may not align with business objectives.
- And finally, periodic reassessments are needed, as things change over time. So even without cognitively implementing material changes to the controls, you would need to invest in periodic assessments (typically annually).
- Some laws/controls sets require a controls assessment (e.g., HIPAA, PCI, and GLBA). Outsourcing this work frees your team to perform the remediation tasks.
- Third parties are going to be objective, focused, and company politics agnostic. A properly executed Third-party HIPAA Audit won’t supplant a regulator audit (e.g., HHS/OCR for HIPPA, OCC for GLBA), but could provide additional assurance that the program is effective.
- Should you experience a breach, providing a third-party perspective may be valuable in suggesting you took security seriously, and implemented proper controls.
- And finally, displaying a logo sends a message to patients, clients, consumers, and business partners that you take regulatory compliance seriously and that you have implemented proper security controls. These logos can be added to your websites and marketing literature, signifying compliant controls.
Is a compliance seal valuable? Perhaps your thoughts will differ from those of SecureState, the the consultants there think there is no simple answer. “It depends on your industry (e.g., do you fall within a heavily regulated industry, are you receiving protected health information), your compliance posture, risk aversion, and the size and complexity of your environment. But for many entities, being able to display a seal can provide patients with peace of mind and business partners a competitive advantage.
“For example, if you are seeking an explanation of benefits (EOB) print solution, selecting a vendor who is HIPAA compliant is required, and a seal assists in determining their compliance posture. As such, it may make sense to only select from a pool of candidates who have successfully demonstrated compliance – for example those with a third-party attested HIPAA seal.
“Similarly, patients are becoming more privacy savvy, thus they may demand minimum security controls be in place. Do these offset the associated costs? Again it depends, but if you are off-loading work – such as required due diligence or internal controls assessments – you may even save money.
Advice from SecureState about proceeding with a seal audit: It’s prudent to look at your business model. An audit will provide objective feedback on compliance posture – always a good thing – but does that provide the business value to justify a HIPAA seal?
“As technologies continue to evolve, including algorithms to correlate seemingly disparate data stores and business leaders continue to find value in mining big data, validating compliance controls seems in most business setting a prudent step in managing risk. Positioned correctly it can be a competitive advantage for both patients – seeking to have their health information adequately protected – and business partners who need assurances that their data is being properly secured, to protect themselves. So while it may not make good business sense for all entities to pursue a HIPAA seal, there is a preponderance of data that suggest it can be a value tool.
“Many businesses struggle with filling out multiple questionnaires to prove they are HIPAA compliant, or even worse need to go through multiple audits from different vendors,” said Neely. “A HIPAA compliance seal provides a simple solution to this problem. Go through one HIPAA audit and use the seal to prove you are compliant to all your business partners or to insurance vendors.”
So, is a HIPAA compliance seal worth the effort for those in the industry?