Chris Cashwell, Senior Vice President of Healthcare Solutions at Digital Reasoning, a leading provider of Artificial Intelligence-powered software for healthcare insurers and providers, and a Clearwater ClearAdvantage® customer. In this blog, Chris provides advice on evaluating and selecting a partner for HIPAA compliance and cybersecurity programs.
If your business serves the healthcare industry, invariably you will be entrusted to receive electronic protected health information (PHI). You’ll quickly learn that a strong HIPAA compliance and cybersecurity program is essential. Companies must comply with regulatory requirements under the HIPAA Security Rule and your customers will require that you enter into a business associate agreement (BAA). The BAA is a written contract that specifies each party’s responsibilities in handling PHI. Federal regulations and these contracts obligate a wide range of safeguards to ensure that PHI is not disclosed, exposed or misused.
Before even getting to the point of signing a BAA, your company’s privacy and security program will be highly scrutinized by the prospective healthcare customers. Breaches among healthcare vendors, regulatory enforcements and privacy lawsuits are at an all-time high. As a result, healthcare organizations are drastically increasing their expectations and standards for vendors to safeguard patient data.
HIPAA compliance and cybersecurity are a top priority.
At Digital Reasoning, we build software that understands human communication, context, and meaning to create value at enterprise scale. In healthcare, we deploy AI-powered software within health systems and insurers to deliver a positive impact on clinical, financial and operational outcomes. Even if your company has a strong cybersecurity program, healthcare has unique requirements, regulations, and other specific needs. Healthcare security teams speak their own language. It’s not just about meeting requirements but also how you communicate the features of your cybersecurity program in the security assessments and review process. This step in the sales process can frequently create impediments or delays for the unprepared. Strategic companies can transform their privacy and security program from a roadblock into a competitive advantage.
Expert partners in cybersecurity are a necessity.
As Clearwater discussed in Compelling Reasons for Business Associates to Outsource their HIPAA Privacy & Security Program as a Managed Service[1], we realized outside expertise is imperative. Through evaluating vendors, selecting and working with Clearwater over the past 18 months, we learned two important things:
- Building a HIPAA compliance and cybersecurity program that’s not simply compliant but exceeds customer expectations is a continuous process demanding strong program management. Expert partners go beyond developing the program to structuring an ongoing process for improvement and rapid response to even the most detailed security assessments.
- While there are many cybersecurity vendors, few are specialists in healthcare. Choosing the right partner that understands what your healthcare customers require, as well as how that applies to your unique business and its objectives, is critical.
Below I outline some key criteria to look for when choosing partner that will not only help you mature your HIPAA compliance and cybersecurity program, but also help you to leverage the program to aid in winning new business.
Key Criteria
- Expertise and Focus on Healthcare
While many privacy and security programs share the same foundational concepts, in healthcare there are specific regulatory requirements, best practices and standardized approaches to implementing those requirements. Your partner must have extensive experience and expertise in building and executing HIPAA compliance programs and working with companies that are reflective of your business and your customers. They must be able to advise you as changes occur and make corresponding recommendations.
Clearwater’s position as a thought leader and educator in healthcare privacy and security was immediately apparent from our first meeting. They demonstrated deep experience in helping technology companies like us create and maintain privacy and security programs that comply with HIPAA. For instance, we were impressed that Uber Health’s general manager frequently cites their partnership with Clearwater as a testament to Uber’s commitment to HIPAA compliance[2]. Clearwater’s experience has been invaluable in enabling us to understand and implement what our healthcare customers require.
- Broad and Diverse Skills Set
As we grew across different sectors of the healthcare industry, we recognized that portions of our HIPAA compliance and cybersecurity program would require a diversity of skill sets and expertise. When choosing a partner, it’s important to make sure the company offers a broad range of experience in different domain areas that might be pertinent to your product or to your customers.
One of things we appreciate about Clearwater is that its bench runs wide and deep. While we work with a program leader day-to-day who performs most our services, he can tap into any of Clearwater’s specialized experts, or bring in supplemental support, if and when we need it.
- Full-Service Program, Customized to Fit Your Business
A key objective of supporting your program is to reduce the learning curve that comes along with building a robust HIPAA compliance and cybersecurity program. Competent vendors will take the time to evaluate your current program and co-create a solution that meets your specific needs or gaps.
While other vendors were quick to provide us with a proposal, Clearwater invested time to educate our team and understand the state of our current program. They helped us build and execute a vision. Clearwater also took a practical approach with flexibility in program design in consideration of time, budget and resources. Ultimately, they designed a customized program both comprehensive and cost competitive.
- OCR-Quality Security Risk Analysis
A risk analysis is the most critical part of a business associates’ cybersecurity program as it evaluates the risk associated with all of the threats and vulnerabilities applicable to the information systems that will maintain or transmit your customers’ PHI. A risk analysis is the only way you can know if your controls are sufficient to reduce risk to an acceptable level. Your healthcare customers will expect you to perform an OCR-Quality Risk Analysis™ annually. When evaluating a partner, make sure that performing a risk analysis that follows the Office for Civil Rights’ (OCR) requirements is in in their “sweet spot” of their services. Unless the firm is a healthcare specialist, it’s unlikely it will be an expert on the specific methodology or have the tools in place to conduct the risk analysis.
Clearwater helped take our risk analysis to the next level – building stronger compliance and internal operations. Clearwater’s program included IRM|Analysis™ software and an annual risk analysis performed by consultants who specialize in this work. We now feel comfortable that our risk analysis would pass the most stringent of audits.
- Enabling You to Respond Well to Customer Security Assessments.
Any organization enduring a rigorous security and HIPAA compliance assessment from a health system or payor knows that it’s not only about what you say, but also how you say it. Your response to a customer’s security questionnaire will be indicative of your company’s experience and maturity when it comes to safeguarding PHI. Your partner should be highly focused on helping you to improve your ability to respond to these evaluations, as well as helping you to respond to the evaluations themselves.
One of things that attracted us to Clearwater was that we share the some of the same customers in the provider market – several large health systems. In fact, Clearwater even created vendor risk management programs and security assessments for the very customers we were targeting. As a result, they have a deep understanding of what our customers were looking for. The Clearwater team helped us to immediately focus on the areas that were most important to our prospective customers and communicate in a way that made them comfortable.
A Winning Partnership
Selling solutions and services to the healthcare industry can be attractive. Nevertheless, if you’re handling PHI as a business associate, you must build a robust HIPAA compliance and cybersecurity program to meet customers’ expectations. Partnering with an experienced, healthcare-focused compliance and cybersecurity firm to implement and manage your program can position your company ahead of its competition. With the right qualities, your managed service provider will enable you to comply with HIPAA, protect ePHI, and ultimately help you win more business.
To learn more about the ClearAdvantage® program, visit https://clearwatercompliance.com/hipaa/clearadvantage-program/.