Recently, I had the honor to lead a virtual panel discussion featuring two Clearwater customers – Kezia Cook-Robinson, ESQ, CHC, CHPC, CIPP/G, CIPP/US, Compliance and Privacy Officer for Uber Health; and Chris Cashwell, Senior Vice President of Healthcare Solutions for Digital Reasoning. Through their work advancing the medical transportation market and the application of artificial intelligence in healthcare, Uber Health and Digital Reasoning are great examples of how technology is dramatically improving how we access and deliver care. Through their commitment to building strong Cyber Risk Management and HIPAA Compliance programs, Uber Health and Digital Reasoning are also great examples of how leading technology companies are recognizing the importance of maintaining the privacy and security of the patient data that flows through their systems as they help power healthcare’s digital transformation.
With third-party breaches continuing to rise, healthcare providers have drastically increased their expectations and standards for vendors (classified as “Business Associates” under HIPAA) to safeguard patient data.
- Number of breaches involving a business associate, first half 2020 vs. second half 2019: +47%
- Number of individuals’ records in breaches involving a business associate, first half 2020 vs. second half 2019: +745%
* Excludes Optum360 breach submitted to HHS on 7/1/19, but reported by AMCA in May 2019
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf; data accessed July 9, 2020.
In this blog, I capture some of the key take-aways from my discussion with Kezia and Chris. I invite you to review the full webinar recording here.
With the surge in cyberattacks over the last six months, have you seen your customers become even more demanding with regard to how they look at your data privacy and security practices?
Chris Cashwell: The bar has certainly been raised. It’s no longer good enough to just check the box with compliance. Compliance is just the start of what we’re doing, and what we see is our clients and prospects asking us to comment and react to what’s going on in the outside world, not just what our internal policies, procedures, and standards are. So that takes privacy and security to another level of sophistication, of being part of the DNA of what we do.
Telling them is not enough anymore. You have to show them, and we certainly see an increase in that mentality of the folks that we work with.
Kezia Cook-Robinson: Many healthcare providers now expect their business associates to perform risk analyses and risk assessments and have risk management plans before entering into a business associate agreement (BAA). This is their way of ensuring that their vendors are able to comply with HIPAA Security Rule requirements as well as their requirements outlined in the BAA. You have to show that you have a strong understanding of HIPAA and areas of potential non-compliance.
Many technology companies are challenged with responding to HIPAA compliance and cybersecurity questionnaires when they approach healthcare providers. Can you tell us a bit about your experience with customers’ expectations, what steps you have taken to transform your program, and how your business has benefited?
Chris Cashwell: In many cases, the questionnaire is one of the first real touchpoints between us and a new prospect. It’s an important opportunity for us to establish our credibility. It’s also an opportunity for us to engage and inquire about anything that we may see in their ecosystem that could trip up both of us going forward.
Cybersecurity and protecting patient information is a companywide effort, not just the responsibility of the security officer or the compliance officer. When we complete these questionnaires, we circulate them throughout the different verticals of the healthcare group and let everyone see how the latest product feature or function could affect something that we’re doing from a security standpoint. It’s all linked and closes the loop.
You only get that one shot to make a first impression. And if, at the very beginning, you can create that relationship with the IT folks at your prospect or customer, then it just makes the rest of the process go so much smoother and allows you to take advantage of that.
On various pieces of marketing literature, your website, and even in media interviews, we’ve heard the term “Built with Compliance”. That was one of the key messages for Uber Health when it entered the medical transportation market. Can you tell us a bit about how you arrived at that expectation?
Kezia Cook-Robinson: One of Uber’s core values is that we do the right thing, period. We built privacy and security into the foundation of our products and our programs, drawing on these values. We did this by engaging with HIPAA experts like Clearwater, who has been a great partner to us. Clearwater came in and helped us to perform the risk analysis so that we could have a program that’s customized for the healthcare industry with safeguards and controls in place to protect the privacy and security of the protected health information that we receive from our customers.
Once you understand what your obligations are, then it is up to you to find a partner that can help you to perform a quality enterprise risk analysis, which is necessary in order for a Business Associate to meet the requirements enforced by the Office for Civil Rights under the HIPAA Security Rule.
I believe that a lot of the amplified privacy and security obligations and standards for business associates are actually born out of the fact that covered entities can share an immense amount of data with their vendors, and it used to be that covered entities were the only organizations held accountable for complying with HIPAA. Business Associates’ compliance obligations were limited to what the parties agreed to in the business contract. But this is not the case anymore. Business Associates have a responsibility to keep the data they receive protected.
How has the advancement of your program helped the organization to make better risk-based decisions and to think about where it spends its money when it comes to security?
Chris Cashwell: As we look at it, the risk assessment allows us to put the resources in the right place for the immediate need but then also to understand what’s coming down the road. Having that roadmap keeps you from having as many of those surprise discussions throughout the year in the budget and planning process. From a resource standpoint, it’s a good reminder that this is always going to be a journey. It’s not a destination. It is evolving every day based on what’s going on in the outside world. Having a strong, risk-based approach allows you to move those priorities around when something happens but still keep your eye on the bigger overall plan.
Tell us about your cybersecurity governance process. How are you thinking about risk and measuring risk? How is the issue of risk management viewed by leadership?
Kezia Cook-Robinson: Through the risk analysis and the risk management plan at Uber Health, the business is able to fully understand what the risks are. And we’re able to not only articulate the risk but also understand what resources may be necessary to mitigate the risk.
It informs strategic decision making and helps create a culture where privacy and security are valued.
Clearwater thanks Kezia and Chris for the great insights they have shared.
To learn more about how your organization can build a strong Cyber Risk Management and HIPAA Compliance program that exceeds your customers’ expectations, reach out to Clearwater at info@clearwatercompliance.com.