I remember the time I was kidnapped and they sent a piece of my finger to my father. He said he wanted more proof. - Rodney Dangerfield
Anybody can, and many companies do, put "HIPAA Compliant" on their websites and marketing material. Complying with HIPAA is essential to selling software that processes, stores, transmits, or somehow touches ePHI. It's an essential, though non-differentiating, feature of any B2B healthcare technology product. The reason companies can self-attest to being HIPAA compliant is that there isn't a certifying body, or accompanying certification, for HIPAA. That's problematic for both vendors making and selling healthcare software to enterprises and enterprises buying software from third party vendors. Let's talk briefly about those two camps.
Vendors. Compliance is a challenge because vendors constantly answer the same questions over and over again, though often phrased differently or in different formats (word docs vs spreadsheets). They often must provide different forms of evidence for each of these reviews. Not having evidence, or not having validated (externally audited) evidence, can slow the process and extend sales and implementation cycles.
- Enterprises. Compliance is problematic for enterprises because they need to collect and review different forms of evidence and responses to questions from vendors. This takes time, does not typically leave security and compliance groups with lots of confidence since the evidence is so scattered and largely self-attested. Angst is often created between business buyers and compliance groups.
The end result is an inefficient process of security and compliance reviews where vendors and enterprises essentially reinvent the wheel for every new relationship. It's akin to how EHR integrations work today in that every new contract for a vendor or enterprise is like creating a new point-to-point relationship. Similarly, it can be a big stumbling block for vendors, especially smaller ones that have a hard time absorbing the cost of longer sales cycles.
HIPAA vs PCI
The financial industry, in contrast to healthcare, created a standardized certification for processing financial transactions or storing financial data. The PCI DSS is a set of rules and requirements that can be tested, with passing resulting in certification to process financial transactions. Financial organizations and vendors work with a qualified security assessor in order to be certified. As opposed to HIPAA, organizations cannot self-attest to being "PCI Compliant".
The reason for the differences between the financial industry (PCI) and the healthcare industry (HIPAA) is that PCI was created and is maintained by the private sector. If you look at who governs PCI, it's almost all the large financial institutions. Essentially PCI is self-governing. HIPAA, in contrast, was created and is maintained by Health and Human Services (HHS), a government agency responsible for many different areas of healthcare. HIPAA is interpreted and enforced by non-government organizations and not HHS.
Change is coming in healthcare that will make HIPAA more like PCI. The changes are represented in the new compliance framework and certification called HITRUST.
HITRUST, like PCI, is governed by a board made up of large private sector healthcare organizations like Anthem and United Healthcare. HITRUST maintains the Common Security Framework (CSF), which is essentially a PCI DSS for healthcare and HIPAA. Similarly to PCI, HITRUST CSF Certifications are granted to organizations that complete the CSF, have the results validated by an approved third party assessor, and then are verified by HITRUST itself. The resulting form of evidence is a certification and standard report. Catalyze has been through the HITRUST process and is awaiting final verification from HITRUST.
How to Prove HIPAA Compliance
Different paths can lead to HIPAA compliance. To be clear, we're talking about proving compliance with HIPAA as part of an enterprise (payer and provider system) deployment. We've outlined a couple of options below. We have personal experience with each path, and have Catalyze customers that fit into each, so we feel confident discussing the pros and cons of each.
Path 1 - Self Assessments
The first option does not require third party verification or auditing. Not shockingly, self assessments are the easiest and least expensive, at least in terms of direct costs, to show compliance with HIPAA.
Downsides proliferate, however. The inspiration that led to the formation of Catalyze was based on our experience trying to sell modern, cloud-based software as part of a previous venture; it's also important to note this was just before the new HIPAA Omnibus Rules went into effect in late 2013. We were selling to large healthcare enterprises (mostly academic - UCSF, University of Colorado, etc) and trying to prove compliance with HIPAA based on our own assessment. We were spending the majority of our time configuring our technology and updating our policies and internal procedures in order to deploy our technology and complete sales. All that time, effort, and work was going into things that our users would never see or appreciate. It's the reason we built Catalyze and the reason we open sourced our policies and procedures.
Without official audit reports you must illustrate your compliance story through hand-crafted documentation. You can simply respond to compliance questionnaires with specific technical settings, but you may also have to provide some form of proof (like screenshots of settings or links to policies).
A better approach is to use some type of framework to pre-compile answers to questions around HIPAA. The best framework to use is the Audit Program Protocol from OCR (part of HHS). Companies complete this framework to at minimum identify existing gaps before talking to compliance officers. Another option is to complete the Common Security Framework (CSF) from HITRUST. This is more involved and takes more time than the OCR framework but provides a standardized report (not a spreadsheet you created yourself for the OCR framework). Self-assessing with HITRUST also has a cost, whereas the OCR framework is free.
Be prepared to answer many questions. You will need both technology settings and policies to prove compliance. You need to assure technology (things like backup and DR) and internal procedures (things like training) are in line.
We've been through multiple third party audits at Catalyze. Based on that experience, we discovered transparency and proactive approaches to HIPAA have value for everyone. We decided to publish our policies and our mappings to HIPAA. The HIPAA page is very close to a web page representation of the OCR audit framework linked above. If you're interested in leveraging our design for these pages, please let us know and we'll be happy to provide you with the code to host it yourself. Also, both our policy page and HIPAA page are dynamically generated by Github repos, which serve as the master source and provide a great form of version control (good for an audit). Our policies are written in Markdown for simplicity.
Less upfront time and effort
- Lower cost
Can derail (or drastically slow) sales process
- A lot more effort during the sales process (it will require a lot more time learning about HIPAA to respond to questions)
Path 2 - Full third party audits
Audits are not fun. Audits are not cheap.
In a previous life, Catalyze's CEO, Travis Good, conducted technology assessments for HIPAA audits in addition to Catalyze completing three external audits. We feel we have a good understanding of the process and value. Despite the effort and cost, audits are the single best way to streamline the security and compliance portion of the sales process.
We fully realize audits aren't an option for many smaller organizations. We are often asked "when should I do an audit?" and "do I have to do an audit to close a deal?" The answer to the latter question is an emphatic No, you don't have to do an audit to close a deal with a healthcare enterprise. The answer to the former is harder to answer. Of current non-enterprise Catalyze customers, less than 5% have done external audits (we think this is fantastic, actually).
Vendors typically do audits once they have about 4-5 enterprises customers. At this point companies shift to scaling sales based on lessons learned from early reference customers. It may have taken 12-24 months to acquire the initial 4-5 customers; acquiring the next 8-10 customers must be faster. Scaling sales means adding more sales agents, many of which won't have the same experience selling and answering questions about security and compliance; in this context, audit reports are empowering to sales people. Also, organizations with 4-5 customers typically have more resources. All those factors seem to push vendors over the tipping point of doing an external audit. The audit is a tool to help vendors accelerate and scale sales efforts. Maybe the best way to answer the question around when to do an audit is to say that doing an audit makes sense when security and compliance is the main bottleneck for sales.
While you may still have to answer questions from each customer about security and compliance, providing your audit reports will go a long way to circumventing long, drawn out security and compliance reviews. On many occasions, you may only get asked about gaps that exist in your audit reports. Oftentimes those gaps will have associated remediation plans and you may get asked if gaps have been remediated. In essence, you've proven compliance to third party auditors so there's a lower burden of proof for your customers.
Speeds up sales process
- Puts less of a burden on internal resources (sales and tech) to be well versed in HIPAA
It's expensive and time consuming
- They do become out of date so need to assure you revisit, likely annually
Types of audits
Broadly speaking, there are two main healthcare compliance frameworks that you can be audited against
HIPAA (from HHS)
We've done both at Catalyze. We started with HIPAA, as our auditors recommended, and then moved on to HITRUST. We began with a HIPAA gap assessment, which most auditing firms will recommend if it's your first audit. Basically a gap assessment is lighter weight in terms of verifying things and is meant to, as the name implies, identify gaps in your compliance and security programs when mapping those programs to HIPAA rules. Once you know the gaps you can address them, or mitigate them if they can't be addressed for some reason. From there, a full HIPAA audit is a lot easier and holds a much higher chance of success.
Once we'd completed our gap assessment, addressed our gaps, and then completed our HIPAA audit, we did our HITRUST audit. The official term for that a Validated HITRUST Assessment. We opted to complete the HITRUST assessment because
More enterprises were asking about it
A strong security and compliance program and culture at Catalyze is important
- It is a valuable tool for our customers in their sales process
As opposed to HIPAA audits, which are somewhat customized by each auditing firm, HITRUST has created one framework (the CSF linked above) that all entities are assessed against. It doesn't matter if you're small or large, the framework is the same. Some variability exists around the scope of a HITRUST audit as there are certain aspects of security and compliance that apply to some organizations and not others. HITRUST also has the concept of risk levels which determine the extent of questions organizations need to answer and prove. The bank of questions and resulting report are standardized. It is a true certification, as opposed to HIPAA.
For us, the HITRUST assessment involved two site visits and completing 278 different question areas. Each question area required attestation of 5 different maturity levels and each maturity level required some form of justification and/or proof. Also, many questions required additional comments to add context and specificity for how the question area fit with Catalyze. Taking out the comments and back and forth as HITRUST and our auditors reviewed our responses, that's just under 7,000 responses. Completing the 7,000 HITRUST entries was made more painful by the incredibly slow (think spinning pinwheel) response times in the CSF web app.
Other certification-type frameworks exist, like the DIRECT certification and Meaningful Use. These can be used as a proxy for an audit, as they do assess certain aspects of security and compliance programs, but these don't hold as much weight as HIPAA or HITRUST audits.
Cost of an audit
Cost is a common question. This is too broad a topic to completely cover here because the real cost of audits involves more than the direct cost. For example, try to estimate the cost of completing 7,000 entries in a slow web app for a sense of the indirect costs.
Most want to know the direct costs, which is easier to compute. From our experience, and those of customers and contacts at other modern tech vendors, the average cost of audits is about $20,000 for a HIPAA gap assessment, $20,000-$25,000 for a full HIPAA audit, and $30,000-$35,000 for a Validated HITRUST Assessment (includes both auditor's fees the the licensing fee to HITRUST). Variability exists from audit firm to audit firm but these prices are consistently what we hear.
Path 3 - Middle Road: Inheriting Proof
If you've gotten this far, chances are neither Path 1 or 2 above appeal to you. Path 1 is easy but can kill sales. Path 2 is expensive, extremely time consuming, and you might run out of money before you start selling. We've been in your shoes. When we sat down as a team and decided to build Catalyze, pivoting out of our previous venture, neither Path 1 or 2 seemed terribly appealing to us.
Catalyze was built to create Path 3. There had to be an easier way to build modern healthcare technology, practice modern development practices, comply with HIPAA without having to hire a compliance expert, and to prove compliance with HIPAA without doing a full audit.
As technology has evolved and computing has become distributed, driven largely by easy-to-use cloud platforms and APIs, different requirements of HIPAA are getting distributed across partner organizations. It's why HHS expanded who is covered under HIPAA to include subcontractors. Covered entities work with business associates who in turn work with one to many subcontractors. In this brave new world, certain requirements under HIPAA are inherited by business associates from their subcontractors.
The industry has proven our early assumptions. Many customers utilize our audit reports, policy page, and HIPAA mappings as the cornerstone of their compliance programs. These resources, collectively what we refer to as a HIPAA Sales Package, are a core part of the value that we provide to our customers. We've spent 1,000s of hours on security and compliance (policies, procedures, audits, technology, training, etc) and $10,000s on audits so our customers can focus on what they do best. Our customers inherit our work and our expertise, making compliance and trust a core part of their products. In fact, several of our customers have told us they've delayed audits because they leverage Catalyze.
When our customers do decide to go down the path of doing a full audit, we help them in the process and make it less time consuming for them. Since we've been through multiple HIPAA and HITRUST audits, our customers give their auditors our documentation and audit reports to show evidence of certain aspects of HIPAA.
How is Path 3 different from Path 1 and other "compliant" cloud options? If you've built and configured your own technology on a traditional hosting vendor like AWS, you're going to have to prove every aspect of HIPAA compliance. You can point to the hosting vendors SOC2 (other audit reports) and BAA, but those only a address a small subset of the HIPAA rules like physical security. All other aspects of HIPAA, from a technical perspective, is yours to prove. The same goes for the admin side of HIPAA, though this is typically less important to security and compliance groups that the technical rules. With Path 3, we offer a fully audited platform and address more of HIPAA than any other option.
Choices, choices, choices
In the end, the path you choose to prove HIPAA is up to you and will be driven by your available resources, both financial and human. We've focused here more on the technical requirements of HIPAA, but the administrative side is also relevant. Completely addressing both the technical and administrative side of is necessary to proving compliance with HIPAA.
If you're interested in learning more about how we can help with the technical aspects of HIPAA, don't hesitate to email us. If you have specific questions about any of this, please let us know and we'd be happy to respond.