I am putting the finishing touches on an executive presention for a client. Our finding, after a series of technical tests, a review of their policies and their security administrative compents was that they are generally proactive on securty from a technical perspective but any additional maturation or improvement of their program requires management involvement.
I am going to present this to senior management team that has already informed me they don't want to hear that message.
This isn't the first time Jacadis has encountered such a situation.
Why should senior management be involved in security decisions?
At some level security decisions are really risk management decisions and not just technical, information security decisions. Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table.
Sorry, managers but this isn't just geeky stuff.
Here is a quick list of five questions that my client's technical team needs senior management input, involvement and or leadership on:
Are we obligated by law or contract to HIPAA?
Are we obligated to PCI? Are we exposed in the way we handle crtedit card data?
How long can your business operate with reduced computer facilities? Which facilities are most important to the mission?
How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
What are our employees permitted to do with social media outside of work hours on their own computers?
Are you putting your technical team in a spot where you expect them to protect your business but don't share with them critical information or involve yourself in their decision making process? If you are in a business that is data driven (and which business today isn't) your lack of involvement will likely ensure a high technical team turnover, raise the possibility that you will have security issues interfere with your business, decrease the resiliency of your business and potentially put at risk vendor and client relationship while also opening your business (and perhaps yourself personally) to legal and regulatory liability.
Forecast is for some snow tomorrow here in Columbus. One of my clients just last week shared it had taken a couple of months to get maintenance to test the back up generator. They finally went to fire it up to test that it worked and .... nothing. Tried again. Nothing. Their hardware vendor responded quickly. Turns out that the broken part was under warranty but was 48 hours away.
The test was conducted on one of those warm sunny days we had before Thanksgiving. We aren't supposed to get much snow tomorrow but you never know here in Ohio. Had the part failure not been found until it was actually needed the 48 hour shipping wait could have been catastrophic.
Our client did two things right:
1. They created a policy calendar. Policies should be formal statements of value supported by the routines (processes) that must be followed to meet the stated value. Most of the time though policies are dead documents that state something a client would like to do but doesn't get around to doing. My client's policy calendar lets them manage the normal routines of their "HIPAA year" which operationalizes their compliance.
2. They actually tested the process. The IT Director didn't take no for an answer as maintenance continued to put his test request off.
How are you doing?
Have you operationalized your HIPAA program?
Have you tested your generator, your back up processes and your contingency operations plan?
With so much focus these days on data privacy and individual identities much of the conversation within the security community and from the security community to the business community skips over other critical information types that need to be protected.
This is a list of information that you should also work to protect:
1. Information about your systems and networks. When I backpack I don't do very well if I have to go off trail and I don't have a map. The same is true for someone trying to break into your information systems. If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information. Are you making your network an outside explorers paradise?
2. Your company's secret sauce. You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient chinese secret (Remember the Calgon commercials?) but all of us in small business have our secret sauces. For Jacadis, it is the unique way we deliver many of our services. For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers. That process has helped them win business because other printers aren't doing it. Years ago we did work for a company that made a unique material used in the florist business. They were the only company in the world that could produce the material at quantity and had factories world wide that did it. Their key asset was the chemical formula and process to produce that material. Are you protecting your secret sauces?
3. Work. Think of the endless hours that you spent putting together that killer sales presentation. Should it be corrupted or removed from your computer you’ll have to redo the work. The same is true for data entry, etc. The work itself might not be “secret” but should you lose it you’ll really be losing time and value. As I sit here typing most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com). For your business your work may be many other things. My sales team would tell me that their biggest collection of work is the information they have on clients. A friend of mine has a laser cutting business. Unique programs are written to consistently and repeatedly cut 3D designs into different materials. These programs are his work. Another friend has a much lower tech manufacturing business, an old sand mold foundary. His forms and molds breaking means he has to redo them just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted. In the end the loss of work means the loss of time or information. You'll have to invest time to recreate the information. In some cases you may not be able to recreate it. Are you protecting your work?
4. Personal information about your executives, leaders and key employees. Again, to explore something you need a map. To attack a target you need a map. Freely and without thought sharing personal information on your executives, leaders and key employees may just be providing a map. This is a tricky subject though. I won't do business with a company if I can't see some information about its ownership. Most people do business with people so a company that completely hides the details of their key players doesn't earn my trust. Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up. On a simple level, executive emails sprinkled all over a web site invite spam. On a more complicated level, in some businesses, travel plans and other locational information improperly shared invites more nefarious attacks. Are you protecting your key people? Are you protecting all of your people?
5. Personal, though non-protected, information about your customers and prospects. Again, protect the map. Customer lists, detailed information about your customer's pains and challenges, and the other sort of information that fuels a personal realationship between your business and your clients should be protected regardless of whether or not the informaiton is consdiered private, confidential or in some way protected by law or regulation. Protecting your customers information promotes trust. Are you promoting trust with your customers?
What types of information that must be protected did I miss?
With compliance efforts the question is "Which way do we go?! And most times the signs are just this clear! Image by bob august via Flickr.
Two weeks ago, a financial services client of ours asked me “how compliant is compliant enough?”
They’ve been a good client for over 15 years. They are good people who care about their customers. They follow a disciplined approach to IT operations which provides a great foundation for their information security program.
At first, I was blown away by the comment.
How could they even consider such a question?
But the more I reflect on their comments and their situation, a new question has come to mind.
Who could blame them?
With the HITECH changes to HIPAA they unequivocally fall into the frame of HIPAA compliance. They by law are obligated to do more than they do now to secure their customer data.
They are doing a lot and doing it well, though they know they are not perfect.
Their wireless network is 100% impervious to outside invaders; they decided the risks of deploying outweighed the business risks of implementing wireless. Over 10 years of having 3rd party security assessments their technical team and technical infrastructure have consisently passed muster (ours wasn't the only firm evaluating them so the consistent findings were from multiple firms using multiple techniques and tests). A recent HIPAA Security Rule Gap Assessment Workshop that we facilitated found that from a HIPAA standpoint they were doing the vast majority of the controls in the security rule.
They are "doing" security but they don't document at a policy or procedure level what they do. Their staff is aware of security issues, but less so about privacy issues, particularly pertaining to information handling practices within the organization. In those 10 years of tests a couple of the assessors have been able to penetrate their physical security through social engineering. Security and privacy is an IT focused effort.
We believe that they are well secured against external attacks but are vulnerable to inside threats and accidents or to interuptions in their business process.
Fixing those business related issues all boils down to revenue versus expense, and they aren’t sure they can invest the time and treasure to attain perfect compliance.
And so the honest question is asked, “How compliant is compliant enough?”
Although they only ask one question, I suspect they had a few other questions they didn’t verbalize:
If we don’t do anything will we really get in trouble?
Will the government really enforce the law? They haven’t really yet have they?
If we do all this extra work won’t the work cost more than the likely fines we’ll pay if we don’t do the work?
Are our competitors doing it? Do our customers care?
In the time they’ve been wrestling with these questions they could have substantially closed the larger gaps in their program. But they are frozen by the uncertainty.
They are not the only client that is frozen by regulatory uncertainty.
Truly, with the way our government regulates information security and privacy I don’t have good answers for those questions.
Regulatory uncertainty is in and of itself a threat to privacy and security, and regulatory non-compliance is a risk that needs to be managed.
In the face of uncertain and confusing regulatory options most businesses in our experience choose to do nothing.
Regulatory uncertainty manifests itself in a number of ways:
Uncertainty due to a lack of knowledge about the potential regulations on the part of businesses
Uncertainty about just what various regulatory agencies are doing
Uncertainty about just what various regulatory agencies are going to do –
Uncertainty due to the myriad of fine line distinctions and confusion in the regulatory body
Uncertainty because of the confusion about which regulations apply to a particular firm or type of firm
All of these types of uncertainty are born out of poor communication, difficult language, sudden course corrections as rules are morphed in the political process even after they’ve been published,
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or "red flags" — of identity theft in their day-to-day operations. It was first passed in 2003. The FTC moved the enforcement date three times. Depending on whose view you take that was because they bent to lobbying from interest groups representing doctors, lawyers and higher education institutions OR they were listening to industry and adjusting the rules to meet the feedback they were getting. From either perspective the enforcement date continued to slip.
In December 2010, the law was amended with the Red Flag Program Clarification Act of 2010 to focus the law on its original intent.
(NOTE: Did you catch that last line: “Bookmark this site and check it often for revisions that reflect changes in the law.” Often? How often? Changes? What changes? How do I plan for those changes? Are you kidding me?)
HIPAA or the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA has five titles covering an array of topics. Title II ironically known as Title II of HIPAA, ironically known as Administrative Simplification, primarily requires the establishment of national standards for electronic health care transactions . Administration Simplication also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
Based in part on the poor adoption rates of and loopholes in HIPAA, Congress passed HITECH.
HITECH the street version of the mouthful formal name Health Information Technology for Economic and Clinical Health (HITECH) Act, was enacted as part of the American Recovery and Reinvestment Act of 2009. It was signed into law in February, 2009. It primarily promotes the adoption and meaningful use of health information technologies such as Electronic Health Records (EHR). Within HITECH, Subtitle D addresses privacy and security concerns associated with the electronic transmission of health information primarily through a number of provisions that strengthen enforcement or clarify the original HIPAA rules.
Yet, uncertainty surrounding HIPAA is epic:
Poor enforcement impacted HIPAA adoption rates so HITECH was passed to provide stronger enforcement. We have seen an increase in enforcement action as well as an increase in awareness for breach events through HITECH’s breach reporting requirements but it has not reached a tipping point that catches decisions makers’ attention in a way that motivates them to act.
Rules that were to be out by now are not published. Rules have been published and pulled. Published dates have been moved around the calendar. We know that subcontractors are covered under the Security Rule but the rules have not been published. We know that there are mandatory audits required under HITECH but we don’t know exactly what that means.
Rules sometimes just don’t make sense. For instance, the Security Rule is focused on ePHI or electronic Protected Health Information. Think technical infrastructure. The Privacy Rule is focused on PHI in any form. Think use, handling and behavior. A fax is not considered ePHI though in most environments today many faxes come in and outbound through unified messaging. What is compliant action in regard to action
The government has produced an alphabet soup of laws, rules and regulations FERPA, Sarbanes-Oxley or SARBOX or SOX, GLBA, all with similar stories. And there are legislative efforts to move forward with a new batch of privacy and security laws covering related topics such as national cyber security, privacy, security standards and breach notification. With the continual onslaught of breaches the political will is building to enact and execute a national law focused on information security and privacy.
So into this clear as mud uncertainty we now have political activity driven by the epidemic of breaches that is leading us to a more laws, rules and regulations, and as I would suspect more uncertainty and with it more frozen clients caught between their fear to act and their fear not to act. And doing nothing puts them and their data at risk.
So we think the question isn’t “how compliant is compliant enough” but rather “how can we position our firm to lower compliance risk in light of this uncertainty while focusing on doing the right things to protect our customer and other critical data”
We suggest the following:
Stay focused on the basics. We recommend you start by defining a standard language for internal information security discussions. We at Jacadis like ISO 27001. The ISO 27000 series is an internationally recognized family of standards focused on turning information security, privacy and compliance into a management function. Adoption of ISO 27001 provides a framework and language from which to build top down, management to technical information security, privacy and compliance function within an organization. The framework will provide a standard way of managing security and once adopted assist in building resilience to changes in compliance standards while keeping you focused on protecting the most important information assets in your stewardship. For additional reading on ISO 27001 I suggest an IT toolbox article by Jacadis’ Jerod Brennan.
If you don’t have someone tracking the laws that affect your company, the cost to become compliant is going to hit you like a ton of bricks. Stay on top of it. Ounce of prevention is worth a pound of compliance, er… cure.
And while I don’t suggest you get get caught up with the what ifs and could bes as the legislative process moves forward. If you are an information intensive organization it is a good idea to have an executive level team member monitor the legislative process. You may find there is a moment that calls for your attention to get involved politically if legislation gets restrictive in a way that could impact your business.
Yesterday, I had a prospective vendor tweet out details of our infrastructure right after he got off the phone with one of our engineers. I guess he thought letting me know he was working for me was cute. He lost a deal because he violoated my trust.
Today, we had a client ask if we could speak to their sales people about the importance of information security and privacy from their customer's view.
Do you sell products or services into markets that have information security risks or fears? Do you consider security to be a feature of your product? Do your customer's routinely include questions about how you handle information security in their RFQs and RFPs? Do your contracts include clauses that allow your customer's to audit your infrastructure? Do you sell products or services into regulated industries such as healthcare (HIPAA/HITECH) or public companies (SARBANES-OXLEY) and so on?
If you said yes to any of those questions do your sales people understand the importance of security in building and maintaining customer trust?
Do you train them? Do you make their role in building and maintain trust an obvious part of their performance expectations?
Security training for sales professionals selling into protected markets should include:
1. Information Security 101 covering basic terms that your customer's auditors and IT staff will use as a matter of everyday language. They should be comfortable with terms such as risk, vulnerability, threat, safeguard, confientiality, integrity and availability.
2. Industry issues related to security, privacy and regulatory compliance. A salesperson serving health care markets needs to have a different knowledge base than a salesperson selling into financial markets and so on. We've been involved with clients purchasing technology from vendors who have sales people claiming knowledge about regulatory issues that is wrong. They don't get those sales.
3. Product and service features that support a client's information security, privacy and compliance pains.
4. Basic online ettiquite and secure online behavior. Preparing sales people to participate securely and privately in communications particularly if social media is part of your communication strategy or part of the culture of your work force.
5. General trends in information security including some pointers on news sources that can keep your sales team informed.
An example:
After Epsilon was hacked two weeks ago, I had two conversations with senior executives from two differenct firms that provided consumer oriented services that had never heard of the Epsilon. Epsilon is an email marketer that provides email marketing services to large companies. They were hacked and the customer emails of some 50 companies were taken. You can expect firms in the direct consumer market to be concerned with the risks of having their customers exposed through other services. These execs had no idea. Without some idea of what to watch for in the news I wouldn't expect them to, but it would give an edge in customer conversations because the customers are very aware and knowledgeable.
We've seen good sales people with bad security habits lose business. We've helped some of them change and with their companies create competitive advantage as this knowledge prepares them to begin building trust at the inception of the first lead contact. I prefer to have my sales people be as productive as possible. If you sell into security concerned markets this is a tool you should consider.
"I don't want to know anything about HIPAA. I just want to be compliant.
Can't you just tell me what I need to do and then give me a certificate or something?"
So one of our sales reps was asked last week ...
To many an entrepreneur government regulatory requirements are simply a bother that gets in the way of us doing what we love in running our businesses.
In this case the firm in question is a Software as a Service provider in a niche part of the health care market. The business is under 5 people; the licensing for the service costs less than having a lawyer review each HIPAA BA agreement sent their way.
But because HIPAA compliance in how they protect and use the protected health information hosted in their application and touched by their staff during support interactions HIPAA is a part of the feature set. Like their desire to know Web 2.0 and other evolving technologies, knowledge of secruity and privacy
It isn't a whole lot different than a chef that just wants to create fabulous meals with no care or concern for a clean kitchen or the health inspector that is sure to come one day.
If you are going to play in the health care space providing services to HIPAA Covered Entities you must educate yourself and understand that part of your environment as much as you understand the technical and operational aspects of your business.
We provide services to educate companies of any size on the HIPAA Security and Privacy Rules, to assess how they stand in compliance with those rules and to plan for closing any gaps our assessments may uncover. We also help firms operationalize their HIPAA compliance because the law doesn't say "get there" in regards to compliance with the HIPAA Security and Privacy Rules but "get there, stay there" which means HIPAA must become a regular part of your day to day.
An integral part of our being able to help any company is a willingness to learn HIPAA and understand how it will impact your company.
An integral part of becoming and staying HIPAA compliance is a willingness to learn HIPAA and understand it on an ongoing basis.
The story is not unlike many other breach stories we've seen over the years. A mistake is made. Information including individually identifiable information is exposed. Somebody from the technology department is sanctioned or terminated. Other corrective actions are taken. End of story.
In information security there is a concept of information ownership. An information technology department that fits properly into a business is providing a service to the business units, but those business units are considered the information owners. IT has a responibility to provide appropriate quality services to meet the information owners needs. But the information owners should be accountable to what is done with the information.
Here's a rough analogy. I own a car. I am the owner. The Ohio Department of Transportation provides the infrastructure for me to use my car. If the road fails and I wreck I as the owner (or driver) am responsible to maintain control.
From an information ownership perspective in the case of a breach you rarely see sanctions laid down on the assigned information owners. If information ownership was properly assigned and maintained the owner would have a responsbility to make sure the information was properly managed by the service providers from IT.
An information owner is the individual or departmental unit who creates, acquires or manages information through a business process. When setting up a governance process I prefer an individual within the department has formally assigned ownership. That assigned owner is then responsbile for understanding the value of the information, obligations the organization has to protect information of that type and value, proper handling procedures given those obligations and oversight of the organization's handling of the information. In the case of many of these breaches an information owner overseeing the technical processing of this information would have had a chance of correcting the fault before it resulted in a breach.
In March, 2007, Piedmont Hospital in Atlanta earned the distinction of being the first institution in the country to be audited for compliance with the HIPAA Security Rule. Prior to the audit, according to a ComputerWorld scoop, Piedmont received a request for the information listed below.
Could you provide these items on request in a 10 day time frame?
Policies and Procedures:
Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
Emergency access to electronic information systems.
Inactive computer sessions (periods of inactivity).
Recording and examining activity in information systems that contain or use ePHI.
Risk assessments and analyses of relevant information systems that house or process ePHI data.
Employee violations (sanctions).
Electronically transmitting ePHI.
Preventing, detecting, containing and correcting security violations (incident reports).
Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
Physical access to electronic information systems and the facility in which they are housed.
Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
Internet usage.
Wireless security (transmission and usage).
Firewalls, routers and switches.
Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
Terminating an electronic session and encrypting and decrypting ePHI.
Transmitting ePHI.
Password and server configurations.
Anti-virus software.
Network remote access.
Computer patch management.
HHS also had a slew of other requests:
Information Inventory
Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
Workforce
Please provide entity wide security program plans (e.g System Security Plan).
Please provide a list of terminated employees.
Please provide a list of all new hires.
Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
Please provide a list of systems administrators, backup operators and users.
Please provide a list of users with remote access capabilities.
Security Architecture and System Security Plan
Please provide a list of encryption mechanisms use for ePHI.
Please provide a list of authentication methods used to identify users authorized to access ePHI.
Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
Please include a list of antivirus servers, installed, including their versions.
Please provide a list of software used to manage and control access to the Internet.
Please provide the antivirus software used for desktop and other devices, including their versions.
Please provide a list of database security requirements and settings.
Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
Assigned Security Responsibility
Please provide organizational charts that include names and titles for the management information system and information system security departments.
With the likely changes from HITECH we reasonably think an audit today would also require copies of your past Risk Analysises, your Evaluations, your Information Systems Activty Review process and documentation you do it as well as your incident response and breach notification plan.
Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.
Frankly, as breaches Epsilon isn't a big of deal. No protected information, just names and email addresses were taken. And more sophisticated attacks have come and gone in the press largely unnoticed.
Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.
Experts suggest that companies that outsource technology services take some of the following steps:
Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.
Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.
This will impact you if you answer yes to any of the questions below:
Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley. We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or it’s relationship with its customers this might apply. Or, if, for another instance, you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?
Take action
If you answered yes to any of those questions we suggest the following:
1. Look at your customer agreements with firms in the categories above.
Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?
2. Sit down with your technical leadership and discuss:
Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives do we have documentation that defines our security programs values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?
If your business provides business to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.
But the reality is that HIPAA Privacy Rule wasn't set out to be a destination but rather a journey. It isn't enough to 'BE" compliant but the expectation is to operate in compliance. Two hugely different approaches. My client had treated it as a destination, the "BE" compliant choice, had worked hard toward meeting the Privacy Rule in 2003s, but since 2003 had not attended to their obligations. They are not operating in compliance.
Are you in the same boat? Here are 3 questions that stand out as markers for how you are doing:
HIPAA requires regular training and updates on security and privacy (training requirements exist in both the Security Rule and the Privacy Rule). Have you trained your staff since 2003? Can you prove it when an auditor knocks on your door?
To operate in a compliant status you need to know the Privacy Impact of your business processes and functions. My client had understood this in 2003, but as processes had changed they had not updated their view of the privacy impact. Have your business processes using PHI (and ePHI) changed since 2003?
Documenting your privacy practices is a requirement under HIPAA. It is enormously important to be able to show to an auditor your work effort. For this client they didn't have much to show in the period between 2003 and now, but they were able to quickly produce the original documents from 2003. Our work effort to put them into an operational compliant mode won't require nearly as much investment because we have a sound starting point. Are you documenting your privacy practices under HIPAA?
