Jason Karn, Total HIPAA’s Chief Compliance Officer, recently interviewed Erik Kangas, founder and CEO of LuxSci. LuxSci provides email encryption, web hosting, forms, and secure sending services for HIPAA compliant entities. The two discussed what it means to be quasi-HIPAA compliant, its dangers, and how to avoid it.
Erik offers helpful tips for choosing the right business associate for email marketing and other services. They also discuss remote work policies, Business Associate Agreements, cybersecurity, and more. You can listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read our summary.
What is Quasi-HIPAA Compliance?
Quasi-HIPAA compliance refers to vendors or service providers who uphold some HIPAA-required security standards but are not fully compliant. This may be obscured by the fact that the vendor is willing to enter into a Business Associate Agreement with your company.
You are required to have a BAA under HIPAA. However, some vendors write agreements that cover some of their services but not the ones you intend to use. For instance, Google will sign a BAA for G Suite and protect your data while it sits in its cloud, but, as discussed in the interview, that BAA does not cover sending email. So if you sign a BAA with Google and then send an email containing PHI through G Suite, that could be a breach.
The bottom line is that signing a BAA is not equivalent to being HIPAA compliant. You must take it upon yourself to thoroughly review the agreement and determine whether it meets HIPAA’s security standards. Some services may be HIPAA compliant if configured correctly. It’s up to you to choose the right vendor and ensure that it upholds HIPAA.
Is Office 365 HIPAA Compliant?
It can be, if configured properly. Microsoft will sign a BAA. But it is your responsibility to configure access controls. In addition, you may need to pay for additional features like email encryption. Don’t assume that any service will be HIPAA compliant out of the box.
What happens when a Business Associate is only quasi-HIPAA compliant?
If you sign a BAA with a vendor, you are agreeing to use its services as laid out in the contract. If you use a service that the BAA does not cover and there is a breach, you, not the vendor, will be held responsible, because you acted outside the contract. Having a BAA that does not cover the service you are actually using is equivalent to having no BAA at all.
To avoid quasi-HIPAA compliance, it’s essential that you read the BAA thoroughly and properly vet the vendor. Make sure you understand what security protocols it uses, how it handles your information, and decide whether it’s the right vendor for your company. Otherwise, you may end up with a breach on your hands. This could result in heavy fines, civil litigation, increases in insurance premiums, and damage to your company’s reputation.
How should you go about choosing a Business Associate?
Before you sign a BAA with a vendor, you should perform a risk analysis. This involves asking yourself the following questions:
- Which information will the vendor be handling?
- Where is it being stored?
- How does the data flow?
- What security controls are being used?
- What level of access will I give the vendor?
- Does the vendor have any subcontractors?
You might also give the vendor a security questionnaire so you can better judge whether its security practices are fully or only quasi-HIPAA compliant. Another option is to have the vendor sign an attestation of HIPAA compliance on top of the BAA, so that it is explicitly committed to protecting your information. You should also periodically re-evaluate vendors and update and re-sign BAAs so that the agreement reflects your company's current operations.
What kind of security measures should a remote work policy include?
Remote work policies should contain the following requirements concerning devices:
- Employees may only use company-issued devices
- Only employees may use these devices
- Devices are patched on a regular schedule
- Employees may not have administrative access to these devices (this prevents employees from installing or updating software on their own)
- VPNs are installed on all devices and must be used in order to connect to the company’s systems
Additional security measures that a remote work policy should have include:
- Lock physical PHI (papers, flash drives) in a filing cabinet or desk
- Use strong passwords for devices and your Wi-Fi network
- Keep your home router's firmware updated and enable its firewall
- Back up your data
Do I need a VPN and if so, should I sign a BAA with my VPN provider?
Yes, VPNs are essential for any company that handles sensitive information. HIPAA's Security Rule expects ePHI to be protected both at rest and in transit; encryption is the expected control, and if you choose not to encrypt you must document why an equivalent alternative is reasonable. A VPN is one more tool for keeping data secure while it moves from one location to another. You should sign a BAA with your VPN provider, and with the providers of any other services you use to transmit PHI.
It is also important to set rules for how employees use the VPN, so that the websites and systems they can reach through it stay secure.
What other security protocols should be used when trying to achieve HIPAA compliance?
It’s a common misconception that all you have to do to become HIPAA compliant is encrypt your data. However, this is another example of quasi-HIPAA compliance. Full HIPAA compliance involves many other security practices like remote work policies, password protection, signing BAAs, documenting Policies and Procedures, and more.
Another security control you should implement, and should require of your Business Associates, is isolation. Some cybersecurity vendors place all of their customers in one large shared cloud environment, with each customer connecting to its own server inside it. From a compliance standpoint, that shared environment is a risk.
Isolation in this situation means each customer has its own dedicated server. That way, if there is a breach, it affects only that one customer rather than all of them. Keeping your systems isolated helps your company reduce risk, prevent breaches, and maintain HIPAA compliance so the business can keep running smoothly.