Example of a HIPAA Gap assessment that we had completed for a client

ABC Company

Health Insurance Portability and Accountability Act (HIPAA) GAP Assessment Report

April 15, 2009


April 15, 2009 v.1 ii

Proprietary and Confidential Copyright © 2009 FishNet Security, Inc. All rights reserved.

The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability.

Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this deliverable and appropriately identified as being proprietary when furnished.

Copyright © 2009 FishNet Security, Inc. All rights reserved. The FishNet Security, Inc. (“FishNet Security”) logo is a registered trademark of FishNet Security. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.


Table of Contents

Executive Summary ..... 1
Engagement Objectives ..... 1
Scope of Work ..... 2
Approach ..... 2
High-Level Findings ..... 4
Overview ..... 4
Appendix A ..... 6
Detailed findings and Recommendations ..... 6


ABC Company HIPAA GAP Assessment


Executive Summary

ABC Company operates in the business process outsourcing (BPO) services industry. As ABC Company continues to expand its range of service offerings into new industries, compliance with regulatory acts and standards involving data systems security becomes increasingly important. Topping the list for regulatory compliance is the Health Insurance Portability and Accountability Act (HIPAA). As ABC Company considers providing new health related services to its client base, compliance with HIPAA and other standards aimed at the protection and safeguarding of health related information is a critical component of establishing and sustaining these services.

HIPAA comprises two separate but related regulatory acts focused on the identification and classification of protected health related information and the protection of such information in the enterprise. The first of the two is the Privacy Rule. The HIPAA Privacy Rule covers protected health information (PHI) in all forms (paper, oral and electronic). The second is the HIPAA Security Standard Final Rule, which applies only to PHI that is maintained or transmitted in electronic form (EPHI). For the most part, the HIPAA security rule does not prescribe specific safeguards for all covered entities to use regardless of their circumstances. Rather, it expects each covered entity to evaluate its protection approach in light of its mission, budget and good information assurance practices. A covered entity is any organization that stores, processes or transmits protected health information (in any form) and must comply with the provisions described in HIPAA. FishNet Security assumes ABC Company’s status under HIPAA to be that of a covered entity. Covered entities must comply with the applicable provisions listed in both the HIPAA privacy and security rules. Therefore this report measured ABC Company’s environment using the data security and protection control areas contained in both standards.

The remaining sections of this report describe the objectives of the engagement, the standards used, and the variances discovered using those standards as a baseline measurement. The main body of this report contains a section of high-level findings and recommendations required to achieve HIPAA compliance as either a covered entity or a business associate. This section aims to provide ABC Company’s senior leadership team with key information on both ABC Company’s current and future state of HIPAA compliance. Detailed (technical) findings can be found in the Appendix.

Engagement Objectives

ABC Company provides both onshore and offshore BPO services through 14 delivery centers throughout the United States and abroad. ABC Company engaged FishNet Security to conduct an assessment of its information processing environment using the standards contained in HIPAA. The HIPAA security compliance gap assessment is the first step in addressing ABC Company’s specific business-driven requirements and regulatory issues pertaining to PHI. ABC Company has identified the need for a risk-based assessment based on HIPAA requirements to assist in the further development and advancement of the strategic position and approach of Information Security within the organization. The HIPAA Privacy Rule and the HIPAA Security Standard Final Rule specify a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications. The HIPAA regulation and its rules require organizations that have access to PHI to ensure that they are in compliance with its security requirements.


Scope of Work

The scope of our engagement was to perform a high-level HIPAA gap assessment of ABC Company’s data processing environment and the related policies and procedures within the Information Services function. Our objective was to measure ABC Company’s general computer, information security and data protection controls using the HIPAA privacy and security rules as a baseline. FishNet Security does not express an opinion nor provide assurance as to the design or operating effectiveness of those controls and, accordingly, does not offer any such assurance with respect to any specified objectives.

Approach

HIPAA Security Assessment Methodology

FishNet Security reviewed each of the applicable areas of ABC Company’s environment to determine the “current state” of HIPAA compliance. The methodology included in-depth interviews with ABC Company’s key business and Information Technology leaders to assess the organization’s understanding of, and determination to comply with, the applicable areas of the HIPAA privacy and security rules. Through inquiry and observation, FishNet Security consultants reviewed ABC Company’s policies, processes and procedures related to the protection of health related information. FishNet Security performed a physical on-site visit to the corporate data center to assess specific physical, environmental and data access controls related to the protection of protected health information processing facilities and repositories. FishNet Security aggregated the information collected during this visit and included it in the high-level HIPAA gap analysis matrix. This matrix contains a complete listing of the areas listed in the standard as “required” or “addressable”, including detailed descriptions of any ABC Company in-place controls, compensating controls or variances from the HIPAA privacy and security rules.

HIPAA Compliance Review

The HIPAA Security Standard Final Rule specifies a series of administrative, technical, and physical security procedures for covered entities that are used to assure the confidentiality of electronic protected health information. These standards are delineated into either required or addressable implementation specifications. Both HIPAA rules provide a framework for organizations to measure compliance with each standard. FishNet Security performed the following actions to determine compliance with each HIPAA rule:

• Obtained and reviewed applicable information security policies, processes and procedures
• Assessed the potential risks and vulnerabilities to data related to non-compliance
• Interviewed key ABC Company personnel to understand critical business and IT processes related to compliance with these safeguards

The HIPAA Security Standard Final Rule applies to all individually identifiable health information that is in electronic form, whether it is being stored or transmitted. The goal is to protect against threats to information security or integrity, and against unauthorized use or disclosure. Using the HIPAA Security Standard Final Rule as a baseline, FishNet Security reviewed (where applicable) ABC Company’s:

• Administrative procedures, to ensure access to information is limited to appropriate parties and guarded from all others
• Technical procedures, to ensure the balance of timely access to needed health information with the need to protect its confidentiality and integrity
• Technical security mechanisms, to review whether information is kept from being easily intercepted by third parties via external entry points
• Physical security procedures, with a focus on preventing unauthorized individuals from gaining access to electronic information


FishNet Security measured ABC Company’s information processing environment using only the applicable areas of the HIPAA Privacy and Security rules. As ABC Company does not currently handle protected health information nor is considered a “covered entity” under HIPAA, only those areas of each rule applicable to ABC Company’s environment were assessed and appear in the subsequent findings and recommendations sections of this report.

Interviews Conducted

During the course of this engagement, FishNet Security conducted the following interviews:

• Sarah Jones – Vice President and Chief Information Security Officer
• Mike Smith – Director, US Human Resources Services
• John Cooper – Vice President, Global Sales Operations
• Mary Rogers – Business Continuity Planning

Documents examined

• Security Management Policy
• Organization of Security Policy
• Risk Assessment and Treatment Policy
• Asset Management Policy
• Human Resources Policy
• Physical and Environmental Security Policy
• Communications and Operations Management Policy
• Third Party Service Delivery Management Policy
• Protecting against Malicious Code Policy
• Data Backup Policy
• Network Security Management Policy
• Media Handling and Destruction Policy
• Access Control Policy
• System Acquisition, Development and Maintenance Policy
• Incident Management Policy
• Business Continuity Management Policy
• Compliance Policy
• Acceptable Use Policy
• Encryption Key Management Policy


High-Level Findings

Overview

The findings in this section outline the requirements for HIPAA compliance as either a covered entity or a business associate. As access to health information may be required as part of an ABC Company strategic business service offering, the organization should consider how it will allow and safeguard access to PHI to meet the provisions under HIPAA. Should ABC Company’s executive management decide to achieve covered entity status, HIPAA compliance requirements become increasingly comprehensive. Covered entities have stringent requirements for both logical and physical segmentation of networks and information processing sites, whereas a business associate may require less complexity to meet HIPAA information protection standards. In any case, ABC Company should examine the unique and specific requirements in either category to determine the appropriate approach based on the needs of its business units.

Information Segmentation (Physical and Logical)

As previously stated, covered entity requirements to protect health related information are rigorous by design and require careful consideration from a cost and support perspective. Covered entities must protect information both from unauthorized access (provisioning and logical control) and from unauthorized viewing and dissemination (physical control). Logical segmentation may require ABC Company to architect and build a completely separate network that processes, stores and transmits PHI. Access to and provisioning of this information would be limited to, and provided by, those personnel and administrators who have been appropriately cleared and have a “right” to such information. Under HIPAA, meeting physical segmentation requirements requires the isolation of both ABC Company personnel and systems administrators that have access to PHI. The relocation of personnel to a specific space, floor or building may be required to adequately separate EPHI personnel and data from other business and information technology functions within the enterprise. Floors, walls and other physical barriers may have to be constructed in order to meet the hard requirements for limited physical access to protected health information. ABC Company should examine the requirements for compliance in each category and determine the implementation of security and information protection controls required to meet HIPAA standards. The following table outlines the specific requirements for logical and physical segmentation according to each compliance category (covered entity and business associate):

Compliance Requirement | Required for a covered entity? | Required for Business Associate?
--- | --- | ---
Physical segmentation (walls, floors, doors, locks, datacenters, etc.) | Yes | Not necessarily. Based on a review of ABC Company’s information processing environment, the in-place controls may be sufficient to meet the requirements in this category
Workstations that access EPHI must be isolated from other workstations that do not access EPHI. Polarized screens must also be used. | Yes | No
Logical Access: EPHI must be provisioned separately from access to other forms of non-EPHI | Yes | No
Servers, databases and other network devices that process, transmit and/or store EPHI must be logically separate from non-EPHI systems | Yes | No
Control of Removable Media | Yes | Yes
Backup Media Encryption | Yes | No
EPHI Storage (Server, Database, SAN, etc.) | Yes | No
Secure and segregated movement of EPHI backup media | Yes | No
Separate Workforce Clearance Process | Yes | No

Business Continuity

Business continuity and availability is a key component of HIPAA compliance. The act outlines several significant requirements covering the availability of and access to protected health information in the event of an emergency, natural disaster or catastrophic systems failure. Although ABC Company has a documented business continuity and disaster recovery program currently in place, it has yet to be adequately tested and further developed in the United States. Capacity planning has yet to be tested and validated (at each location) to adequately sustain normal operations in the event of business interruption. Some testing of the business continuity plan has been performed in the Philippines; however, seat testing and validation has not occurred. Failover to other data processing sites has not been fully tested or implemented in the U.S. or abroad at all of the ABC Company data center locations. The absence of such testing may have a significant impact on ABC Company’s ability to provide the required level of emergency access to EPHI in the event of a natural disaster or systems failure. The requirement for a covered entity to have protected health information highly available (even to unauthorized personnel in the event of an emergency) is a critical requirement of compliance and consequently carries a very high consequence for non-compliance under the HIPAA enforcement rule. The following table illustrates the requirements for business continuity compliance under HIPAA:

Compliance Requirement | Required for a covered entity? | Required for Business Associate?
--- | --- | ---
Emergency Access to EPHI (including temporary access to unauthorized individuals) | Yes | Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Emergency decryption of EPHI in the event of emergency | Yes | Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Emergency authentication to EPHI | Yes | Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.
Emergency recovery of EPHI from encrypted backup media | Yes | Not necessarily. Depending on the type of information that is stored, processed and/or transmitted with ABC Company, the organization may not have to comply with this requirement.


Appendix A

Detailed findings and Recommendations

Finding #1

Applicable Standard: HIPAA Privacy Rule
Control Section:
Control Area: Chief Privacy Officer
Implementation Specification:

Issue: ABC Company does not currently have a formalized role or a single person appointed to address all concerns related to protected health information.

Recommendation: ABC Company should appoint a Chief Privacy Officer (CPO) with responsibility for the protection and safeguarding of protected health information. The CPO’s primary responsibility would be to ensure that ABC Company’s policies, processes and procedures related to the handling of protected health information comply with HIPAA. The CPO should report directly to the CEO or Chief Executive Counsel.

Finding #2

Applicable Standard: HIPAA Security Standard Final Rule (Security Process Management)
Control Section: §164.308(a) (1) (ii) (C)
Control Area: Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures of the covered entity
Implementation Specification: Sanction Policy (Required)

Issue: ABC Company does not have a formalized sanction policy that details the process and procedures for discipline of employees regarding breaches of the security of electronic protected health information.

Recommendation: ABC Company should develop a formalized policy for disciplining employees for breaches of the security of EPHI. Those violations include failure to comply with ABC Company’s policies and procedures. An investigation following the standard disciplinary process will determine the specific sanction according to the severity and circumstances of the violation.


Finding #3

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (2)
Control Area: Identify the security official who is responsible for the development and implementation of the policies and procedures required for HIPAA security.
Implementation Specification: Assigned Security Responsibility (Required)

Issue: ABC Company has not formally assigned HIPAA security to a single individual.

Recommendation: FishNet Security recommends that ABC Company formally assign HIPAA security to a single individual. Our recommendation includes the assignment of HIPAA security to the Chief Privacy Officer reporting directly to the CEO or Chief Executive Counsel.

Finding #4

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (3) (i)
Control Area: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Implementation Specification: Workforce Security (Required)

Issue: ABC Company has not specified how access to protected health information is provisioned to users that have a right to such information. Although ABC Company has an access provisioning process, it does not currently address how access to protected health information will be approved, granted and revoked upon termination.

Recommendation: ABC Company should modify the current access provisioning process to include the appropriate workflow and approval chain for access to protected health information. FishNet highly recommends that ABC Company consider the implementation of an automated Identity and Access Management solution that provisions access to protected health information based on pre-defined roles and responsibilities.

Finding #5

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (3) (ii) (B)
Control Area: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Implementation Specification: Workforce Clearance Procedures (Addressable)

Issue: ABC Company does not have an in-depth and formalized pre-hire background investigation process to determine if pre-employment candidates are appropriate personnel for access to protected health information. Although ABC Company does have a formal background process for positions other than agents, the process does not include a pre-hire determination for access to information protected under HIPAA. Also, ABC Company does not have a formalized process to “clear and authorize” individuals for access to protected health information.

Recommendation: “Clearance” is the process of determining a person’s trustworthiness. “Authorization” is the process of giving a user permission to access information. A person can be “cleared” but still not authorized for access to certain information, and vice versa. FishNet Security recommends that ABC Company develop a formalized workforce clearance process that determines, based on the results of an in-depth investigation, a person’s eligibility to access protected health information. Investigative criteria should include a national agency criminal records check, a financial and credit review, and a check for issues related to the theft, breach or mishandling of protected health information.

Finding #6

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (5) (ii) (A)
Control Area: Implement periodic security updates.

Implementation Specification: Security Reminders (Addressable)

Issue: Although ABC Company does have a formalized information security training program, the current process does not include subject-specific training for the access and handling of protected health related information. ABC Company does not regularly distribute information security reminders or periodic updates on security related subjects, including those related to HIPAA compliance.

Recommendation: FishNet Security recommends the inclusion of HIPAA related training in ABC Company’s information security training program and the development of periodic security updates related to the organization’s expectations for the access and handling of information protected under HIPAA.

Finding #7

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (6) (ii)
Control Area: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Implementation Specification: Response and Reporting Procedures (Required)

Issue: ABC Company does not have formalized information security incident response procedures associated with the organization’s incident response policy.

Recommendation: FishNet Security recommends that ABC Company develop formalized information security incident response procedures, including specific tasks for the timely investigation and notification of a breach of protected health information. FishNet also recommends that ABC Company retain all evidentiary and documentary components of an incident (evidence, logs, and reports) for a period of not less than six years from the date of disposition.


Finding #8

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (7) (ii) (A)
Control Area: Establish policies and procedures to create and maintain retrievable exact copies of electronic protected health information.

Implementation Specification: Data Backup Plan (Required)

Issue: FishNet reviewed ABC Company’s continuity plan and found that the plan does not currently meet the backup and integrity requirements of HIPAA. Currently HIPAA requires “exact” copies of all protected health information and a retention period of not less than six years from date of creation.

Recommendation: FishNet Security recommends that ABC Company modify its existing business continuity plan to meet the specific requirements listed in §164.308(a) (7) (i). These requirements include an integrity verification process for all protected health information backups and retention of those backups for a period of at least six years from the creation date of such information.

Finding #9

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (7) (i), §164.308(a) (7) (ii) (B), §164.308(a) (7) (ii) (C)
Control Area: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Implementation Specification: Contingency Plan (Required), Disaster Recovery Plan (Required), Emergency Mode Operation Plan (Required)

Issue: Although ABC Company has an overall business continuity plan, it does not address what actions the organization will take in the event of a disaster at a specific site. Additionally, it does not address how ABC Company will continue to provide access to protected health information during and after recovery. A formal and documented individual site contingency plan was not available for review or validation by FishNet Security consultants.

Recommendation: FishNet Security recommends ABC Company develop a formalized process (for each processing site) to recover from a catastrophic systems or location failure. The plan should consider each site’s unique physical and environmental requirements and have a process to address known and future risks as they occur. The plan should also describe how security of protected health information will be maintained during recovery and transition operations.


Finding #10

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(a) (7) (ii) (D)
Control Area: Procedures for periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary

Implementation Specification: Testing and Revision Procedures (Addressable)

Issue: Although ABC Company’s business continuity planning process requires periodic testing of disaster and recovery plans, a formalized document detailing the execution and results of testing was not available for review at the time of this assessment.

Recommendation: FishNet Security recommends the regular and formalized testing of disaster and recovery plans for all ABC Company information processing locations. The results of testing should be documented and reviewed by local, regional and executive management business and technology teams. Each plan should be updated to reflect changes in processes and procedures resulting from testing.

Finding #11

Applicable Standard: HIPAA Security Standard Final Rule
Control Section: §164.308(b) (1), §164.308(b) (4)
Control Area: A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. Document the satisfactory assurances required by paragraph (1) of section §164.308(b) through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).
Implementation Specification: Business Associate Contracts and Other Arrangements (Required) and Written Contract or Other Arrangement (Required)

Issue: ABC Company does not have a formalized process to evaluate other partner organizations handling protected health information as to their status of compliance under HIPAA. Currently, ABC Company does not review contracts with its clients, vendors or key business partners to determine the external organization’s relationship as a covered entity or a business associate.

Recommendation: FishNet Security recommends that ABC Company develop a formalized process to review new and existing contracts with clients, vendors and key business partners to determine their status under HIPAA as a covered entity or business associate. ABC Company should ensure that all contracts that involve the processing, storage and transmission of protected health information include requirements for the external organization to comply with HIPAA as either a covered entity or business associate. The process should include a complete legal review by the corporate executive council and the Chief Compliance Officer.


Finding #12

Applicable Standard: HIPAA Security Standard Final Rule Control Section: §164.310(a) (2) (iv) Control Area: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Implementation Specification: Maintenance Records (Addressable)

Issue: ABC Company does not have a formalized process to document repairs and/or modifications to the physical security components of facilities that handle protected health information.

Recommendation: FishNet Security recommends that ABC Company develop a formalized process to document and record all changes (additions, modifications and removals) to physical security components at facilities that store, process and/or transmit protected health information.

Finding #13

Applicable Standard: HIPAA Security Standard Final Rule Control Section: §164.310(d) (1) Control Area: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Implementation Specification: Device and Media Controls (Required)

Issue: ABC Company does not have a formalized media control policy, process and related set of enforcement procedures to prevent the unauthorized removal of electronic protected health information from its facilities. ABC Company does not currently have the technical ability to govern the transfer of EPHI at the endpoint (for example, copying to removable media) into or out of a facility.

Recommendation: FishNet Security recommends that ABC Company develop a formalized policy, process and set of procedures governing the use of removable media and their enforcement. FishNet Security also recommends that ABC Company consider a proof-of-concept project to evaluate an automated removable media endpoint enforcement solution that addresses the HIPAA requirement and the protection of EPHI.
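As an added illustration of what endpoint-level enforcement of a removable media policy can look like (this is not code from the FishNet report, and it does not represent the client's environment or any product evaluated in the proof of concept), the script below sets the Windows "Removable Disks: Deny write access" and "Deny execute access" policy on a single endpoint by writing the same registry values that the Removable Storage Access Group Policy settings write, then reads them back so an auditor can verify the configured state. It assumes an elevated PowerShell session; the GUID is the well-known device setup class for Removable Disks that these policies key on, and the function and variable names are the example's own.

```powershell
# Added example, not from the original report. Configures and audits the
# Removable Storage Access policy values for the "Removable Disks" class.
# Assumes an elevated session on a Windows endpoint.

$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = Join-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' $RemovableDisksClass

function Set-RemovableDiskAccessPolicy {
    # Each switch maps to a DWORD value under the policy key: 1 = deny, 0 = allow.
    param([switch]$DenyRead, [switch]$DenyWrite, [switch]$DenyExecute)

    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $settings = @{
        Deny_Read    = $DenyRead.IsPresent
        Deny_Write   = $DenyWrite.IsPresent
        Deny_Execute = $DenyExecute.IsPresent
    }
    foreach ($name in $settings.Keys) {
        $value = if ($settings[$name]) { 1 } else { 0 }
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Get-RemovableDiskAccessPolicy {
    # Returns the configured values; a missing value means "not configured", which Windows treats as allow.
    $result = @{}
    if (Test-Path -Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            $result[$name] = [int]($props.$name)   # $null becomes 0
        }
    }
    return $result
}

# Typical posture for workstations that handle EPHI: block writes to and execution from
# removable disks while still allowing reads, so data arriving on media can be ingested
# but cannot leave the endpoint that way.
Set-RemovableDiskAccessPolicy -DenyWrite -DenyExecute
Get-RemovableDiskAccessPolicy | Format-Table -AutoSize
```

In a domain the same values would normally be delivered through Group Policy rather than a local script, and Group Policy will overwrite any local change on refresh, so the audit function is the useful half of this example: run across endpoints, it tells you whether the written policy is actually enforced. These values only govern the Removable Disks device class; a full evaluation of an endpoint enforcement product, as the recommendation suggests, would also need to cover other media classes, logging of blocked transfers, and exceptions for approved encrypted devices.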


Finding #14

Applicable Standard: HIPAA Security Standard Final Rule Control Section: §164.312(a) (2) (ii) Control Description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Implementation Specification: Emergency Access Procedure (Required)

Issue: ABC Company does not have a formalized policy, process or set of procedures for the provisioning of emergency access to electronic protected health information. As a result, access to EPHI may not be available during an emergency or time of crisis.

Recommendation: FishNet Security recommends that ABC Company develop technical procedures, and document instructions, for obtaining EPHI when the normal methods of access fail because of a crisis situation. Two situations may deny access to patient information stored in automated information systems: system failure and the unavailability of authorized users. This required implementation specification obliges ABC Company to develop procedures for granting temporary access to otherwise unauthorized users when authorized users are not available, and procedures for gaining access to information during a system emergency or failure. Each emergency access grant should be recorded and reviewed after the event so that the exception can be revoked and accounted for.

Finding #15

Applicable Standard: HIPAA Security Standard Final Rule Control Section: §164.314(a) (1) Control Description: (i) The contract or other arrangement between the covered entity and its business associate required by §164.308(b) must meet the requirements of paragraph (a) (2) (i) or (a) (2) (ii) of this section, as applicable. (ii) A covered entity is not in compliance with the standards in §164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) terminated the contract or arrangement, if feasible; or (B) if termination is not feasible, reported the problem to the Secretary.

Implementation Specification: Business associate contracts or other arrangements (Required)

Issue: ABC Company does not have a formal process to assess a vendor or key business partner’s capability to appropriately safeguard EPHI.

Recommendation: ABC Company should develop a formalized policy and process for the evaluation of all vendors and key business partners that will process, store and/or transmit data on behalf of ABC Company. The policy and process should require all business associates to implement the appropriate administrative, physical and technical safeguards. Section §164.314 complements §164.308(b) (Business Associate Contracts): it states that business associate contracts must require the business associate to implement administrative, physical and technical safeguards providing a minimum level of protection equivalent to that required by the Security Rule and by §164.502(e) of the Privacy Rule. ABC Company may not be compliant with HIPAA if it knows of breaches of the terms of an agreement by a business associate and takes no action to cure the breach, terminate the contract or report the problem to the Secretary of the Department of Health and Human Services.


Finding #16

Applicable Standard: HIPAA Security Standard Final Rule Control Section: §164.314(a) (2) (i) Control Description: The contract between a covered entity and a business associate must provide that the business associate will-- (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart; (B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C) Report to the covered entity any security incident of which it becomes aware; (D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

Implementation Specification: Business associate contracts (Required)

Issue: ABC Company does not have a formalized process to ensure that business associates or other covered entities with access to EPHI are contractually bound to implement the data protection and availability controls listed in the HIPAA Security Standard Final Rule. ABC Company does not currently have a process for including contractual language that requires business associates or other covered entities with access to protected health information to comply with the provisions of HIPAA.

Recommendation: ABC Company should develop a process to ensure that agreements with its business associates include the elements specified by HIPAA. The contracts between ABC Company and its business associates must require the business associate to implement administrative, physical and technical safeguards providing a minimum level of protection equivalent to that required by the Security Rule and by §164.502(e) of the Privacy Rule. The business associate must also agree to ensure that any agents or subcontractors to whom it provides the information implement equivalent safeguards, and to report to ABC Company any security incident of which it becomes aware. The contract or other legal document must allow ABC Company to terminate the agreement if the business associate violates a material term concerning data security. These provisions ensure that health information protected by ABC Company continues to be protected when it is handed to an organization that is not itself directly subject to HIPAA.

Finding #17

Applicable Standard: HIPAA Security Standard Final Rule Control Section: §164.316(b) (2) (i) Control Description: Retain the documentation required by paragraph (b) (1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Implementation Specification: Time Limit (Required)

Issue: ABC Company does not currently retain the documentation required by the HIPAA Security Rule (policies, procedures, and records of actions, activities and assessments) for the required six-year period.

Recommendation: FishNet Security recommends that ABC Company retain all policies and procedures required by the HIPAA Security Rule until six years after they are no longer in effect, and retain the documented results of actions, activities, assessments or designations created under the Security Rule for six years from their creation. This ensures that the information is available to answer legal questions and other inquiries that might arise.