Chris Reddick (president, CEO, and co-founder of Clarity Ventures) and Ron Halversen (vice-president sales and marketing) continue their discussion regarding the selection of HIPAA security vendors.  

Part 4 of a 4-part series.

CHRIS REDDICK: It really pays to work with a provider and a partner that knows these complex details and really does this at scale. And that's really what we want to talk about next, is basically selecting a vendor, selecting someone to work with. And really that's kind of the bottom line, isn't it, Ron? I mean, you don't necessarily want to go for a drive in really bad weather with someone who's just driven three or four times. 

RON HALVERSEN: Yeah. And doesn't have snow tires or four-wheel drive, right? 

CHRIS: Yeah, exactly. I mean, isn't it safe to say that HIPAA could be considered kind of bad weather, dangerous territory, maybe very dangerous road to drive on? And so that's really the summary. You want to look for a vendor for any aspect of your HIPAA compliance needs that has specific experience in the areas that you're looking for, and they're actually following these protocols. Are they actually able to say what HIPAA is and comply with it, and show that they have infrastructure in place and partnerships that support some of the areas that they don't have coverage in? Are they willing to sign the BAA and represent their commitment to delivering on the specific area that they say that they're delivering on, et cetera? And Ron, whenever you've worked with different clients that are using some of these third-party SaaS services, whenever you're talking with them about these vendors, what are some of the other aspects that you like to point out? What are some of the things that you would recommend considering? 


RON: Yeah. I mean, HIPAA experience is the big one. Is this their first time doing HIPAA? [Some vendors might say] "But we do a lot of security." Well, everybody who builds a website has to secure it, so you can't really say we're security specialists without some meat to that statement. So I think the big one that you said is the BAA, because that legally puts them, if a breach occurs and you get sued, it literally puts them in court standing next to you defending what they did and their part of securing that data as well. So the BAA is certainly the big one, but the one is, do they really know what they're talking about? Do they understand the different components, the four compliancy rules? What tools do they have in place? Do they have any testimonials? Do they have any sites or do they have any customers that are HIPAA compliant that you can go look at and see that they're HIPAA compliant? 

And then do they offer any ongoing services? [You don't want to hear] "Yeah, we can make you a HIPAA compliant website, we'll just throw it on a HIPAA server, and it'll encrypt the database, and then we'll cut you loose," but then they don't know how to ensure and help you maintain the compliancy. Well, then that kind of just puts you out on the edge of a cliff, and then you're waiting for that impending storm to come swooping in. But if you have the BAA, you've got partnerships that typically understand and can continuously support you with your HIPAA compliance. Well, then you're building yourself this great foundation that, if the storm swoops in, you're not going to get nailed. You've got, like you said already numerous times now, that multiple levels of security, like peeling that onion away (which is separate from onion architecture). They can try all they want. And they'll always try. I mean, how many of our clients do we know that had attempted hacks last year? But it's— 

CHRIS: It's immediate when you go online. I mean, right away when you take anything online that's public, you can watch the logs and you'll see that it's constantly getting attacked right away. So the attempts are always there. And so Ron, just based on your experiences with discussing and talking with potential clients, what are some of the scenarios that you see commonly that do require some detailed work on HIPAA compliance? They may be a lot more robust and complex, they're not just going to be a simple SaaS-based tool that's out there that you can just turn on a simple form. What are some of those that you've seen? 


RON: Yeah. It's kind of amazing that every one of them is different. I mean, we've done mobile health apps where clients can schedule appointments with their doctor and request refills on prescriptions. They call them mHealth apps. You've got doctor/patient portals, we've done quite a few of those, we've got billing portals where they're paying their bills online, and a huge one that we do a lot of, especially with our background in eCommerce, are companies dealing with an eCommerce pharmacy and HIPAA eCommerce. Because if a patient comes in, and they order a controlled substance, now all of a sudden "Ron ordered Oxy," and that's recorded, there's PHI. 

Whether it's a diagnosis or specific drug related to a person, now we've generated a scenario where we're collecting PHI information and we're storing that. So a lot of times a very difficult one is eCommerce, and I'd love to hear your thoughts on that, because the place where I really see that getting complex, and I don't know how deep we want to go into it here, is kind of with GDPR, because they may come back and want to remove their data, but you, as pharmacy eCommerce, have to still maintain that, hey, I sold this government-controlled Oxy to Ron back in 2019, and I only gave him a one-month supply or something. That has to stay. So how does GDPR work with a HIPAA-compliant database and with eCommerce? 

CHRIS: Yeah, that's a great question. I think that's a great scenario that's maybe comparable to going uphill in the snow on a very narrow road for some vendors. And basically we have to comply with all of these rules. So one of the big things that I would say is that, whenever we're looking at fundamentally eCommerce, it really does boil down to having multiple fail-safes and having just kind of this assumption of failure as a mindset to be able to go through and test and validate the security, and not just the security of the software, but also the security of the team and the organization, and the mindset of the team that's using these systems and these tools. Because most commonly nowadays, a lot of hacks and breaches are occurring on the softer side of things with the people themselves, with them being hijacked or their accounts being hijacked. 

But anyway, to your question, GDPR mixed with HIPAA eCommerce is kind of like a Venn diagram where you've got to be able to hit the sweet spot. So yeah, I think with GDPR, the big thing is, in many ways it's more complex or more stringent than HIPAA is, and so being able to essentially present to the user that, hey, this information that's used on the system, you have the right to select to not put your information in for that, and we need to be able to show the user what that's going to impact if they don't share certain information. Maybe they won't have the ability to continue online, maybe they'll need to get in touch and have more of a manual process. We also need to be able to let the end-user know that this is the data that we're using, and maybe not necessarily just put all their data out there, but just kind of generally say, these are the areas where your data is being used, and you have the right to remove this data. 

But again, we just want to let them know if you remove your data from the system, we're removing your data, so we can't really use it in eCommerce in the traditional sense. But you're right. I mean, the data does need to be, from a compliance perspective, it needs to meet this narrow Venn diagram sweet spot. So typically what we would do in that scenario if someone wanted to get rid of their data, but we'd still need to comply with the prescription tracking information, et cetera, is we are going to be persisting that relative to what the business—the covered entity—needs to meet their legal requirements. And what I can tell you for pretty much every scenario, that it gets pretty complicated. It may make sense to actually work with a HIPAA lawyer and make sure that you're actually getting T's crossed and I's dotted properly. 

I do not pretend to be a lawyer. And I can tell you, ultimately that's probably where that goes, depending on what kind of prescription data needs to be persisted versus what kind of data ultimately the lawyer might determine that needs to be removed whenever they request the data removal. The capability is there to get rid of the data, but allow the system to still function. So we can keep information in there about the order and just genericize it and do things like that that kind of sanitize that user's information out of the system, but still allows the EMR or ERP system to function, it just isn't going to be as accurate with that user's data. 

RON: Yeah, that makes sense. We've done a lot of different things with that, and it sounds like that might be an upcoming webinar where we start talking about GDPR and the EU and the new California restrictions. 

CHRIS: Look at you. Yeah, definitely will be.


RON: One of the things with eCommerce for me, 99 out of 100 eCommerce deals that I deal with, they have some kind of integration. I mean, a doctor/patient portal is no good unless I can attach to either the clinic or the hospital or the doctor's EMR, and I can pull lab results, or I can see the available time slots in my mobile app, so I can schedule an appointment with my doctor. So I think one of the things we really should talk about is security and HIPAA compliance with regards to integrations. What do you think? 

CHRIS: Yeah, that's right. And the fundamental there is that now we're making it more complex. It's kind of like we're going uphill in the snow, and we're towing a car behind us. 

RON: You like the snow, don't you? 

CHRIS: Sure do. I have a flair for the dramatic. But yeah, I mean, if you think about the kind of level of complexity, it just adds another layer. And whenever these systems talk to each other, basically it just needs to be secure. And so when this data is going between these systems, it kind of opens up the potential between those systems for there to be a breach. But fundamentally one of the best ways to deal with that is using classic technologies like point-to-point VPN, and then encryption when the data is in transit, and encryption at rest, and then these role-based authorizations, and having a user for the eCommerce or the medical portal that has very restricted access. And in many cases, we'll work with clients to set up an intermediate layer that kind of sits behind the physical infrastructure, the security infrastructure of the internal systems. 

So that's what the external system will talk to, and then that intermediate system, you could almost think of it as just kind of a caching layer almost. That intermediate system would then only talk to the EMR/EHR system or other back office system. So this is kind of like what we were talking about with the vault system where you can tokenize things. You can essentially put intermediate steps in place that the data has to go through that are secure, and this just kind of adds extra layers. You can almost think of having, instead of one rope to pull the car, you have 10, and they're made of metal. That car is not going down. 

RON: Yeah. We did this for another client. I just saw the demo a couple days ago, and basically it was an online e-pharmacy type scenario where they could come in and order controlled substances, but the client couldn't really get in and do much with that data. It actually came into our eCommerce, sent an email into a custom portal, notified the doctor that there was a new prescription ready for approval, and then the doctor could log in and the doctor and/or physician's assistant were the only ones that could actually see the request for the prescriptions, and then they could approve those, and then it went back into the fulfillment and said, okay, we need this drug, it needs to go to this address. 

It's kind of a gray area now in PHI, because it could be my parents are in an old folks home, and the provider there is ordering the drugs and the prescriptions and taking care of them. So the prescription isn't always tied to the person making the order. So as long as you go through and tie the person and tie the diagnosis and only allow the doctor or PA to have that information, that's kind of that intermediary layer you're talking about without exposing additional information to people that may not, or deserve, or should have access to that type of PHI information. Am I hitting on what you're talking about? 

CHRIS: Yes, sir. That's exactly right. Yeah. So the integrations are really powerful, and it is just a matter of kind of applying the same core concepts. And because we offer all of these different variations and we have all this experience, we did—and this is where we're going to give just a very brief overview—we did over the years put together our own HIPAA eCommerce and HIPAA medical portal solution that we would love to review among your various options, if you are looking at going with one of the more robust HIPAA scenarios, and you do need a solution. And Ron, what's your experience been so far when you're talking with folks evaluating some of these different platforms? What are your thoughts on this solution and kind of what it offers and what it doesn't offer? 


RON: Yeah. I mean, again, I've been here 10 years now, and we've done hundreds of these things. So when they came in, the first thing is that people just don't know how it affects their budget, and don't know how it affects them legally, or how it puts them at risk. So typically they're either way underestimating these coming in and going, "oh, so I can just have a...I mean, the last website I had built was 15k, I can have one like this." And it's like, oh my gosh, no. So one of the things that I see and that we've with this solution more than anything else is, because we know exactly what you need and we built our solution as a modular architecture, we're able to assemble just the modules you need. 

So people can come in and go, "I need an mHealth app, I need one during Epic integration. I just need a mobile app that does this that's integrated with the clinic." Great. We've optimized that. We have a solution exactly for that. I can show you a demo, give you an idea how long that can take, and we can build that. Same thing with, "we need a doctor/patient portal that connects not only our hospital, but all 400 hospitals on the West Coast." Great. We can do that too. But the biggest thing is that people just don't know what they don't know. They don't understand how eClinicalWorks and Epic integrations are so similar, but the integration of those two EMRs could not be [more] different, and it all stems literally from a breach that one of the two of them had over 10 years ago. 

But since we have to deal with that every day, we know those ins and outs. So more than anything else—again, Chris and I aren't trying to sell you this solution, although we think it's amazing—we're just trying to tell you we've dealt with this. So if nothing else, you're welcome to pick up the phone, give us a call, schedule an appointment, and we're happy to give you some consultation time to talk through the intricacies of HIPAA, and at least get you on the right path, even if you're looking at some other solutions and want to know our opinion of those solutions. 

CHRIS: That's right. Exactly right. Yeah. We learn a lot by talking with potential customers and really just experts in the field or folks that know nothing. So we welcome any and all of these vantages as we continue to build our knowledge base. And if you think that we can help you, point you in the right direction, that's really going to be our goal with any kind of interactions. And you can reach out to us via our Ask An Expert, or you can set up a time to meet with us via phone, whatever format works. But either way, we hope that you found this valuable today. Really our goal with these webinars is to provide you with some resources that you can start with and that you can kind of get going into the right direction. And again, if you need any support or you're looking for support, please feel free to reach out to us and get in touch. And until then, Ron...

RON: Yeah. Thanks everyone. Appreciate your time today, and we'll see you in our next webinar. 

CHRIS: Awesome. Thanks Ron. 

RON: Thanks Chris. 


Get In Touch with the Experts

Clarity is ready to talk to you when you're in need of protection for ePHI. Get in touch or schedule a demo today.
