Now that we’ve passed our PCI audit, we’re making another big compliance push, this time for HIPAA. We’re not in the health field, but the Health Insurance Portability and Accountability Act includes guidance and requirements related to the safeguarding of health-related data that can be useful for just about any company.
At issue: Meeting the requirements for HIPAA compliance can make a lot of sense from a business standpoint, but it won’t be easy.
Action plan: Present the executive staff with findings about what will be needed, while emphasizing the potential business benefits.
We were similarly situated when we chose to improve our credit card-handling processes by going through a full Level 1 type of PCI assessment. We fall short of the number of credit card transactions that would make a full Report on Compliance necessary, but we made a business decision to become more attractive to customers by reaching that level of compliance. When it comes to personally identifiable health information (PHI), some customers have said they would like to store it in our application. Up to now, we have advised against that because we are not HIPAA-compliant. But with the realization that our stance could result in some lost opportunities with prospective customers, we’ve decided to look into what it would take to reach HIPAA compliance.
To get started, I hired a third party to assist with a gap analysis. It turned up one area where we have a big gap between where we are and where we should be for HIPAA purposes: logging. A second gap that we identified, in the area of encryption, is not a problem for HIPAA compliance (surprisingly, encryption of data isn’t mandatory under the current requirements), but we nonetheless decided it was a failing that could contribute to customers’ reluctance to use our application.
For HIPAA, companies have to create, enable, collect and store a lot of log data. You need to know who accessed data and whether they just viewed it or changed something. If they did make changes, you need to know when they changed it and the previous value before the change was made. Was a report generated, and did that report contain any PHI? Was data transferred to a third party via our API or some other data-delivery mechanism? If so, what data was transferred, where did it go and who initiated the activity? All of the log data needs to be available in a timely manner and retained for a certain period of time. To make all of that possible will require a considerable amount of engineering effort.
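As an added illustration (not code from the column or its author), here is a minimal Python audit trail that records exactly the fields described above: who acted, whether they viewed or changed data, when, the previous value, whether a generated report contained PHI, and where an API transfer went. The actors, record ids and partner hostname are constructed sample values.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Optional

@dataclass(frozen=True)
class AuditEvent:
    """One append-only record answering who did what, to which record, when."""
    actor: str                          # who performed the action
    action: str                         # "view", "change", "report" or "transfer"
    record_id: str                      # PHI record or report that was touched
    timestamp: str                      # when, UTC ISO-8601
    field_name: Optional[str] = None    # change: which field was edited
    previous_value: Any = None          # change: value before the edit
    new_value: Any = None               # change: value after the edit
    contains_phi: bool = False          # report: did the output include PHI?
    destination: Optional[str] = None   # transfer: where the data went

class AuditTrail:
    def __init__(self) -> None:
        self._events: list[AuditEvent] = []   # in-memory here; persist to a write-once store in practice

    def _log(self, **fields: Any) -> AuditEvent:
        ev = AuditEvent(timestamp=datetime.now(timezone.utc).isoformat(), **fields)
        self._events.append(ev)
        return ev

    def view(self, actor: str, record_id: str) -> AuditEvent:
        return self._log(actor=actor, action="view", record_id=record_id)
    def change(self, actor: str, record_id: str, field_name: str, old: Any, new: Any) -> AuditEvent:
        return self._log(actor=actor, action="change", record_id=record_id,
                         field_name=field_name, previous_value=old, new_value=new)
    def report(self, actor: str, report_id: str, contains_phi: bool) -> AuditEvent:
        return self._log(actor=actor, action="report", record_id=report_id, contains_phi=contains_phi)
    def transfer(self, actor: str, record_id: str, destination: str) -> AuditEvent:
        return self._log(actor=actor, action="transfer", record_id=record_id, destination=destination)
    def history(self, record_id: str) -> list[dict]:   # everything that happened to one record
        return [asdict(e) for e in self._events if e.record_id == record_id]

    def disclosures(self) -> list[dict]:   # events where PHI left the application
        return [asdict(e) for e in self._events
                if e.action == "transfer" or (e.action == "report" and e.contains_phi)]

def sample_trail() -> AuditTrail:   # constructed sample activity (not real data)
    t = AuditTrail()
    t.view("alice", "pt-1001")
    t.change("alice", "pt-1001", "blood_type", "A+", "O-")
    t.report("bob", "rpt-7", contains_phi=True)
    t.transfer("svc-api", "pt-1001", "partner.example")
    return t
```

In a deployment the events would be written to a separate store that application accounts cannot modify, and retained for the required period.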
Encryption is also problematic. We already encrypt things such as passwords and credit card data (which is, of course, a PCI requirement). But our application architecture makes it extremely difficult to encrypt all data in the database, because application performance would take a hit, and we are very sensitive to our customers’ needs for a high-performing application.