At the core of every quality innovation in healthcare has always been the privacy and security of every patient's information. Now, more than ever — and amidst the acceleration of engagement-type innovation during the pandemic — quality innovation combines patient engagement with mitigating risks by ensuring privacy and security compliance.
Last April, at a virtual event, leaders in healthcare and cybersecurity gathered to discuss “Secure Communication During a Pandemic.” As one of the featured speakers at the Paubox Spring Summit, I shared LifeWIRE’s best practices as a HITRUST-certified and HIPAA-compliant communication platform and participated in a meaningful exchange on “A Uniform Approach to Sharing Assurances and Other Certifications.”
Paddy Padmanabhan (@PaddyPadmanabhan), CEO of Damo Consulting, Inc., couldn't be more right in noting the trend of HITRUST (@HITRUST) certification becoming at least table stakes and at best a necessary filter for companies that want to be considered by big enterprises as business partners. The HITRUST CSF certification is touted as the gold-standard compliance framework in the healthcare industry.
“When evaluating health solutions, especially for early-stage companies with no big track record who have innovative product(s) or solution(s), CIOs and CTOs are trying to risk-mitigate. And one of the things they ask straight out of the gate is: Are you HITRUST-certified?” Padmanabhan said during the session on “A Uniform Approach to Sharing Assurances and Other Certifications.”
Having completed the HITRUST certification for LifeWIRE’s communication platform, I was able to share our experience. Below are some of our insights along with those of Michael Parisi, Vice President for Business Development & Adoption of HITRUST, in addition to questions and answers to consider when taking the HITRUST path as part of an innovation strategy.
When LifeWIRE first started, discussions with large organizations in both the private and public sector, in many cases, came down to "What’s your company name, what's your product, and what are your security and privacy certifications?" And that 15-minute discussion leads to another “room” for perhaps 10 months, that is, the time it takes to do some of these organizations' security and privacy audits. However, once LifeWIRE's platform was certified by HITRUST, and others such as ePRO, we never needed to leave the first room. We just checked each certification “box” and continued with product discussions.
If your company can't yet check that box, then for potential clients to determine if they like your product, you'll have to spend 3 to 6 months on the client's own security and privacy audit. We're finding that fewer and fewer organizations want to do that work; instead, they are looking for external validation. And very simply, there’s no question that if you're not a "card-carrying" certified company, so to speak, the process is greatly protracted and you’ll be competing with more and more companies who do hold the card.
Going through the process is a major management commitment. It requires internal project resources to do it successfully. There are many elements to it, and the scope is particularly surprising on the first attempt. It is an extensive exercise in gathering a lot of information. A key eye-opener is the advantage of having incorporated the certification guidelines from the start of developing a product or a platform.
In LifeWIRE’s case, security was of the utmost importance from the start. To get certified, we found that the issue wasn't so much what our platform didn't do; rather, we needed detailed documentation of our platform and the processes involved. It was a long road: for us, it was a solid 18 months in the first run just to go through it all; now, the annual renewals are much more straightforward. That said, especially for that first time, it's not possible to exaggerate the number of pieces to it, with levels nested inside more levels, very much like the proverbial onion.
Line up excellent auditors to work with. Doing so made a huge difference for us. We did our homework to find our auditors. You'll find they are indispensable, especially for your initial go-around.
Michael Parisi: Companies claim to be HIPAA-certified, but there is no such thing. What we (HITRUST) strive to do is to certify the implementation of controls that help meet the requirements of authoritative sources, one of which is HIPAA. It’s the closest thing you will find to HIPAA “certification.”
However, as there’s no HIPAA certification, the focus really needs to be on how you ensure that you have implemented appropriate controls, et al., to address the requirements that HIPAA dictates. In addition to that, when you look at a number of programs that have recently been rolled out, I think all industries are moving in this direction of some type of “certification.”
To put it more accurately, we offer independent validation. The number of business relationships for which we are depended upon by organizations is increasing, and it's only going to continue to increase. What I’d like to call the "daisy chain" of third-party business partners is also increasing. So, there’s no longer just one layer of third parties that you are directly working with, but, with the onset of the cloud, a much greater number of organizations. We’re probably needing to look 2 to 3 or even 4 levels down the line to understand everywhere our data resides.
Does HITRUST serve as a proxy for compliance to HIPAA?
Michael Parisi: Yes, that’s the bottom line. And if you look at most of the (security and privacy) releases that the U.S. Department of Health and Human Services (HHS) put out at the end of last year, for the first time ever they've indicated a level of Safe Harbor. And that level of Safe Harbor is driven by having an effective information security and privacy program actually implemented. Also key is maintaining that program to make sure it remains relevant.
So, what we’ve done to work with HHS and the Office for Civil Rights (OCR) for so many years is to align the requirements and capabilities of our program to the statement that was released. And we already have some examples even this year of organizations that have effectively used their HITRUST efforts in support of that Safe Harbor component.
From our experience, patients have always wanted to communicate with their providers, but it has been the providers who were reluctant because of concerns about security and privacy and about how they communicate. Patients just want to communicate the way they communicate with everyone else, however that may be. In some cases, we've found this to be a generational issue: the younger they are, the lower their expectations of privacy. But on the provider-payor side, there is great concern about privacy. With the ubiquity of communication between patients and providers necessitated by the pandemic and with the increasing occurrence of hacking, there’s a growing privacy concern on both fronts: one features a more extensive allowance for a variety of remote ways for patients to communicate with providers and for providers to communicate with payors; the other features a much greater concern for security and privacy because of this wider range of bring-your-own-communication. Then add in people pushing back against app use because of app fatigue. And right there is a perfect storm signaling the need for cover: third-party verification and certification. #BeLifeWIREd
(Go to this link to see more videos from the Paubox Spring Summit 2021)