What Do HIPAA and Dodd-Frank Have in Common for Physicians?

June 12, 2014
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Complying with HIPAA means conducting due diligence when it comes to business associates. Make sure your partners protect and secure patient data.

Due diligence is a fundamental requirement in multiple areas of business. Fundamentally, due diligence can be viewed as research required as part of a process to ascertain material facts and their impact on a given transaction or area of compliance. For example, SEC Release No. 34-64514 requires an issuer or underwriter of registered or unregistered "asset-backed securities" as defined under the Dodd-Frank Act, that are rated by a nationally recognized statistical rating organization, to furnish a third-party due diligence report. Section 15E(s)(4)(A) of the 1934 Securities and Exchange Act, which was added by Section 932 of Dodd-Frank, requires the due diligence report to include findings and conclusions of its "due diligence services." These services include: findings in relation to the asset data integrity; determining whether the requisite standards were met; assessing asset value; relaying legal compliance standards; and ascertaining any other material factor relevant to the timely payment of interest and principal by the issuer.

Likewise, as part of the required HIPAA risk assessment and risk analysis, providers should apply parameters similar to those expressed in Dodd-Frank. For example, 45 CFR 164.506(a) is a Standard (meaning not optional) and relates to permitted uses and disclosures "[f]or the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph 45 CFR 164.501(6)(iv) of the definition of health care operations [(iv): the sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity] and pursuant to 45 CFR 164.506(a) [Standard: Permitted uses and disclosures]." Accordingly, whether part of a merger, acquisition, or joint venture transaction, or a portion of a HIPAA risk assessment, providers should specifically address the following:

• Data integrity in relation to the Privacy, Security and Breach Notification Rules, with an emphasis on integrity, confidentiality and access;

• Making sure all of the Standard, Required, and Addressable areas of the CFR in relation to HIPAA have been investigated and documented;

• Recognizing that there is no accepted "HIPAA CERTIFICATION" as expressed in the Final Rule (Jan. 25, 2013), but that ascertaining compliance with all the areas associated with HIPAA, along with reasonable assurances from other covered entities, business associates, and subcontractors, is mandatory; and

• Ascertaining other material factors.

One item that would be considered a material factor is a business associate's compliance with HIPAA. For example, is a HIPAA consulting company relying on Evernote? Evernote is a company which provides cloud services syncing information across multiple devices and media. A quick search on the Internet reveals why multiple sources and experts have concluded that this service is not HIPAA compliant. For example, there are a multitude of windows and channels, and the only identified way to secure data is to keep the notes completely offline. Yet one has to go online to access the information, and there are other HIPAA compliance requirements once the information is downloaded. At that point the value of Evernote is lost, as it basically becomes a text editor.

Another area related to material factors is whether or not the cloud service is a public cloud, a private cloud, or a hybrid cloud. This can have a substantial impact on HIPAA compliance with the requisite standards.

In sum, due diligence is essential in a multitude of situations. Performing adequate due diligence now can lead to a reduced risk of noncompliance and higher (or lower) valuations for companies occupying a variety of spaces.