At the recent NIST/OCR security conference, a panel member said the terms “HIPAA compliant” and “HIPAA certified” made her cringe. We agree. The Anthem settlement has a lot of people asking about cybersecurity certifications, since Anthem was technically HITRUST Certified when the attackers first broke into its network. Let’s talk about certifications and what they really mean under HIPAA, shall we?
Certification Is Not What You Think
Technically, Anthem, then still operating as WellPoint, was HITRUST Certified right up until the time they discovered the data breach. So what does that certification really mean when the same company suffered the largest breach and paid the largest settlement, at least so far, in the healthcare industry?
First, let’s understand what HITRUST Certification means. The HITRUST Alliance describes itself as a not-for-profit entity formed by a group of healthcare organizations back in 2007.
Executive Council members represent the following organizations:
- Anthem, Inc.
- Express Scripts, Inc.
- Health Care Service Corporation
- Hospital Corporation of America
- Humana Inc.
- IMS Health
- Kaiser Permanente
- McKesson Corporation
- UnitedHealth Group
I have seen them called a for-profit organization before. That is mostly due to the costs associated with becoming HITRUST Certified. It is not cheap. Most quotes say it will cost $40K – $60K to get there, but it could be even more depending on the size and type of your organization. For comparison, a SOC 2 report (an auditor’s attestation rather than a certification) starts around $30K.
To get to Certified there are several steps. You must use their Common Security Framework (CSF), which merges and attempts to normalize the requirements of multiple standards under one roof. It includes HIPAA, PCI DSS, ISO 27001, NIST, and much more. The idea is that if you meet HITRUST, you meet all of those standards as well. Great idea, huh?
So you download their framework for free from their website after agreeing to a license agreement that is very specific about what you may do with it. Then you follow the framework as you would any other. The difference with this framework is that you can use it, but you cannot publicly say that you are using HITRUST unless you take the next steps.
Start with a CSF Self-Assessment, then move up to a CSF Validated Assessment, and finally a CSF Certified Assessment. Each time, you purchase a CSF Assessment report from the HITRUST Alliance. That purchase comes with 90 days of access to their MyCSF online tool for performing the assessment. You can add a full-time subscription to MyCSF for another fee. Note that the subscription does not include the Assessment Report: you sign up for MyCSF and then purchase the report separately.
Once you are fairly confident you have passed the Self-Assessment, you step up to the Validated one. You repeat the same steps you did for the Self-Assessment, but then you also hire a Certified CSF Assessor organization to review your work and validate it.
Once you have gotten good at that, you go through the same process again, but this time you pay more for the CSF Assessor organization to come on site and perform the assessment instead of you doing it yourself. If you pass, they call you Certified.
Each time, you pay for the Assessment report. You also pay for the MyCSF subscription; if you plan to get Certified, it just makes sense. Finally, you pay big bucks for those assessors. They are expensive because it cost them big bucks to get certified to perform the assessments. Guess who they pay for that: HITRUST.
All that being said, it does cover a lot of bases. We have talked about this concept before when we discussed SOC 2 reports. Just as with them, when it comes to HITRUST the defined “scope” is what it is all about in the end. HITRUST issued a statement about the Anthem settlement saying that they are just a framework to follow. Also, just by the way, the failures Anthem experienced were “outside the scope” of their certification.
No matter what security certification you see, it is absolutely imperative that you understand its scope: which systems, which controls, and which time period the assessment actually covered.
OCR, which gets to decide things like a $16 million settlement, does not recognize any certification or claim of compliance. Period. Here is what HHS has to say about it (emphasis added):
> No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
We could decide we are compliant and put it on our website, or sell little badges to people on annual subscriptions. We would not be doing anything wrong by selling them, either. However, such badges imply something that is impossible to have: proof, or any guarantee, of compliance. Well, at least so far the FTC hasn’t gotten involved in calling this out as fraud. Until then, we will assume it is just an honest misunderstanding.
We try really hard to be clear and precise with our advice and information. This is one area that is so gray that it borders on deception in some cases. No one can truthfully claim to be 100% HIPAA compliant. It is impossible to achieve and certainly not a standard we expect of our clients and partners. This doesn’t mean that someone who makes the claim is definitely trying to deceive us. It is likely that they have themselves been deceived, or at a minimum misinformed, about these statements. Ask the questions and vet vendors extra carefully if they are making these claims. They may be just as confused or misinformed about it as you were before you heard this episode!