Value of HIPAA gap assessments for retail industry and third parties
CASE STUDY |
The Health Information Portability and Accountability Act (HIPAA) not only affects the health care industry, but many retailers as well. In fact, any organization that obtains, stores, processes or transmits protected health information (PHI) in paper or digital format is subject to HIPAA. Within the retail industry, a growing number of grocery stores maintain pharmacies and wellness programs that handle employee and customer PHI. This brings both the retailer and any third-party business associate (BA) that helps them with these services under the scope of HIPAA.
A grocery chain recently approached RSM to assess its state of HIPAA compliance. Since the organization operated a pharmacy, it needed to assess the pharmacy environment, as well as the BA that provided pharmacy support services. The organization also needed to assess the HIPAA compliance of the BA supporting their employee wellness program. If any PHI under the organization’s domain were compromised, the organization could face stiff penalties and fines for noncompliance, in addition to bearing the reputational and financial impact of a breach. Furthermore, the organization feared they would not be prepared for a HIPAA audit from the Office of Civil Rights (OCR). Assessing both in-house and outsourced processes through HIPAA gap assessments helped to determine and reduce their internal and third-party risk.
To get a clear picture of the grocery chain’s compliance status, RSM performed HIPAA gap assessments on the organization’s pharmacy environment, as well as on the two BAs supporting HIPAA-related processes. In a HIPAA gap assessment, we conduct interviews with key personnel and review documentation to identify areas where policies, procedures and technology do not meet the HIPAA standard. This provides insight into the effectiveness of the compliance program, thus allowing organizations to adjust processes to meet their compliance obligations. Once the gap assessment is complete, we provide a detailed strategic and tactical recommendation plan to better protect customer and employee PHI.
The HIPAA gap assessment also helps organizations meet an important but often overlooked element of HIPAA compliance and security best practices: third-party due diligence. Third parties bring unknown risks, and organizations can be held liable for breaches originating with or occurring at their third parties. When it comes to HIPAA, organizations are required to obtain assurances that their BAs are handling PHI in accordance with the law. Depending on the BA’s role, this could involve a review of the BA’s policies, training requirements, facility, technical controls and personnel management procedures. HIPAA also requires organizations to establish a business associate agreement (BAA), or contract, outlining the BA’s duties when handling PHI. The HIPAA gap assessment helps organizations meet this due diligence requirement. The results of the assessment can be used to refine the BAA, support compliance efforts and reduce third-party risk.
With this client, the HIPAA gap assessments provided a much more efficient strategy for managing compliance and for reducing third-party risk. One gap assessment was performed on the client’s own pharmacy environment. By identifying areas of noncompliance, RSM developed a remediation road map involving process, technology and control improvements. The assessment process also helped executive management understand what an OCR audit would entail and how to best prepare for it.
The other two gap assessments were performed on the BAs. They uncovered troubling areas of risk and led to drastic changes in these relationships. The BA handling the organization’s wellness program was found to be only 37 percent compliant with HIPAA standards. We worked with the client and its BA to define expectations and milestones for remediation. It is not uncommon to identify major deficiencies in a gap assessment, but this BA showed little progress in prioritizing compliance and meeting milestones. Thus, the organization eventually decided the BA was too risky and ended the relationship.
This was a critical action because working with the BA—despite pervasive noncompliance—could make the client liable for HIPAA violations. The BA was collecting sensitive health and personal data on upwards of 50,000 employees. PHI and personally identifiable information (PII) are among the most valuable and highly targeted data sets because they can facilitate identity theft or insurance fraud. The BA had a responsibility to protect this data with controls pursuant to its sensitivity and its regulatory implications; not doing so put the client’s reputation and security at risk.
The second HIPAA gap assessment was performed on a group within a large pharmacy technology provider serving as a BA to the client. This also revealed major HIPAA deficiencies. To date, this BA has also made little headway toward remediation, and the client is considering alternative actions. One viable approach is for the client to purchase the group that was providing the relevant services. This way, the client can manage and streamline all compliance initiatives in-house, rather than wait for the third party to restructure its processes. Whatever the course of action, the client is now much more aware of its BA’s compliance standing and can now manage this risk much more effectively.
The HIPAA gap assessment is an essential business planning tool not only for the health care industry but also for retailers. Many retailers are unaware of their HIPAA obligations, and even more are unsure of how to manage vendor compliance status. This assessment provides guidance for both situations. By assessing your environment against the HIPAA standard, we can identify tactical actions to achieve compliance and a strategic plan to maintain that compliance. By assessing BAs, we can provide a vehicle for articulating third-party risk to executives and for managing vendor compliance status more efficiently.