HIT vendors rely on security standards that don't meet HIPAA requirements

Health IT vendors often don't protect electronic patient information in accordance with HIPAA, even when they and their provider clients think that they're in compliance with the law, according to a new article by Dan Schroeder, an attorney with Habif, Arogeti & Wynne in Atlanta.

Writing for the Health Law eSource, the monthly e-zine of the American Bar Association's Health Law Section, Schroeder points out that while the potential security risks of health IT companies are "very high," many of them are falling short on HIPAA compliance. For example, they're not conducting a risk analysis of potential threats and vulnerabilities regarding the data, a fundamental HIPAA requirement.

Health IT vendors and the providers who use them are expected to come under increased scrutiny, particularly over the next year, according to one attorney with the U.S. Department of Health and Human Services Office for Civil Rights. Both the Office of Inspector General and OCR have announced their intention to target cloud vendors and other business associates to ensure that patient data is adequately protected pursuant to HIPAA requirements.

Some vendors erroneously rely on alternative security standards as evidence that they adequately protect patient information. For instance, many health IT companies believe that obtaining a Service Organization Control (SOC) 1 Report--also known as an SSAE 16--is sufficient to comply with HIPAA. SOC 1 Reports, which are prepared by a certified public accountant in accordance with guidelines from the American Institute of Certified Public Accountants (AICPA), attest to a company's internal controls. However, they apply only to financial reporting, such as debits and credits.     

"A basic Internet search uncovers numerous HIT companies that offer up SOC 1 reports as evidence that they have fulfilled their HIPAA responsibilities, even though AICPA standards explicitly restrict the report from being used to address operational and compliance risks [e.g., security, privacy, integrity and availability risks]," he warns.
