Research credit to Jennifer Morehead, Civicom Compliance Officer
“If you think compliance is expensive – try non-compliance.” – Paul McNulty, Former US Deputy Attorney General
In 2010, Mark Zuckerberg declared privacy dead. This last week, he reversed his position. After a myriad of consumer complaints, bad press, and a $5 billion fine from the European regulators, he has come to an understanding about the importance of privacy to most Americans. The new truth is this: privacy is trending.
HIPAA has been around for over twenty years, and those involved in medical research and dealing directly with patients are well aware of the requirements of compliance. However, as leading facilitators of web-enabled market research globally, we have seen a wide range of compliance understanding among market researchers, mostly because modern market research using web-enabled tools is complex and it is not always obvious what specifically must be done to ensure compliance is met.
Hence, we’ve created a set of guidelines for what to look for in handling projects requiring HIPAA compliance that have grown out of what we have done to help keep our clients HIPAA compliant while remaining compliant ourselves. While much of this applies to other data requirements such as the GDPR, we’re focusing today on how to be HIPAA compliant in web-enabled market research. So here are ten things worth looking for.
Market researchers may enter the healthcare market deliberately or may fall into it because a healthcare company purchases their services. This is significant because many businesses may never intend to enter a market subject to HIPAA, yet if they do, they become subject to HIPAA requirements. Ask your supplier partner if they have worked on healthcare projects and are ready to meet requirements for protected health information (PHI).
Business Associate Agreements (BAAs)
Business Associates are service providers that have access to protected health information as part of the services they deliver to a covered entity. Vendor partners should be ready and willing to sign a BAA – it is a violation not to have one in place.
Market research standards incorporate GDPR and HIPAA requirements for consent. Look at your vendor’s website. Do you have evidence that they have enhanced privacy and security policies to comply with HIPAA? In line with HIPAA requirements, they should have designated Privacy and Security Officers. Do they have a policy or process to deal with individual requests for accounting of disclosures? Have you thought about what you want to happen if a vendor receives such a request?
Minimization of Your Data
You can reduce risk by using the absolute minimum data necessary for your research. Your vendor partners should be able to tell you the minimum information required for them to provide their services. Can they anonymize respondent data? Can they provide you with audio and face masking? Voice recordings and full-face images are themselves considered PHI.
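The minimization step above can be made concrete in code. The following is an added example, not Civicom's own tooling: it takes a constructed raw respondent record and reduces it to what a study actually needs, replacing the respondent ID with a keyed HMAC-SHA256 token (so only the key holder can re-link it), the date of birth with a ten-year age band, and the full ZIP code with its first three digits. The record shape, the field names and the key are assumptions for illustration. Note that this is pseudonymization rather than anonymization: whoever holds the key can still re-identify respondents, so the key must stay with the data controller and never travel with the minimized data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Respondent is the raw record a recruiter might hand over. This is a
// constructed sample shape, not a real client format.
type Respondent struct {
	ID    string
	Name  string
	Email string
	DOB   time.Time
	ZIP   string
	Notes string // interview scheduling notes, no identifiers
}

// Minimized is the reduced record the research team works from.
type Minimized struct {
	Token   string // keyed pseudonym; only the key holder can relink it
	AgeBand string // coarse age bucket instead of a date of birth
	Region  string // first three ZIP digits instead of the full ZIP
	Notes   string
}

// pseudonym derives a stable token from the respondent ID using HMAC-SHA256
// under a key that stays with the data controller. A plain unkeyed hash would
// let anyone who can enumerate the ID space recompute every token.
func pseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// ageBand buckets a date of birth into a ten-year band as of the given date.
func ageBand(dob, asOf time.Time) string {
	years := asOf.Year() - dob.Year()
	if asOf.YearDay() < dob.YearDay() {
		years-- // birthday not yet reached this year
	}
	lo := (years / 10) * 10
	return fmt.Sprintf("%d-%d", lo, lo+9)
}

// Minimize drops direct identifiers (name, email) outright and coarsens the
// quasi-identifiers (DOB, ZIP) that could otherwise be combined to re-identify.
func Minimize(key []byte, r Respondent, asOf time.Time) Minimized {
	region := r.ZIP
	if len(region) > 3 {
		region = region[:3]
	}
	return Minimized{
		Token:   pseudonym(key, r.ID),
		AgeBand: ageBand(r.DOB, asOf),
		Region:  region,
		Notes:   r.Notes,
	}
}

func main() {
	// Constructed sample input; the key would come from a secrets store in practice.
	key := []byte("constructed-demo-key-keep-with-controller")
	r := Respondent{
		ID: "R-1001", Name: "Jane Doe", Email: "jane@example.com",
		DOB: time.Date(1985, 6, 15, 0, 0, 0, 0, time.UTC),
		ZIP: "10012", Notes: "prefers morning sessions",
	}
	asOf := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", Minimize(key, r, asOf))
}
```

The token is deterministic for a given key, so the same respondent appears under the same token across waves of a study without the name or email ever leaving the controller.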
Vendors should have data mapping of their processes in place to demonstrate that they know where your data goes and who accesses it. Expect consumers to exercise their right to privacy – vendors should be prepared to respond to requests for accounting of disclosure within the HIPAA required period of 45 days.
Secure Data Transfer
Encryption of PHI is required at rest and in transit. Vendors should be able to accommodate the use of secured file-sharing platforms, whether through your proprietary web app or a third-party SFTP service. Never transfer PHI over email (unless sufficient encryption is enabled). Remote access to networks should be made only through VPNs, and there should be a regular review of firewall rules.
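Encrypting the export before it ever reaches the transfer channel gives you encryption at rest on both ends and in transit regardless of how the file is moved. The block below is an added example, not Civicom's code: it seals a constructed PHI export with AES-256-GCM, prefixing the random nonce to the ciphertext so one blob carries everything the receiver needs apart from the key, and binds the file name as associated data so a valid blob cannot be quietly presented under a different name. The key, the sample content and the file name are assumptions; in practice the key is exchanged out of band, never alongside the file or in the email that announces it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (additional authenticated data) is not encrypted but is covered by the
// authentication tag, so the receiver must present the same value to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any modification to the blob or a mismatched aad makes
// the tag check fail and returns an error instead of corrupted plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample: a 32-byte key (would come from a secrets store) and a
	// small minimized export that is about to be staged for SFTP upload.
	key := []byte("0123456789abcdef0123456789abcdef")
	export := []byte("token,age_band,region\nab12cd34ef56ab12,30-39,100\n")
	name := []byte("study-42-export.csv") // assumed file name used as aad

	blob, err := Seal(key, export, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(export), len(blob))

	back, err := Open(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", back)
}
```

Whether the sealed blob then travels over SFTP, a web app, or even email, an intermediary that can read the channel sees only ciphertext, and any tampering in transit is detected on open rather than surfacing as subtly altered respondent data.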
Policies must be in place to ensure physical security. This could start with biometric authentication for entry to production areas. Protect the integrity of PHI with automatic timeout/log-out for workstations (in a survey of 300+ healthcare professionals, primarily from organizations with fewer than 500 employees, 20% said they do not have this), and require verifiable, unique access credentials for client confidential information.
A Security Culture
It is a HIPAA violation not to provide training for staff who handle PHI. Many companies invest in technical security, but a true security culture also invests in its people: they are the front line that stops unauthorized disclosures. Training should cover the required topics as set out in the Privacy Rule. It is important to provide training to employees at every level, explaining the laws and regulations in a way that applies to what they do every day.
Companies must engage in both regular risk assessments as required by HIPAA and risk assessments related to new or changing processes / projects. Willingness to submit to audit is essential.
Seamless Service Compliance
You may work with vendors that have multiple service offerings. Compliance should be seamless across all of their lines of business, with the appropriate controls along the way.
The Bottom Line
You do not have to look far to find privacy breaches that vendors caused. The bottom line is to understand how your vendors are handling your data and whether they can maintain HIPAA compliance. Demonstrate privacy and data protection awareness from the beginning of the relationship.