HIPAA law says that all Protected Health Information (abbreviated to PHI) must be protected at rest, in storage, and in transit. In practice, there’s so much more to it than that.
Virtru's SVP of Strategy Rob McDonald joined Jason Karn, Chief Compliance Officer of TotalHIPAA, a leading HIPAA compliance consultant, for a conversation about email encryption, HIPAA, and how companies can protect their data amid tech and regulatory complexities.
McDonald and Karn begin by assessing the true meaning of data control, both in the past and in the future. Particularly in healthcare, control means different things at different levels of the business, and McDonald stresses that understanding this is key to protecting your data.
"[In] the partner engagement model today, control is a complicated concept," said McDonald. "A lot of the solutions today address [stages of protection] independently and there's no continuity between the two. So control means it changes between each of those stages a lot of the time."
It can be a challenge to account for how best to manage these ever-changing elements of your business — whether it's patients, providers, partners, etc. By managing these complex changes and applying data controls accordingly, your organization will become known as a responsible custodian of data—and your brand will benefit as a result.
Beginning that journey to specific, granular data controls per medium can be complex, but it begins with cultivating a high standard for the vendors you choose.
McDonald and Karn both agree: When considering data protection and encryption vendors, thinking ahead is a must.
“You’re bringing them into the business. They’re a partner, they’re there to help you. You have to think about, what are the implications of that into the future? I do need to address something today, for sure. But which of these future solutions are going to give you more mobility, more agility in the future? Because as your business changes, or as regulations change, or as the imperative for applying control and proving it becomes more stringent–did I pick a vendor, did I pick a solution, did I pick a technology, did I pick a process that gives me some of that future agility? Because that’s important. Those reduce cost for your business, they allow you to focus on the things you need to be working on instead of changing solutions in the future to meet those new changes.”
Karn notes that businesses must consider not only the compliance requirements outlined in the law, but also the self-imposed standards of partners like hospitals and providers. Perhaps they’ve been fined, or have experienced a compliance breach in the past. These parties are reactively ratcheting up their compliance efforts to prevent similar incidents in the future and will hold their upstream or downstream partners to those same standards.
McDonald points out that it still goes both ways; we can’t always control the actions or compliance practices of third-party partners. So, choosing solutions and architectures that can adapt to various conditions is vital.
Karn lists values that all businesses should take into account when choosing the right email encryption provider.
Karn provides another list of what to consider when looking for a secure file transfer provider.
McDonald and Karn emphasize an extra set of standards that can help businesses future-proof their data sharing practices: Will the provider allow data control outside of your internal environment? Can you securely request data? Will you have the audit log? Will you be able to host and manage your data, including encryption keys? How will it fit into your workflow, and is it easy to integrate? And of course, will the cost make sense in the long run?
We have strong control over data within our own “castle,” but what about outside of the kingdom walls?
McDonald stresses that many of the regulations and best practices for external data sharing aren’t focused on gaining control, but, rather, transferring risk.
“The way the landscape is moving, I don’t actually think that has longevity into the future,” said McDonald. “And most of the solutions really only focus on the internal state right? They don't give you any insight into what's happening to that data after you've extended it to your partners or outside your business organization, and at that point, you've kind of given up your own autonomy, you've given up your own sovereignty.”
When it comes to sharing sensitive medical or personal data externally, there is no room for mistakes. Standard email and file-sharing offers no revocation, no external auditing, and no window into what’s done with your data once it leaves your possession. And many industry professionals have accepted this, and in turn chosen solutions and processes that blind them instead of finding ways to maintain control.
Management of data, McDonald asserts, is an evolving concept. What management meant then isn’t what it means now: we have more capabilities and control than we ever have before.
“In the very beginning, the intentions were good with these regulations …get this data so that we could know if something happened. It was mostly a forensic requirement,” said McDonald. “But the reason why they laid that foundation was because these are going to evolve and we need to be able to take action on that data, not just forensically view it … The future is going to be more about automating that action and empowering the data owner to take action.”
Karn references the constitution as a parallel to HIPAA regulation. The founding fathers wrote the constitution with no concept of the technological and political advancements we face today, but still had an understanding of the evolution of law and people. HIPAA regulation and data protection law is similar; we have no concept of what the future will bring, but must interpret the law with the knowledge of what we are capable of today.
Karn explains that in building HIPAA compliance plans for clients, Office 365 and Google Workspace are the top two systems that TotalHIPAA encounters, and customers typically want to know if the encryption services within these systems are enough.
Karn explains that encryption is the first step, but we have to consider common issues that these solutions can’t fix on their own—like accidentally sharing data with the wrong person, or needing to revoke it past a certain date.
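The gaps named above and earlier on this page (no revocation, no external audit trail, keys held by someone else, data sent to the wrong person) all come from the same design choice: once the ciphertext and the key travel together, the sender has nothing left to control. The following added example is not Virtru's product or TotalHIPAA's guidance; it is a stand-alone, standard-library-only Python model of the alternative the speakers describe, in which the owner keeps the data key behind a policy-checking key service so every access is authorised, logged, and revocable even after copies of the ciphertext exist. The object id, recipient addresses and timestamps are constructed, and the stream-cipher construction is for illustration only (a real deployment would use an authenticated cipher such as AES-GCM).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """Access policy bound to one shared object (constructed model)."""
    recipients: Set[str]
    expires_at: float          # Unix time after which key requests are refused
    revoked: bool = False


class OwnerKeyService:
    """Key access service that stays under the data owner's control.

    The encrypted object can travel over ordinary email or file sharing, but
    the data key is only released through request_key(), so every access is
    checked against the policy and written to the owner's own audit log.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[bytes, Policy]] = {}
        self.audit_log: List[dict] = []

    def register(self, object_id: str, data_key: bytes, policy: Policy) -> None:
        self._entries[object_id] = (data_key, policy)

    def revoke(self, object_id: str) -> None:
        # Takes effect for every existing copy, because copies hold no key
        self._entries[object_id][1].revoked = True

    def request_key(self, object_id: str, requester: str,
                    now: Optional[float] = None) -> bytes:
        now = time.time() if now is None else now
        key, policy = self._entries[object_id]
        if policy.revoked:
            reason = "revoked"
        elif requester not in policy.recipients:
            reason = "not an authorised recipient"
        elif now > policy.expires_at:
            reason = "expired"
        else:
            reason = None
        # Audit entry is written whether or not access is granted
        self.audit_log.append({"object": object_id, "requester": requester,
                               "at": now, "granted": reason is None,
                               "reason": reason})
        if reason:
            raise PermissionError(f"{requester} denied for {object_id}: {reason}")
        return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 used as an XOF yields a keystream derived from key || nonce
    return hashlib.shake_256(key + nonce).digest(length)


def protect(plaintext: bytes, data_key: bytes) -> dict:
    """Encrypt-then-MAC with a fresh random nonce (illustrative construction)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(data_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(data_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}


def unprotect(blob: dict, data_key: bytes) -> bytes:
    """Verify the MAC in constant time before decrypting."""
    expected = hmac.new(data_key, blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed")
    ks = _keystream(data_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def open_shared(service: OwnerKeyService, object_id: str, blob: dict,
                requester: str, now: Optional[float] = None) -> bytes:
    """Recipient side: obtain the key under policy, then decrypt locally."""
    return unprotect(blob, service.request_key(object_id, requester, now))


def demo() -> dict:
    """Exercise the failure modes the page names; returns each outcome."""
    service = OwnerKeyService()
    key = secrets.token_bytes(32)
    t0 = 1_700_000_000.0                                   # constructed time
    blob = protect(b"PHI: patient 12345 lab results (constructed)", key)
    service.register("msg-1", key,
                     Policy({"dr.lee@clinic.example"}, expires_at=t0 + 86400))

    out = {"intended": open_shared(service, "msg-1", blob,
                                   "dr.lee@clinic.example", t0)}
    attempts = [("misaddressed", "wrong.person@example", t0),
                ("after_expiry", "dr.lee@clinic.example", t0 + 2 * 86400)]
    for label, who, when in attempts:
        try:
            open_shared(service, "msg-1", blob, who, when)
            out[label] = "granted"
        except PermissionError:
            out[label] = "denied"
    service.revoke("msg-1")                                # owner changes mind
    try:
        open_shared(service, "msg-1", blob, "dr.lee@clinic.example", t0)
        out["after_revoke"] = "granted"
    except PermissionError:
        out["after_revoke"] = "denied"
    out["audit_entries"] = len(service.audit_log)          # all four attempts
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is structural rather than cryptographic: the misaddressed copy, the stale copy and the revoked copy are all still perfectly good ciphertext, yet none of them can be opened, and the owner's audit log records who asked for what and when, including the denied attempts. Platform-native encryption that hands recipients a usable copy at delivery time cannot offer any of those three properties afterwards.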
McDonald explains that the intent behind adopting Google Workspace and Office 365 is to stay on par with software industry standards and to make collaboration easier. But at the end of the day, the strategies of these businesses are to increase their presence and gain market share—and they may not always take your workflow and need for flexibility into account. Total reliance on one provider for everything, particularly when it comes to your data, may not always be the right move.
“You may pick different service providers, right? I want to use this service provider for this, or this service provider. What's the common denominator? It's your data,” said McDonald. “So don't let any service provider hold you hostage if you want to move from here to here because you get a better service that helps your business. Think about providers that are going to allow you to make that portability possible.”
To see Karn and McDonald’s full conversation, including answering questions about PHI, cloud security, vendor grading, and more, follow the link below to TotalHIPAA’s website.
Contact us to learn more about our partnership opportunities.