By: Jack Sunderman, Chief Technology Officer
With just a little searching on the internet, one can find tens of millions of dollars in fines that have been levied against medical organizations for failing to protect Protected Health Information (PHI) in just the past 2 years. Medical organizations and their owners expect to face higher fines if appropriate steps are not taken to protect their data.
How can a medical organization ensure that it and its vendors are protecting PHI and other critical data appropriately? The answer: by conducting a number of industry-standard audits. Below, I will describe the audits that our anesthesia business consultants participate in annually, and how those audits have changed and developed over time. As the Chief Technology Officer (CTO), I am focused on the audits that directly support the protection of electronic data, the most notable being HIPAA Compliance Audits, SOC 2 Audits, and PCI DSS Compliance Audits.
HIPAA Compliance Audit:
As defined on hhs.gov, the “Office of Civil Rights (OCR) HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate”. OCR established a comprehensive audit protocol containing the requirements which should be assessed through performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
Our anesthesia business consultants follow the guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C, commonly known as the Security Rule. The Security Rule was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Annually, the Medac compliance department, the Chief Information Security Officer (CISO) and the Information Security Manager (ISM) review the guidance against Medac processes and procedures to ensure compliance.
SAS70 -> SSAE16 -> SOC 1 -> SOC 2 -> SOC 3:
One way service organizations demonstrate compliance is by having outside auditors test and certify system controls. Over the past 10 years, accounting standards have evolved and changed names with the advent of more sophisticated technology. These standards are developed and maintained by the American Institute of CPAs (AICPA).
The Statement on Auditing Standard Number 70 (SAS70) was the original audit to measure a data center’s record-keeping controls. In 2011, SAS70 was replaced by the Statement on Standards for Attestation Engagements Number 16 (SSAE16). SSAE16 had two types. Type 1 was a data center’s description and assertion of controls as reported by the company; Type 2 was the auditors testing the accuracy of controls and the implementation and effectiveness of such controls over a specific period of time.
Starting in June 2011, SOC 1 became the first of three new Service Organization Controls (SOC) reports developed by the AICPA. SOC 1 is essentially the same as the SSAE 16 audit. A SOC 2 measures the controls specifically related to IT and data center providers. The five control areas of a SOC 2 are (1) Security, (2) Availability, (3) Processing integrity, (4) Confidentiality and (5) Privacy. The SOC 2 audit also has two types: in Type 1 the company reports on the data center’s system and the suitability of the design of its controls; Type 2 includes everything in Type 1 and adds an outside auditor’s opinion on the operating effectiveness of those controls over a period of time. SOC 3 includes the auditor’s opinion on the SOC 2 components with an additional seal of approval.
Medac completed a SSAE16 SOC 1 Type 1 certification in February 2015 and by the end of February 2016 will have completed a SOC 2 Type 1 report. Both audits were completed by 360 Advanced from Tampa, Florida. Medac will continue to work with 360 Advanced during 2016 to complete a SOC 2 Type 2 audit and maintain that certification annually.
PCI DSS Audit:
The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card issuers and applies to companies that accept, store or transmit credit card holder data. A key point is that a company must complete a PCI DSS compliance audit if it has any type of interaction with credit card information. For example, if an employee at a medical group took credit card information and emailed it to our anesthesia billing consultants for payment processing, the group would be required to successfully complete a PCI DSS compliance audit to verify that they are sending the email securely, that the email server is encrypted, and that the sender would not be able to retrieve that credit card number in the future. It would be impossible to pass the PCI DSS compliance audit in the scenario described, since the credit card numbers would have been stored in a retrievable format.
Medac provides a website for credit card entry and securely passes the information to a credit card processing vendor. The website stores the transaction ID returned by the vendor but does not store any other credit card information. Medac contracts with Trustwave to perform monthly and annual PCI DSS compliance audits of Medac’s credit card process to ensure our anesthesia business consultants maintain a PCI DSS Certificate of Compliance.
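The two PCI DSS points above, that card numbers must never sit in a retrievable place such as an email and that the only thing worth keeping is the processor's transaction ID, are the kind of thing a vendor can check for itself between audits. The following is an added illustration, not Medac's or Trustwave's code and not tied to any language the page names: it finds Luhn-valid card-number candidates in free text (an outbound email body), redacts them, and audits a stored payment record for fields that contain one. The email text, record contents and the test card number 4111 1111 1111 1111 are constructed sample data.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
# Used as a coarse pre-filter; the Luhn check below does the real work.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn check digit test."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the separator-stripped card numbers found in text (Luhn-valid only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a billing note should ever carry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def fields_holding_pan(record: dict) -> list[str]:
    """Names of record fields whose string value contains a card number.

    Run over rows of a payment table, this flags storage that would fail the
    'not retrievable' requirement. A clean record holds only the processor's
    transaction ID and non-card data.
    """
    return [name for name, value in record.items()
            if isinstance(value, str) and find_pans(value)]


# Constructed sample email: one real (test) card number, one 16-digit tracking
# number that fails Luhn, and a phone number that is too short to be a PAN.
SAMPLE_EMAIL = """Hi, patient paid by card today.
Card: 4111 1111 1111 1111 exp 12/27
Ref: 1234567890123456 (shipment tracking)
Call 555-123-4567 with questions."""

# Constructed payment records: what the page describes (transaction ID only)
# versus a record that kept the card number.
CLEAN_RECORD = {"transaction_id": "txn_8f3a9c21", "amount_cents": "12500", "note": "copay"}
BAD_RECORD = {"transaction_id": "txn_8f3a9c22", "card_number": "4111-1111-1111-1111"}

if __name__ == "__main__":
    print("PANs in email:", find_pans(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
    print("clean record offending fields:", fields_holding_pan(CLEAN_RECORD))
    print("bad record offending fields:", fields_holding_pan(BAD_RECORD))
```

The Luhn pass is what keeps the false-positive rate tolerable: a bare digit-count regex would flag the tracking number as well, and a detector that cries wolf on every invoice or tracking number gets switched off. The record check is the same logic pointed at stored data rather than outbound mail, which is the distinction the audit draws between a retrievable card number and a harmless transaction ID.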
While the use of electronic data offers a tremendous advantage in information sharing and rapid processing, much of this information is protected by federal regulation, and failing to protect it carries significant consequences. As outlined above, our anesthesia business consultants have taken a number of steps to ensure the protected information we handle is in compliance with all federal standards, and regularly conduct audits via internal and external organizations to test, certify, and constantly improve our policies and controls.