
SAS 70 and HIPAA Security Standards

Securing Information is a Requirement

It has been more than a decade since HIPAA was rolled out by the United States Government to establish national standards for health care transactions and to ensure the privacy and protection of valuable health care information, such as patient records and other related health information. Unfortunately, HIPAA has been a complex law, causing uncertainty as to compliance and even greater unfamiliarity with the specific provisions and guidelines that must be adhered to. Of the many concerns voiced in the ever-expanding health care industry, the following questions have warranted a more thorough understanding of HIPAA:

Recent historical events such as the 9/11 terrorist attacks, followed by hurricanes Katrina and Rita, have forced health care professionals to revisit their disaster recovery plans. Though known informally as business resumption, disaster planning, or a number of other phrases and abbreviations, this type of due-diligence activity should be considered paramount in today’s ever-changing and volatile world. Fortunately, many organizations have clearly understood the need to protect their valuable health care information and other related data. Unfortunately, just as many organizations have ignored these calls for safety and have looked upon HIPAA as nothing more than another legislative compliance mantra pushed down by Congress. What’s worse, the HIPAA guidelines were written in such a way that interpretation of the law was difficult, and overall enforcement has been lax. Here’s what you need to know about ensuring HIPAA compliance as it relates to organizations such as health plans, health care clearinghouses, and certain health care providers.

"Each entity needs to determine its own risk in the event of an emergency that would result in a loss of operations. A contingency plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given contingency plan will depend upon the nature and configuration of the entity devising it." (1)
(1) The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule and Mike Talon of Tech Republic.

Note: A copy of the final rule regarding HIPAA security standards can be obtained by visiting the following link: http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

Without question, one can see how interpretation of the above passage is left directly to the health care professional, devoid of any specific requirements from the law itself. With that said, listed below are the key items you should be concerned with to ensure HIPAA compliance in disaster recovery planning:

  • Conduct a formal analysis of your organization’s risks and how your organization as a whole can continue in the event of a major business interruption.
  • Create a formal disaster recovery planning policy and document. These documents can be developed internally with the aid of dozens of templates and white papers available on the internet.
  • Create an atmosphere of awareness within your organization concerning disaster recovery and its implications if a major business interruption event occurred.

More than anything, because the HIPAA requirements for disaster recovery are vague, it is up to your organization to use its best judgment as to what suffices both for HIPAA compliance and for overall good business practice. Talk to your I.T. experts, confirm with management, and implement a sound, workable, and feasible plan.

SAS 70 and its Impact on HIPAA

When you look at the standards set forth in The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule, you can see many items that are also commonly tested when conducting a SAS 70 Type II audit. Though differences exist in how they are formally labeled by SAS 70 auditors and by the Final Rule itself, similarities can be seen in a number of areas pertaining to Information Technology. Listed below is a sample of DHHS standards that a competent auditor can align with control objectives developed for a SAS 70 audit.

Department of HHS Security Standards

  • Security Management Process
  • Information Access Management
  • Transmission Security

SAS 70 Audit Control Objectives

  • Five Elements of Internal Control
  • Logical Security
  • Network Security

The Department of HHS Security Standards and the SAS 70 Audit Control Objectives are by no means a perfect, one-for-one match. However, the SAS 70 audit can be utilized to help achieve HIPAA compliance relating to information security standards. What’s more, the SAS 70 audit can cover additional requirements set forth by HIPAA if those specific requirements are clearly addressed in the scope of the audit and communicated effectively to the auditors themselves.

3 Reasons to Choose NDB, LLP

  • Cost-Effective, "Fixed-Fee" SAS 70 Audit Prices
  • Nationally Recognizable Firm with Years of Experience
  • Free SAS 70 Readiness Questionnaires for Audit Preparation

