By |February 2nd, 2021|Blog|0 Comments

ECRM Compliance Efficiency

How Enterprise Cyber Risk Management Can Facilitate Compliance Efficiency

 

HIPAA is not the only law that addresses data privacy and security within the healthcare industry. There are many other laws and regulations which apply to specific types of data and/or specific kinds of data transactions that are applicable to the healthcare industry. Many of these laws and regulations include language, requirements and standards related to risk assessment. For example:

General Data Protection Regulations (GDPR). The GDPR, a data privacy law designed to protect individuals in the European Union (EU), went into effect in 2018.[1] U.S. healthcare organizations that offer goods or services to individuals in the EU may be subject to the provisions of the GDPR.[2] Article 35 of the GDPR requires organizations to conduct a “data protection impact assessment.”[3] This provision requires “an assessment of the risks” and “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation …”[4]

Gramm-Leach-Bliley Act (GLB Act).[5] The GLB Act requires organizations that offer consumers financial products or services (such as loans) to explain their information-sharing practices and to safeguard sensitive data.[6] The GLB Act specifically addresses the safeguarding of “nonpublic personal information” (NPI) which includes “any ‘personally identifiable financial information’ that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise ‘publicly available.’”[7]

The Federal Trade Commission (FTC) issued a Safeguards Rule (16 C.F.R. Part 314) as part of its implementation of the GLB Act.[8] Among the requirements of the rule are that each company must “identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.”[9]

Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS articulates global standards that apply to any organization that stores, processes, or transmits credit card information. Guidance from the PCI Security Standards Council® identifies assessment as the first step in adhering to PCI DSS standards.[10] PCI Security Standards Council® guidance describes assessment as “… identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.”[11]

Additional guidance from the PCI Security Standards Council® defines “Risk Analysis / Risk Assessment” as follows: “Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.”[12]

Family Educational Rights and Privacy Act (FERPA). The FERPA statute and accompanying regulations give parents access, and some control, over the disclosure of personally identifiable information (PII) found in education records.[13] When a student enters postsecondary education or turns 18 years old, FERPA rights transfer to the student.

The FERPA statute and regulations do not directly address the need to conduct a risk analysis. However, the National Center for Education Statistics, within the Department of Education, published specific guidance on Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records in which they effectively outline all the steps for conducting a risk analysis.[14] Conducting a risk analysis is important to complying with FERPA requirements.[15]

Genetic Information Nondiscrimination Act (GINA) of 2008. GINA protects individuals from discrimination based on their genetic information. The specific areas of discrimination GINA addresses are employment and health coverage.[16] When the HIPAA Omnibus Final Rule was published in 2013, the Privacy Rule was modified to encompass the protections specified in GINA.[17] Genetic information, as part of a patient’s health record, is protected by both HIPAA and the more specific protections spelled out in GINA.

As these examples illustrate, laws and standards that address the privacy and security of data are embedded in many different regulations that impact healthcare organizations. The examples cited above focus specifically on language related to risk analysis/risk assessment. But the fact is, conducting a risk analysis is but one aspect of a comprehensive Enterprise Cyber Risk Management (ECRM) program. An effective ECRM program includes, but is not limited to, the following activities:

  • Evaluating whether or not the organization has adopted a cybersecurity framework, such as the NIST Cybersecurity Framework (CSF), and evaluating the maturity of the organization’s implementation of the framework;
  • Conducting an enterprisewide risk analysis that identifies all of an organization’s information assets (data, systems, and devices), documents the threats and vulnerabilities associated with each of those assets, and documents the organization’s approach to addressing each of those risks;
  • Assessing the organization’s compliance with the requirements of the HIPAA Security Rule;
  • Assessing the organization’s compliance with the requirements of the HIPAA Privacy and Breach Notification Rules;
  • Establishing ongoing processes for identifying and treating risks as the organization evolves and the risk landscape continues to change.
  • Assuring ongoing maturity of the ECRM program through continuous process improvement.

An effective ECRM program will execute these tasks in a way that complies with HIPAA requirements and meets OCR expectations. A comprehensive ECRM program, which meets these goals, can provide the foundation for meeting the data privacy and security requirements of many different mandates and regulations. In other words, a comprehensive ECRM program not only serves to protect the organization from cyber risk, it also helps simplify compliance with myriad regulations related to data privacy and security.

Getting started with ECRM to simplify compliance

ECRM is a journey, not a destination. It takes time to establish and implement a comprehensive ECRM program. However, once such a program is in place, it can help make compliance activities more efficient and more effective. By implementing a single, comprehensive, ECRM program, organizations can not only have confidence that they will meet HIPAA’s requirements, but also have confidence that they have a program in place that will meet the data and privacy requirements of many other statutes and regulations as well.

The following three action steps can help healthcare organizations move toward leveraging the power of ECRM to manage privacy and security mandates efficiently and effectively:

  1. Identify the information security and privacy regulations that impact your organization. HIPAA’s Privacy, Security and Breach Notifications Rules are likely at the top of the list. But what about the other regulations mentioned in this article? Do any of them apply to your organization? Are there other regulations—for example, state-specific regulations—that control the way your organization manages cyber risk?
  2. Analyze the specific requirements of the data security and privacy regulations that impact your organization. For example, how many of the regulations require a risk analysis or risk assessment, as described in this article? What other common requirements, related to cyber risk management, can you find across the breadth of data privacy and security regulations your organization is subject to?
  3. Find out whether or not your organization has implemented an ECRM program. Share the information you have gathered about how cyber risk management impacts your organization with respect to compliance. Make sure compliance has a seat at the table as the organization establishes, or matures, its ECRM program.

This blog is adapted from the article Driving Compliance Efficiency Through Enterprise Cyber Risk Management, which appears in the January 2021 issue of the Health Care Compliance Association (HCCA) publication Compliance Today. You can access the full article here.

Copyright 2021 Compliance Today, a publication of the Health Care Compliance Association (HCCA)

 

[1] Regulation (EU) 2016/679 of the European Parliament and Council of 27: General Data Protection Regulation. Available at https://bit.ly/2PkuDPI

[2] For a more nuanced discussion of how GDPR provisions apply to U.S. healthcare organizations, see: Amy Joseph and Krietta Bowens Jones. “GDPR compliance: Considerations for U.S. healthcare organizations.” Compliance Today. October 2018. http://www.health-law.com/media/publicationsother/439_Amy_s%20bio%20article%20to%20post%20ct-2018-10-jospeh-jones.pdf

[3] GDPR, Article 35

[4] GDPR, Article 35(7)(c) and Article 35(7)(d)

[5]Pub. L. No. 106-102, 113 Stat. 1338, codified in relevant part primarily at 15 U.S.C. §§ 6801-6809, §§ 6821-6827

[6] Federal Trade Commission (FTC). “Gramm-Leach-Bliley Act.” (n.d.) https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

[7] Federal Trade Commission (FTC). “How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act.” 2002.

https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm

[8] Federal Trade Commission (FTC). “Financial Institutions and Customer Information: Complying with the Safeguards Rule.” 2006. https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying#how

[9] Federal Trade Commission (FTC). “Financial Institutions and Customer Information: Complying with the Safeguards Rule.” 2006. https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying#how

[10] PCI Security Standards Council®. “PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1.” July 2018. https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1602522380649

[11] PCI Security Standards Council®. “PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1.” July 2018. https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1602522380649

[12] PCI Security Standards Council®. “Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS): Glossary of Terms, Abbreviations, and Acronyms, Version 3.2.” April 2016. https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf?agreement=true&time=1602522380627

[13] 20 U.S.C. § 1232g; 34 CFR Part 99.

[14] National Center for Education Statistics, Institute of Education Sciences (IES). “Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records.” November 2010. https://nces.ed.gov/pubs2011/2011602.pdf.

[15] See also the “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records,” published by the U.S. Department of Health and Human Services and the U.S. Department of Education in 2019. Available at https://studentprivacy.ed.gov/resources/joint-guidance-application-ferpa-and-hipaa-student-health-records

[16] U.S. Department of Health and Human Services (HHS). Office for Civil Rights (OCR). “Genetic Information.” Content last reviewed June 16, 2017. https://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html