The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been around for over twenty years. Those involved in medical research and those who deal directly with patients are well aware of the requirements of HIPAA compliance. However, market researchers' understanding of compliance varies from person to person, mostly because modern market research relies on a complex set of web-enabled tools. Not everyone is aware of what specifically to do to ensure compliance is met. That leaves the question: how exactly can a researcher determine whether their third-party market research facilitators meet and maintain compliance with the HIPAA Privacy and Security Rules?
In this eGuide, we’ve compiled the guidelines necessary to help you, the researcher, stay HIPAA compliant in web-enabled market research.
Keep reading to learn:
One of the ten ways to stay HIPAA compliant in web-enabled research, particularly when you’re looking for vendors and service providers, is to look for healthcare experience.
Gauge whether their business processes are well documented. Make sure they have assessed how each process can affect the privacy of individuals and their health information. Transparency here is very important as well. You need to know how any data you transmit is going to be handled, where it goes, and who has access to it.
To ensure data is protected, make sure that service providers have measures in place to transfer data securely, with encryption, as HIPAA requires. The same goes for secure erasure: look for either a retention policy or evidence of the technical standard to which they disposed of the electronic data.
Suppliers should also be ready and willing to sign a business associate agreement (BAA), as it is a violation not to have one in place. Additionally, even cloud providers such as Amazon, Dropbox, Google, etc., who only transmit PHI without actually accessing it are considered Business Associates, even if the data is encrypted.
Business Associates are service providers to the entities that hold protected health information (PHI): researchers, law firms, transcriptionists, facilitators, and hosted software providers. In the case of a data breach, they are liable both for notification and for minimizing the harm to individuals caused by unauthorized access to their data.
Managing consent to the storage or handling of PHI is important. But how exactly can this be done? First and foremost, you need to know if your provider has the basics covered to meet GDPR and HIPAA requirements for consent.
Data minimization is a core principle of privacy protection: it reduces the risk of non-compliance or breach. Simply put, if you don’t have it, it can’t be stolen or misused.
It is important to note that there is not really such a thing as HIPAA-compliant technology.
It's about how the users implement the privacy safeguards when using the technology.
Most providers offer services globally, and even those that don't are most likely subject to GDPR as well as HIPAA. In light of this, vendors should have thorough data maps of their systems, data, and processes.
What is a data map and why is it important?
A data map shows how personal data are used and stored in the business. It is a visual representation or step-by-step layout of processes, making it easier to assess business processes at every step. The data map needs to include the people who have access to the data, the systems and platforms used, individual workstations, and transfers to third parties and other networks.
Look for transparency: the necessary security controls need to be clear at every stage of a process.
Expect consumers to exercise their right to privacy: suppliers should be prepared to respond to requests for an accounting of disclosures within the HIPAA-required period of 45 days. Data maps make it easier to answer these requests.
You must also make sure that the integrity, or correctness, of PHI is protected. There must be an automatic timeout/log out for workstations to ensure that PHI won’t be altered or tampered with. Unfortunately, in a survey of 300+ healthcare professionals, primarily from organizations with fewer than 500 employees, 20% said they don’t have an automatic timeout/log out for workstations.
It is a HIPAA violation not to provide training for staff who handle PHI. Many companies invest in technical security, but a true security culture also invests in its people, since they are the front line for stopping unauthorized disclosures.
Training should cover the required topics as set out in the Privacy Rule. To make it easier for staff to access them, set these topics out in a policy manual.
It’s also important to provide training to employees at every level with an explanation of the laws and regulations in a way that applies to what they do every day. Know the frequency of training and how new employee training is accounted for.
Companies must conduct both the regular risk assessments required by HIPAA and risk assessments related to new or changing processes or projects. Make sure you are able to see a list of controls that match the identified gaps. Data maps make the scope of a risk assessment easier to identify. You need to identify where the risks are and then address them.
Before the project starts, determine how the data will be transmitted, shared, and stored.
Since you may work with vendors with multiple service offerings, analyze each tool or service from a HIPAA compliance standpoint.
HIPAA compliance is not something to be hidden or avoided.
Simply have the right policies and controls in place and you should be fine.
Maintaining HIPAA compliance in web-enabled market research isn’t as complicated as you think. You just have to understand how your suppliers are handling your data and whether they are willing to maintain compliance. For further assurance, demonstrate privacy and data protection awareness from the beginning of the project relationship and execute a business associate agreement for every supplier.
As long as you keep these guidelines in mind when working with third parties, vendors, or service providers, it’ll put you on the right track.