Monday, November 11, 2013

How MerusCase Achieved Full HIPAA Compliance

In my last post entitled "What you Need From Your Business Associates" I highlighted some of the key aspects of the HIPAA Omnibus Final Rule (“Final Rule”) business associates of covered entities should expect and require of their own business associates and/or subcontractors to have implemented by now. I also briefly mentioned the painstaking work it took the various teams at Merus - from engineering to legal - to come into full compliance under the Final Rule. 

Achieving full compliance by the September 23, 2013 deadline did not merely involve countless debates and meetings, as I previously wrote. In fact, there was quite a bit of heated argument and infighting amongst frustrated Merus staff, including our president and Principal Engineer, Johnny Fuery. Not that I underestimated the magnitude and the importance of complying with the Final Rule, but I was fairly naive in thinking that the process wasn't going to be quite as difficult or painful as it turned out to be. After all, armed with the best and brightest engineering team, how hard could it be?

Well, it was hard. More than anything, it was excruciatingly time consuming. Most of our engineers already work at least 10-hour days, and Johnny works at least 14-hour days, including weekends. (Note to self: never start a business that requires providing round-the-clock service.) Nicky, one of our head engineers, conducted a rigorous risk analysis of our internal infrastructure, which included taking a complete inventory of all technical devices that transmit, store, or receive protected health information (PHI), an analysis of the physical layout of our office and each workstation, and a review of the role of each employee at Merus to determine their required or permitted level of access to PHI. From the data derived from the risk analysis, the engineering team identified the risks and vulnerabilities, both those already present and those that could potentially pose a risk of violating HIPAA.

Next, we needed to adequately address the identified risks and vulnerabilities with a comprehensive risk management plan. From the Final Rule, it was clear what was absolutely required by the deadline. What we debated the most was what to do with the “addressable” issues. Do we buy cable locks and physically bolt down each computer to its workstation by drilling holes into our brand new, recently bought office desks? Do we go the extra mile by purchasing the latest Windows 8 with BitLocker encryption, even though the potential for a breach of PHI within Merus was minute at best? We ended up doing both and a lot more, and that is how we treated every “addressable” implementation specification under the Final Rule. Rather than coming from a place of “it’s good enough,” our overworked engineering team and the entire Merus staff went above and beyond what was statutorily required.

I can’t reiterate enough how much time and how many resources it took to become HIPAA compliant by the deadline, but it was so worth it. For one, I know that no one on our engineering team ever wants to work that hard again or revisit unfinished HIPAA business. Also, providing peace of mind to our clients who are business associates of covered entities is a priceless thing. A couple of weeks ago, we had an onsite audit by our soon-to-be business partners, who are business associates of covered entities such as Aetna, Blue Cross and Kaiser. Not only were we prepared to demonstrate our compliance under the Final Rule, but we approached the audit with complete transparency and showed them everything “under the hood,” so to speak. We further put them at ease by providing them with Merus’ “End of Life Mitigation Plan” and Disaster Recovery Plan. This brings me to note that, as of late, Johnny has been getting this question fairly frequently: “what happens to our stuff if you get run over by a bus?” More on that next time…


Written by Sooah Sohr, General Counsel at MerusCase
Posted by MerusCase on Monday November 11, 2013

Labels: HIPAA
