HIPAA Compliance at Informatica
Informatica has achieved, and had independently validated, compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the current suite of iPaaS products. HIPAA addresses the use and disclosure of individuals' health information, called protected health information (PHI), by the organizations subject to the Privacy Rule, called covered entities, and it sets standards for the rights of individuals to understand and control how their health information is used. A business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Typical business associate functions or activities include claims processing, data analysis or aggregation, utilization review, and billing. Informatica is a business associate for several of our customers in the healthcare industry, and we have Business Associate Agreements (BAAs) in place with many of those customers.
One of the goals of the HIPAA legislation was to move the processing of medical records from paper to electronic systems, which made the security and privacy of that data a primary concern. The HIPAA Security Rule (45 CFR 164.306(a)) requires covered entities and business associates to do the following:
• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
• Ensure compliance with the Security Rule by its workforce.
So, when Informatica made the strategic decision to deliver our products as iPaaS offerings under a subscription revenue model, and at the same time to sell those products into the healthcare vertical market (among others), we wanted to be sure that all of our corporate business processes (product development, IT operations, human resources, legal, sales, customer support and professional services) were executed in a way that meets or exceeds these HIPAA requirements at all times. The question that logically followed was: how would we prove to our customers and prospects, over time, that we do in fact consistently meet those requirements?
It is worth noting that, unlike some other regulatory standards, HIPAA defines no formal certification process, and HHS does not certify any person or product as "HIPAA compliant". In practice this means that each covered entity or business associate decides for itself what it says to its customers (and the public) about its compliance status; a claim of HIPAA compliance is therefore a self-assertion rather than a credential, which is why independent validation matters. Within the United States Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is responsible for implementing and enforcing HIPAA through voluntary compliance activities and civil money penalties. OCR does this largely through audits, which are by nature point-in-time observations of the controls a given entity has in place and operating. And since even government resources are limited, those audits can reach only a small percentage of the entities subject to the legislation.
At Informatica we defined and implemented a multi-step approach to ensuring compliance with all of the relevant controls. We started with a self-assessment to determine which of the controls had already been implemented (at least to some extent). We leveraged our Governance, Risk and Compliance (GRC) tool, which had all of the controls pre-populated, and assigned each individual control to the team(s) that we thought were most likely to be responsible for implementing and maintaining it. Each team was then asked to review each of its controls and answer the following:
• Is your team reasonably responsible for the implementation and maintenance of this control? If not, can you suggest a team that is more likely to be responsible?
• Has the control been completely implemented? If so, provide the documentation that substantiates that claim.
• Has the control been partially implemented, or not implemented at all? If partially implemented, provide the documentation substantiating the parts that are in place; in either case, propose a plan and timeframe for completing the implementation.
Based on these initial responses we worked with each team over the course of several months in 2015 to complete the control implementation and to gather the evidence of completion in our documentation repository. The next step was to engage an independent third party (Schellman and Associates) to validate the work we had completed. As part of our SOC 2 attestation effort, we asked the same firm to also validate the extent to which we had implemented all of the HIPAA controls. The Schellman team reviewed all of the evidence we had gathered and documented their results in an Independent Practitioner's Report on the Informatica information security program as it relates to HIPAA and HITECH. The final report was issued in January 2016. Its scope includes the individual iPaaS products that currently run in our cloud hosting environment, not only the corporate-level controls; scoping the report down to the products themselves is an important step that is not always taken. The final report is unqualified, that is to say, every required control was validated as meeting the requirements.
The HIPAA report can be made available to customers and other external parties with whom a Non-Disclosure Agreement is in place. Please contact the IT Compliance team (DL: ITCompliance) for copies of the report or for additional information.