Is SharePoint HIPAA Compliant?
The protection of privacy has long been at the heart of regulations that govern the storage and security of sensitive data, like protected health information (PHI). Patient privacy is compromised when organizations fail to properly secure records containing PHI, as well as the applications and systems that store them. This is precisely what the Security and Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) are designed to address.
HIPAA non-compliance is now a boardroom discussion, as recent rulings from U.S. regulatory agencies have held organizations – and their leadership – accountable for poor information security practices, including employee mishandling of sensitive data. At a time when 70% of healthcare organizations believe that employee negligence is their biggest security threat, IT, security, compliance, and legal staff should recognize that good compliance can come from good security – but not the other way around. [1]
In an age of increasing regulatory scrutiny, simply having written security policies and compliance checklists is no longer sufficient to withstand an audit. Healthcare organizations must also deploy effective security tools to safeguard corporate networks and systems, while demonstrating that information governance policies have been implemented in the form of technical controls at the application level.
Likewise, ordinary end users must be routinely trained on how to safely use IT applications so security measures don’t interfere with their ability to carry out their job responsibilities. Such security layers are necessary for an organization to properly safeguard its environment. Without them, compliance policies intended to govern how users access, store, and share sensitive data cannot be enforced.
HIPAA: Phase 2 of Office of Civil Rights (OCR) audits
In the United States, Phase 2 of the OCR HIPAA Audit Program is in full swing. Unlike previous rounds, audits are focusing on organizational practices and protocols that address the risk of data compromise. This is an important distinction, as the risk scope in Phase 2 will force organizations to critically evaluate security practices and protocols that likely need updates.
While OCR will only conduct a few onsite audits during Phase 2, all corporate legal and IT teams should pay close attention to the practices that resulted in some of the largest HIPAA compliance fines in 2016:
- Just this August, Advocate Health Care Network agreed to the largest-ever settlement against a single entity for multiple potential HIPAA violations that exposed the protected health information of millions of patients.
- Earlier this year, the Feinstein Institute settled for $3.9 million after OCR found its security management process was limited in scope, incomplete and insufficient, putting the ePHI of about 13,000 patients at risk.
- In July, Oregon Health & Science University (OHSU) agreed to a $2.7 million settlement to resolve OCR’s claims of "widespread and diverse" HIPAA noncompliance – which included a self-reported incident resulting in the unauthorized storage of PHI of over 3,000 individuals in the Google Drive platform.
OCR auditors are paying close attention to how business associates (consultants, contractors and other third parties) interact with sensitive or confidential healthcare data. For example: imagine an employee working on a project with a contractor who doesn’t have access to the organization’s SharePoint. In a well-intentioned effort to be productive, that employee might email a document containing personal health information (PHI) to the contractor as a workaround, or share that data through their own personal Google Drive or Dropbox account. As the OHSU incident demonstrates, this is precisely the type of practice that is drawing increasing regulatory scrutiny and determinations of liability.
Federal Trade Commission decision highlights corporate liability
In addition to the OCR, the Federal Trade Commission (FTC) has emerged as a major player in the ongoing regulatory crackdown. Last month, the FTC reached a widely publicized decision in its ongoing case against LabMD, and ultimately found that the organization’s data security practices (or lack thereof) were fair game when assessing liability under Section 5 of the FTC Act, the statute governing consumer protection in the United States.
The FTC originally brought a case against LabMD following two separate breach incidents, which resulted in the exposure of sensitive consumer data of 10,000 individuals. In a unanimous ruling, the commission found fault with LabMD’s information security practices, and specifically, how the company “lack[ed] even the basic precautions to protect the sensitive consumer information maintained on its computer system.” The FTC ordered LabMD to adopt an organizational information security program and undergo frequent information security assessments from third parties.
The LabMD decision is important because it demonstrates a renewed regulatory focus on the relationship between an organization’s information security practices and corporate liability in the event of a data breach or sensitive data exposure.
The Commission found that LabMD could have taken many preventive steps prior to the breach occurring. Two findings from the Commission’s unanimous opinion are noteworthy and have direct relevance to any IT Administrator who manages applications that house personally identifiable information (PII) or PHI. The Commission noted that:
- LabMD could have “limited employees’ access to only the types of personal information that they needed to perform their jobs at relatively low cost.”
- The company could have “purged the personal information of consumers for whom it never performed testing at relatively low cost.”
In other words, the company had many opportunities to deploy technical controls that restricted PII access to authorized individuals only, and it could have deleted any irrelevant and unnecessary PII from its databases.
As the FTC ruling shows, demonstrating HIPAA compliance at the application level involves discovering and monitoring content repositories that contain electronic personal health information (ePHI). As an additional preventive security practice, an organization should routinely audit activity and access associated with known PHI sites, so if anomalies are present, corrective steps can be taken. For regulators, good security is good compliance.
Healthcare content in SharePoint
Many healthcare organizations have deployed enterprise collaboration platforms like SharePoint for workforce collaboration and document management.
Employees and contractors use these platforms on a daily basis, and regularly access:
- Patients' ePHI
- Clinical trial information
- Merger and acquisition activity
- Confidential business and financial information
- Employee Human Resources records
It is critical for healthcare organizations to understand how employees are accessing, managing and sharing sensitive content on SharePoint.
Putting the right security and governance protocols in place not only helps IT leadership maintain security oversight, but also helps limit corporate liability in the event of data exposure.
If your healthcare organization is using SharePoint to store and share sensitive content, there is a high chance that employee behavior is putting your data at risk. SharePoint’s out-of-the-box capabilities to keep sensitive content safe are limited and may not mitigate your risk of regulatory fines.
[1] Ponemon's Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data report.