Traction on Demand becomes HIPAA compliant
You would never drive a car without insurance (right?) but would you ever consider hiring a system integrator (SI) that wasn’t HIPAA compliant? Without this kind of security, you could end up in a lot of trouble if there’s ever a data breach.
HIPAA—the Health Insurance Portability and Accountability Act—was passed by US Congress in 1996. It’s the federal regulatory law that governs sensitive health data. As Jim Rogers, Vice President of Healthcare Solutions at Traction on Demand (ToD), explains, “Healthcare organizations in the US are covered entities that are bound to certain security rules because they handle personal health info.” This means that ToD, as a HIPAA compliant SI vendor, can sign a business associate agreement with an organization and take on the various risks that come with handling sensitive data.
Even though HIPAA refers specifically to the health sector, any organization that works with a HIPAA compliant SI partner benefits from the added measures put in place to ensure data security.
“Surprisingly, not all SIs that work with healthcare organizations are HIPAA compliant. Not even the big ones.”
It’s hard to understand why healthcare organizations would ever consider partnering with an SI that wasn’t HIPAA compliant. Unfortunately, it can boil down to ignorance, according to Jim. In the same way we think about any type of insurance—like adding a protection plan to your new vacuum—we may briefly think about the associated risks but ultimately decline the highest level of security. “People think nothing’s going to happen, and no one cares until it does,” says Jim.
An almost HIPAA compliant SI partner is not good enough
An SI may be near HIPAA compliant, and this may feel good enough for both them and their partner health organization, but ultimately it’s not. According to Jim, “Most partners don’t go through this level of scrutiny. They might set up some general security rules but becoming HIPAA compliant can be an 18-month process that can get very expensive.” He adds that vendors don’t have to be HIPAA compliant by law, but they’re putting themselves at risk if they aren’t.
As for ToD, “We’re separating customers’ data from each other and minimizing our exposure to any type of data leak. We’ve had to prove it to auditors, and we’ll be audited every year. We had a 100 per cent clean report. It’s rare to have no gaps in data security,” says Mike LaVigne, Chief Technology Officer at ToD.
Getting to the guts of our data: cybersecurity deep dive
ToD was audited by Coalfire, an independent cyber risk management advisor.
“We already had strict cybersecurity measures in place, so we didn’t have to make any major changes,” says Chris Peacock, Chief Marketing Officer at ToD. In fact, we got through the HIPAA compliance process in half the suggested time. “For Traction, it was more about demonstrating compliance rather than becoming compliant,” says Chris.
Jim explains how we demonstrated our cybersecurity measures to the experts at Coalfire. “They came in and we opened every data and technical element within our organization. They told us whether those elements were secure or not and whether they would meet the HIPAA compliance criteria,” he says. And when he says every element in our organization, he means it. “The HIPAA compliance process touched every area of the business—IT, consulting, HR, shared services, finance, legal, even sales. The result affects everyone on the team, even those who are never going to work with client data,” echoes Chris.
Not in healthcare? You’ll still benefit from a HIPAA compliant partner
The new or updated processes and technologies we put in place to become HIPAA compliant will benefit all of our customers, not just those in healthcare. “Being a HIPAA compliant partner demonstrates our commitment to being able to service the Health and Life Sciences segment in North America. It demonstrates our commitment to maintain security and compliance levels that are the best in the world,” says Nara Henderson, Senior VP of Business Development at ToD.
“We take data security seriously across the board, regardless of whether the customer is a tiny dog-walking company or a multinational organization. We treat and protect all personal data in the same way,” says Mike. In this way, it is definitely hip to be HIPAA compliant (hey, someone had to say it). Then, if something still goes wrong, you can go to bed knowing you’ve done everything you could possibly do.