Consider the following scenario: you are the Chief Information Security Officer (CISO) of a large research university hospital system, with more than ten years of experience handling protected health information (PHI) under two sets of conditions:
The HIPAA Privacy Rule: “safeguarding the kind of data as it is conveyed.”
The HIPAA Security Rule: “protecting the security of the data.”
The research division is competing for a multi-million dollar, multi-year Department of Defense (DoD) contract to explore a breakthrough medical technology. The project requires clinical studies involving patients to determine the technology’s effect on humans.
The vice president of research approaches you and the Chief Compliance Officer (CCO) with a request to assess the compliance criteria in the RFP and verify that the organization is ready to meet them.
You may suspect that the facility must comply with both the CMMC requirements for government contracting and the HIPAA regulations. If that is what you are thinking, you are right. But why should you care, and how do you connect the two?
Why Should Healthcare Be Concerned With CMMC?
Controlled Unclassified Information (CUI) is being targeted by adversaries across all 16 of the country’s critical infrastructure sectors, especially the Defense Industrial Base (DIB) and the Healthcare and Public Health sectors.
In most situations, healthcare organizations holding DoD agreements must achieve CMMC certification, because DoD contracts under the CMMC framework require CUI protection. If PHI is involved, it must be protected under both the CMMC framework and the HIPAA Privacy and Security Rules, since the PHI carries over into the contract’s CUI.
So, where does this apply? A typical case is a Department of Defense contract for medical research or clinical trial support.
The PHI and CUI Convergence
Under a DoD contract, the majority of healthcare data is CUI. However, HIPAA compliance is still required. Healthcare is already preoccupied with HIPAA compliance; now it must also grasp the combined HIPAA and CMMC obligations. DoD agreements with healthcare organizations may require CUI to be protected, which creates a direct linkage between PHI and CUI.
The Defense Health Agency (DHA), for example, issued an RFP that was initially part of the Department of Defense’s Pathfinder initiative, giving vendors the chance to be among the first to receive DFARS/CMMC certification. The contract involved both PHI (as a healthcare practitioner) and CUI (as a consumer), with PHI being treated as CUI.
It is critical to determine how PHI and CUI connect. How does a Department of Defense contractor work out this complicated mapping?
The National Archives and Records Administration (NARA) maintains the national CUI Registry, which catalogs CUI categories for numerous industries. As shown in the table, the Privacy category of CUI (left red box) maps to two healthcare components with sub-categories; PHI corresponds to those entries in the CUI Registry.
Why is HIPAA Compliance insufficient for DoD Contracts?
Both CMMC and HIPAA build their methodology on balancing the confidentiality, integrity, and availability of CUI and PHI respectively.
The confidentiality of CUI is the central concern of CMMC. To reduce the likelihood and impact of unauthorized release or compromise of CUI across the defense supply chain, CMMC makes compliance mandatory.
HIPAA applies to a defined set of organizations in a single industry. One of the most significant distinctions is that, unlike CMMC, HIPAA has no mandatory certification program.
Under CMMC, healthcare providers must be certified before a DoD contract can be awarded. Under HIPAA, healthcare providers with DoD contracts face penalties only after a PHI breach has occurred.
Handling CUI requires safeguarding and dissemination procedures consistent with applicable laws, regulations, and federal policy. Because CUI and PHI overlap, healthcare providers under a DoD contract are responsible for complying with both CMMC and HIPAA. Meeting compliance standards on the front end (CMMC) while also facing “back end consequences” (HIPAA) can be daunting for healthcare providers juggling different compliance frameworks and regulatory requirements.