In the second episode of a special series focused on privacy, Swathi West, healthcare compliance and privacy manager, explains the different assessments and frameworks that can help organizations achieve compliance with privacy regulations. She also discusses how to add privacy controls into various assessments, including SOC 2.
[00:00:00] Claire McKenna: Hello everyone, and welcome to today’s episode of cyBARR Chats. This is the second episode in our special series focused on privacy, and today we’re joined by Swathi West, healthcare and compliance manager, to discuss how to add privacy to your assessment. So Swathi, my first question for you is: what is the difference between privacy and security, and how is that difference reflected when it comes to an assessment?
[00:00:27] Swathi West: Great question, Claire. People often mistakenly think privacy and security are the same. While they’re closely related, they mean different things. The definition of privacy is the state or condition of being free from being observed or disturbed by other people. To keep it simple for our purposes, it’s helpful to think of privacy as the rights you have to control your personal information and how it’s used. Security, on the other side, is protection from, or resilience against, potential harm caused by others, and it also refers to how your data is protected.

On the assessment side of things, let’s take HIPAA as an example. The HIPAA Security Rule is different from the HIPAA Privacy Rule, even though they both regulate the use or exchange of protected health information, which is often called PHI. There are various differences. Under HIPAA, the Security Rule applies to health plans, healthcare clearinghouses, and to healthcare providers who transmit health information in electronic form, which under HIPAA might be the covered entities or sometimes the business associates. But the Privacy Rule not only applies to health plans or healthcare clearinghouses, but also to any healthcare provider who transmits health information. So it’s not just covered entities or business associates; it is all the healthcare providers.

Another big difference is that the Security Rule only applies to electronic protected health information, sometimes called ePHI, that is stored in, maybe, your computers or in the cloud, transmitted over the internet, and sometimes downloaded onto your local drive or a USB. But the Security Rule is not applicable to other forms. So if you think about a video recording, or a message about your health information on your answering machine, or any printed protected health information, that is not covered by the Security Rule. In contrast, the Privacy Rule applies to protected health information of a patient in general, not just electronic: any type of protected health information of a patient, it can be paper or other forms. So you see there are some differences between security and privacy, for sure.
[00:02:52] Claire McKenna: Thank you for that clarification. That was really helpful, especially with an example. So my next question is: what assessments or frameworks exist to help organizations comply with privacy regulations?
[00:03:04] Swathi West: There are a number of assessments with privacy mappings that we can do today to help organizations comply with privacy regulations. Some of these assessments vary by industry, right? Specific assessments are better suited for financial information or healthcare industries that might have more privacy regulations. For the majority of organizations, ISO is a great choice to comply with privacy regulations. ISO 27701 is the latest standard in the ISO 27000 series and specifically addresses what an organization must do when implementing a privacy information management system. This is essentially adding privacy processing controls to an already existing standard of information security. So that’s the closest that we can get with GDPR compliance today, and I can perform that assessment today. We can also perform risk assessments over GDPR compliance, and also the EU Cloud Code of Conduct for cloud service providers. That’s something we can also provide in regards to privacy compliance.

We can also perform an audit on the SOC 2 privacy principle, which, if you’re aware, is one of the five trust services principles that we have today, put forth by the American Institute of Certified Public Accountants (AICPA) within the SOC 2 reporting framework. So that can be one option in regards to privacy. And as we discussed earlier, we can also perform assessments on the HIPAA Privacy Rule and the Security Rule. Another notable one, which I think not many people know about in regards to privacy certification, is the APEC certification, that is, Asia-Pacific Economic Cooperation. APEC designed this APEC privacy framework to provide an accountable approach to managing data privacy protection and the data flow of personal information across borders. So that’s another notable privacy certification that organizations can get.
[00:05:12] Claire McKenna: Definitely a lot of different frameworks out there for privacy. Honing in a little bit, could you expand on how to add privacy controls into something like a SOC 2 audit?
[00:05:24] Swathi West: Yeah. Like I mentioned, we can do that today. It’s possible to add the privacy criteria to the SOC 2 audit, but it’s also important to understand that the privacy criteria, like we mentioned, are different from security, right? It incorporates another eight different categories into the requirement. That includes notice; choice and consent; collection; use, retention, and disposal; access; disclosure and notification; quality; and also monitoring and enforcement. These words are kind of similar to GDPR that we see a little bit. So each of these categories helps organizations provide their customers and partners with the confidence that their personal data is protected within the organization, with that collection, consent, and disclosure and all that information. So yeah, definitely we can add on to it, but it’s important to understand what requirements are part of the SOC 2 privacy criteria.
[00:06:21] Claire McKenna: Thank you. Switching gears a little bit. You mentioned we can perform an assessment on GDPR compliance. So is there a specific certification organizations can get for GDPR compliance, and if not, why not?
[00:06:35] Swathi West: That’s always a great question, and everyone asks the same question: can we just get a GDPR certification? There’s no GDPR certification that’s out in the world yet, but there’s not just one framework that addresses GDPR, which kind of makes compliance a little bit tricky. But as I mentioned, ISO is the global framework, and the controls can get organizations a little bit close to GDPR compliance. We also help organizations today with performing the Microsoft data protection assessment, which is the DPR, that’s what it’s called in the world, which Microsoft requires their suppliers to adhere to and undergo an assessment for, and it has a number of privacy components that closely resemble GDPR as well. So with ISO, and also the Microsoft DPR, there is another great framework out in the world to get close to GDPR compliance. And like I mentioned, BARR offers both of these assessments. So if you have any questions about any assessments or anything that’s mentioned, in regards to APEC or any other frameworks, please contact us or let us know and we can help you out.
[00:07:49] Claire McKenna: Great. So we’re talking about all of these different frameworks. Is there one specific framework you might tend to recommend for organizations that would want to assess their privacy practice?
[00:08:00] Swathi West: I know, wouldn’t that be easy, to just have one one-size-fits-all compliance framework that addresses all the regulations? But unfortunately, like I mentioned, we have different frameworks. One might work better than the other for different organizations, based on their needs. So, for example, a client with healthcare products may choose HITRUST with HIPAA mapping, or if you’re working with California residents, CCPA might be an option that you want to think about. So when it comes to compliance frameworks, the best thing an organization can do is get started: take a framework and just stick with it. When organizations try to meet every framework, like, “Hey, this looks good and this looks good,” GDPR or CCPA, it just becomes unnecessarily complicated. So at an early stage, I think just picking that one framework and sticking with it would be a great recommendation from us.
[00:08:57] Claire McKenna: Great. So I have one last question for you, Swathi. What are the best practices an organization can implement to ensure a smooth audit process, especially when it comes to privacy?
[00:09:09] Swathi West: Like I mentioned, any privacy assessment or audit will examine your organization’s privacy protection policies and procedures, right? So for every audit, that’s where we come in: we want to make sure you have the policies and procedures, and that’s what we’re going to audit against. For example, for privacy, that includes what information you’re collecting, where it’s stored, and how it’s managed, specifically in light of the laws and regulations that you have to comply with. We want to make sure you have policies and procedures. So that’s the first step when you’re thinking about a privacy audit: make sure you have those policies and procedures that you need to comply with that specific framework.

Another tip I would say is definitely discuss with your operations and legal teams to understand what regulations you need to comply with, or have to abide by, depending on where you do. Like we discussed earlier in previous chats too, it is important to understand which regulations an organization should comply with. That’s the first good step, right? So, for example, if they’re collecting and processing personal information of individuals who live in the EU, or you’re collecting EU resident information, you have to comply with GDPR. In the same way, if your business serves California residents in the US, and you meet one or more of the three requirements that the CCPA, the California Consumer Privacy Act, calls for, you are required to comply with CCPA.

So it’s always important to understand, even if you are not collecting or processing personal information of individuals in the EU or California, for example, or other countries: do you have plans to do so, or where are you heading towards? So you’re not collecting today, but is it part of your operations plan to go towards the EU, or do operations in European Union related countries, or anything like that? So make sure you’re aware of where your next step is or where you’re heading, because it’s not just California, for example, in the States, right? Even today, Nevada has already enacted a state data privacy law similar to the EU General Data Protection Regulation that we see today, and New York and Florida are other states that are not far behind in complying with or proposing legislation for national data privacy protection in the US. So it’s not just California or GDPR now; all the other states are trying to implement these privacy laws. So early on in the process, please reach out to your internal partners, as well as partners like BARR, to help answer your questions regarding your privacy regulations or compliance frameworks. We’re here to help achieve your compliance needs if you have any questions.
[00:12:08] Claire McKenna: Awesome. Thank you so much for that answer, Swathi. It really sounds like BARR can help all these organizations be future ready. So that was my last question. Thank you for sharing all of this information with us on how to add privacy to existing assessments and how organizations can leverage BARR to help them do so. And thank you everyone for tuning in. We look forward to seeing everyone next time on cyBARR Chats. Thank you.