By Tim Mullahy
It’s not always easy to determine an organization’s level of compliance with HIPAA at a glance. Thing is, whether they’re a software vendor or simply a service provider, every party your healthcare practice works with needs to be compliant. Here are a few questions you can ask to determine if they are – or if you should simply walk away.
In a hyperconnected world, internal security isn’t the only thing that matters. Even a small organization might be part of a web of vendors, contractors, and business partners. Any of those organizations could be a weak link, a target that puts everyone else at risk. Where Protected Health Information is concerned, that’s unacceptable.
It’s why HIPAA requires that every organization dealing with PHI – whether they’re a covered entity or a business associate – remain in full compliance. Sure, it makes things a little challenging when it comes to choosing a new software vendor or establishing a new business partnership. But it’s a necessary evil.
To that end, it’s your organization’s responsibility to perform a thorough analysis of each vendor it shortlists. Here are a few questions you can ask as part of that analysis.
1. What Security Controls Do You Have In Place?
The first thing you need to establish is whether your prospective vendor has taken all the necessary steps not only to keep your PHI safe but to protect it in accordance with HIPAA. All electronic health records should be readily available to those who need them to do their jobs, but access should otherwise be strictly controlled. There should be multiple layers of security in place to guard against unauthorized parties, and all access must be logged.
Physical safeguards are also a necessity, including workstation and device protection. There also must be procedures and protocols in place to ensure the proper management of all PHI. These policies should establish permissible use and acceptable disclosure of all PHI, in addition to your vendor’s disaster response plan – we’ll discuss the latter in a moment.
Finally, healthcare data should be backed up on an encrypted server to ensure both its safety and integrity. It’s all there in the HIPAA Security Rule – a rule with which any vendor worth their salt should be familiar.
2. Have You Been Audited Against OCR’s HIPAA Audit Protocol?
Speaking of HIPAA compliance, covered entities and business associates alike should regularly submit to an independent audit. Ideally, they should also be willing to provide you with the details of said audit. Mind you, if a vendor hasn’t been audited, that doesn’t mean they aren’t compliant – just make sure they’re willing to allow a third-party audit of their systems, processes, and data.
If a vendor refuses to submit to an audit or simply changes the subject, don’t work with them. Just walk away. They aren’t worth the headache they’ll cause for you.
3. What Are Your Disaster Policies and Procedures?
In addition to physical safeguards and software controls, HIPAA's Security Rule requires comprehensive backup, disaster recovery, and emergency mode operation plans. Your vendor needs policies in place that establish how it will respond to a wide range of emergencies such as fires, floods, hardware failure, natural disasters, and cyberattacks. These plans must clearly lay out how the vendor will maintain the integrity of PHI during an emergency scenario.
More importantly, they must establish who is responsible for everything from communication to restoring downed systems after an emergency passes.
4. Which Specific Services Of Yours Are HIPAA Compliant?
Compliance is a complex beast. Many vendors offer a range of different services and work with businesses that span multiple industries. What that means is that not all of their offerings are HIPAA compliant (nor do they need to be).
It’s therefore important that you establish up-front which of the vendor’s products and services meet HIPAA’s standards. Make sure these align with the services you require. If they don’t, check with the vendor to see if they would be willing to custom-build a compliant system for your organization.
5. How Do You Approach Security With Business Associates and Subcontractors?
One of the most frequently overlooked aspects of HIPAA compliance involves third-party organizations. Unfortunately, it's also one of the areas regulators and auditors focus on most. In the interest of due diligence, you need to ask a prospective vendor about their business associates, their subcontractors, and the subcontractors of their business associates.
They should be able to list off every single one. More importantly, if any of those partners so much as touch PHI, the vendor should have a signed business associate agreement (BAA) with them. It may seem a bit draconian at first glance, but many organizations have been breached due to lax security at one of their partners or contractors.
6. Do You Have A Business Associate Agreement?
Speaking of a BAA, ask your vendor about theirs. Granted, you likely already have your own drafted up. And if you don’t, you should.
Why ask then? Simple – to see how conscientious a prospective vendor is. A good vendor will have a well thought-out, thorough BAA that establishes everything about their relationship with anyone who signs it, including their responsibilities concerning PHI.
7. How Do You Handle Employee Training?
As you well know, the most secure system in the world is functionally useless if it’s placed in the hands of someone who’s either ignorant or poorly trained. For this reason, it’s important to ask up-front if a prospective vendor trains their employees in HIPAA compliance. Each staff member should have knowledge of HIPAA security policies, access controls, reporting, data protection, and all other relevant processes.
While you’re on the topic, you might also bring up whether or not the vendor is willing to offer your staff training on how to use its solution. Not every platform is easy to use for a newcomer, after all. The more you can do to get your own staff over the learning curve for your software, the better.
8. Do You Have Any References You Can Provide Me?
Last but certainly not least, check with your prospective vendor to see if they can provide you with references or recommendations from past clients. Pay particular attention to practices similar in size or nature to your own. And if all else fails, review websites do exist.
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry