Vendors and HIPAA

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure

An important part of establishing strong security for an organization rests with how it interacts with its vendors. The creation of a chain of entities creating, interacting with, storing, or otherwise handling sensitive patient information starts at the top, but can easily and frequently go down many layers. Given the layered approach, every time an organization introduces a new sublayer that organization must keep security as a forefront consideration. The risks associated with vendors not appropriately deploying security measures can be seen with the increasing number of data breaches resulting from an issue at the vendor level. Given that reality, what should or should not happen at each vendor level?

Do: Incorporate Security Into All Operations

Security cannot happen overnight. It should be incorporated into development and operations from the beginning. Making security a fundamental component of operations helps drive awareness of the requirements as well as attention to detail.

While it is important to incorporate security, it is also necessary to consider the security parameters being implemented. For example, just putting basic measures into place that are not industry standard or updated are not sufficient. The security measures should look to best practices and consider new developments to avoid missing evolving threats. One example could be reviewing standards or guidance published by the National Institute of Standards and Technology (NIST). NIST is often cited as providing best practices that can help make a compromise of a system as difficult as possible.

If security is made a basic part of an organization’s culture, then everyone within the organization begins to feel empowered to raise a concern if any potential issue could arise or if any problem is identified. Additionally, empowering all individuals to be cognizant of security issues can be expected to be strengthen overall operations of an organization.

Further, addressing security upfront prepares an organization to satisfy the security requirements contained in the HIPAA security rule. As already suggested, an organization should look to industry standards and/or best practices. Putting those measures into place will help an organization be above and beyond the baseline requirements contained in HIPAA. As a quick reminder, the Security Rule under HIPAA can provide a solid foundation for good security, but just following HIPAA alone will not result in best protections. However, if an organization is playing in healthcare, skipping the basics called for by HIPAA cannot be avoided.

Don’t: Ask the Entity Engaging the Vendor to Explain HIPAA

While HIPAA can be viewed as a little difficult to understand or follow all of its nuances, an entity should not seek to have the party contracting for its services explain the requirements. Putting a query like that on the table demonstrates a clear lack of understanding and an argument that the organization should be better prepared before seeking to get into the healthcare industry.

While it is acceptable and understandable to not be entirely clear on the requirements of complying with HIPAA, then an organization should obtain outside help to implement a compliance program. Trying to push that obligation onto the entity paying for a service will engender puzzlement at best and could result in a service not being utilized. At the same time, if that sort of query is presented, then the contracting party should also reconsider use of the particular vendor or ensure that no information subject to HIPAA flows through the service provided by the vendor. Both are valid options, but underscores the need to thoroughly vet a vendor and be clear on how the vendor’s services will be used. Not being clear on expectations and requirements upfront can lead to compliance problems quite quickly.

Do: Take Time to Become HIPAA Educated

As already suggested, security starts with knowing applicable requirements. Compliance is impossible if understanding is missing. That means seeking and obtaining assistance from appropriate resources. An appropriate resource, as already discussed, is not the entity contracting for an organziation’s services. A good resource can be a healthcare attorney, compliance consultant, or anyone else with a solid grounding in HIPAA. Finding a consultant who knows HIPAA can help improve compliance by the organization.

Part of the compliance plan and education about HIPAA (which is necessary under the regulations) is to continually educate everyone within the vendor. Annual training is an element called for by HIPAA, but sending out ongoing informational pieces is also part of the education process. When awareness about HIPAA is embedded so much into operations, then it spurs a circular beneficial process that enhances overall security.

Once an organization is educated about HIPAA, then additional opportunities can also be found for advancement. Removing the mystery also reduces the level of scariness about HIPAA. By getting past the misinformation or knee-jerk reactions concerning HIPAA, then operations can be enhanced or new services provided. Knowing what is possible can facilitate clearer discussions and keep everyone on the same page.

Don’t: Claim a Product or Service is HIPAA Certified

If an organization claims it and/or its service or product is HIPAA certified, then some of the steps (mostly education about HIPAA) are clearly missing. Let’s get the basic statement out of the way first: no HIPAA certification exists. Neither the regulations nor the Office for Civil Rights has or recognizes certification. Any organization trying to claim it is certified as HIPAA compliant is creating a smokescreen. While an outside company can audit the scope of compliance, any certification is not official recognition of compliance. The outside certification is only that a third party is making a statement about the scope of compliance.

Diving a little deeper, it is also important to avoid claiming a product or service in and of itself is certified because it is entire entities that need to comply. Appropriately developing and configuring a product or service is part of demonstrating compliance, but the product or service does not standalone.

Ask Questions and Do Diligence

Before any engagement occurs, both sides should feel free to ask questions about the scope of compliance or practices. Since sensitive information is often flowing between the organizations in healthcare, it is more than justifiable to get comfortable upfront. If an organization does not want to answer questions or be clear about how it will protect or respect information, then that should likely be seen as a red flag. When it comes to HIPAA, introducing unnecessary complexity or advancing a misunderstanding is not helpful. Instead, be clear and get good information. That will help everyone in the end.

This article was originally published on The Pulse blog and is republished here with permission.