Medicare Compliance & Reimbursement

HIPAA Compliance:

Verify Your Vendor’s Compliance Background Up Front

Ask these 5 questions to gauge your vendors’ HIPAA security knowledge.

If you’re in the market for a new cloud or EHR vendor, you may want to investigate their views on the HIPAA Security Rule before you sign any contracts — especially if they guarantee their products are “HIPAA certified” or “HIPAA compliant.”

Why? Simply put, you cannot buy HIPAA compliance. And, when a firm makes unsubstantiated claims promising such things, you should probably investigate further and look into other IT options.

Background: Many third-party vendors say that their products or tools are “HIPAA compliant,” but the Department of Health and Human Services (HHS) and its auxiliary agencies don’t certify or validate health IT products as HIPAA compliant.

“HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation,” HHS Office for Civil Rights (OCR) guidance says.

Figure Out How Your IT Vendors Address HIPAA

As a covered entity (CE), you should protect your practice by thoroughly vetting your business associates (BAs) and third-party vendors before you enter into any kind of business arrangement with them. This might involve a standardized in-house review, created by your practice, to test their knowledge of the HIPAA basics, followed by a more comprehensive investigation of your partners’ compliance practices, breach history, and incident response protocols.

Why? As required by HIPAA, CEs — as well as BAs — must secure patients’ protected health information (PHI), and they “would be wise to use caution in evaluating companies that promise ‘HIPAA compliance,’” advises attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida.

You may be inclined to gravitate to vendors that promise their products or services are entirely HIPAA compliant or come with certifications, but be wary of these assurances, Hartsfield says. “A lot of customers want to see that characterization, and companies selling their services want to provide it. In my view, because HIPAA compliance is an ongoing process, it would be wise to avoid making representations that attempt to ensure 100 percent compliance,” she advises.

Advertisements that claim products are “HIPAA compliant” or “HIPAA certified” should always be questioned.

“If a healthcare provider is evaluating a company that says they’re ‘HIPAA compliant,’ it would be important to try to get a full understanding of what the vendor means by that,” Hartsfield says. “And if a vendor says it’s ‘HIPPA compliant,’ you may need to run the other way,” she exclaims. “Misspelling HIPAA can be a real red flag.”

Tip: Before you sign on the dotted line, you should consider asking your BAs and vendors these five simple HIPAA-related questions:

  1. Are you familiar with the HIPAA Security Rule and all that it entails in regard to IT, ePHI, and patient safety on the part of the business associate?
  2. What tactics do you employ to diminish the chance of HIPAA security violations?
  3. What kind of HIPAA compliance training do your employees receive and is it updated and reinforced?
  4. Has your company ever been the focus of an OCR investigation after a data breach?
  5. Do you have an incident response plan and how will your staff alert CEs when their patients’ data has been compromised?
