Ask five key questions to gauge your vendor’s HIPAA security awareness.

When you choose a cloud or electronic health record (EHR) vendor, do you consider their stance on the HIPAA Security Rule, especially if they claim to be “HIPAA certified” or “HIPAA compliant”? If you don’t, you should. Confirming that their understanding of HIPAA matches your requirements, asking about their security measures, encryption, access controls, and breach response, and generally probing their compliance capabilities not only safeguards your patient information and data integrity but could also protect your practice from liability in the event of a catastrophic data breach. So, if you’re in the process of bringing a new EHR vendor on board, or if you want to re-evaluate your agreement with your current vendor, here are some important considerations to keep in mind.

What Does ‘HIPAA Compliant’ Really Mean?

Background: Many third-party vendors say that their products or tools are “HIPAA compliant,” but the Department of Health and Human Services (HHS) and its auxiliary agencies don’t certify or validate health IT products as HIPAA compliant. “HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation,” HHS Office for Civil Rights (OCR) guidance says.

Figure Out How Your IT Vendors Address HIPAA

As a covered entity (CE), you should protect your practice by thoroughly vetting your business associates (BAs) and third-party vendors before you enter into any kind of business arrangement with them.
This might involve an in-house or practice-created standardized review system to test their knowledge of the HIPAA basics, followed by a more comprehensive investigation of your partners’ compliance practices, breach history, and incident response protocols. Why? As required by HIPAA, CEs — as well as BAs — must secure patients’ protected health information (PHI), and they “would be wise to use caution in evaluating companies that promise ‘HIPAA compliance,’” advises attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida. You may be inclined to gravitate to vendors that promise their products or services are entirely HIPAA compliant or come with certifications, but be wary of these assurances, Hartsfield says. “A lot of customers want to see that characterization, and companies selling their services want to provide it. In my view, because HIPAA compliance is an ongoing process, it would be wise to avoid making representations that attempt to ensure 100 percent compliance,” she advises.
Advertisements that claim products are “HIPAA compliant” or “HIPAA certified” should always be questioned. “If a healthcare provider is evaluating a company that says they’re ‘HIPAA compliant,’ it would be important to try to get a full understanding of what the vendor means by that,” Hartsfield says. “And if a vendor says it’s ‘HIPPA compliant,’ you may need to run the other way,” she exclaims. “Misspelling HIPAA can be a real red flag.” Tip: Before you sign on the dotted line, you should consider asking your BAs and vendors these five simple HIPAA-related questions: