HIPAA Review of Technology Vendors

Ray Barrett interviewed Kelly Koch from Compliancy Group. In this informative conversation, Ray and Kelly walk through the steps healthcare providers must take to remain compliant with HIPAA when working with third-party vendors. Kelly helped dispel much of the confusion surrounding this important topic and laid out some clear dos and don'ts for working with other organizations under HIPAA.

Kelly has over 25 years of customer service experience, including a background in retail banking and accounting. She is currently an Account Manager for Compliancy Group, where she advises healthcare decision-makers and medical vendors on HIPAA compliance. She explains the government regulation and the standards HIPAA requires, and how Compliancy Group can help simplify the process. In her spare time, Kelly is actively involved in the non-profit organization Pull-Thru Network (PTN), which raises awareness and provides education for children and families affected by ARM, IA, VACTERL syndrome, and other birth defects.

In the interview, Kelly explains that if you are a HIPAA-covered healthcare provider, you must ensure that every vendor that touches your patients' or clients' protected health information (PHI) signs a HIPAA business associate agreement (BAA) with you, and that each vendor in turn has a BAA with any subcontractor that also has access to PHI. This is a required step when dealing with vendors, and with the subcontractors that work for those vendors and handle your clients' PHI. Kelly and Ray discuss how to evaluate the quality of a BAA and how to determine what is and is not covered under the agreement. Covered entities must also obtain satisfactory assurances that the vendor will appropriately safeguard all PHI. See the references below.

Regarding the privacy of your clients, it is important to know who has access to their personal information. What steps are you, the provider, and your vendors taking to ensure confidentiality? Is encryption being used, both at rest and in transit? Do you and your vendors have physical security at your offices to prevent theft of hardware? Kelly notes that with the rise in employee-related security incidents, there is a major need for staff training, for the provider as well as for vendors and subcontractors. They discuss the importance of strong passwords and multi-factor authentication, and what a staff response plan would look like if a breach were ever to occur.

Vendors ought to have contingency plans, and test those plans, to reduce the risk of providers losing access to clients' data during technology failures. They should also give covered entities a convenient way to audit access logs that show when the system was accessed, what data was accessed, and where it was accessed from. Providers should seek vendors that offer a convenient way to securely export their data.
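The audit-log review described above, as an added example that is not code from the interview, from Compliancy Group, or from any vendor. It assumes a vendor can export its access log as JSON lines with fields for who, when, what and where; the field names, the sample entries, the office and vendor IP ranges, the authorized-user roster and the business hours are all constructed for the example. It checks that each entry answers the when/what/where questions the interview calls for, and then flags accounts that are not on the approved roster, access from networks neither party agreed on, and access outside business hours.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a vendor's access-log export in JSON-lines form.
# The field names, users, record ids and IP addresses are hypothetical and
# do not come from any real vendor; the addresses are documentation ranges.
SAMPLE_EXPORT = """\
{"ts": "2023-03-06T14:02:11Z", "user": "dr.smith", "action": "view", "record_id": "pt-1042", "src_ip": "203.0.113.17"}
{"ts": "2023-03-06T14:05:40Z", "user": "dr.smith", "action": "export", "record_id": "pt-1042", "src_ip": "203.0.113.17"}
{"ts": "2023-03-06T23:48:02Z", "user": "vendor-support-7", "action": "view", "record_id": "pt-2210", "src_ip": "198.51.100.9"}
{"ts": "2023-03-07T03:15:55Z", "user": "jdoe", "action": "view", "record_id": "pt-1042", "src_ip": "192.0.2.44"}
{"ts": "2023-03-07T14:30:00Z", "user": "dr.smith", "action": "view", "src_ip": "203.0.113.17"}
"""

# Who, when, what and where: the fields a usable audit log has to answer.
REQUIRED_FIELDS = ("user", "ts", "action", "record_id", "src_ip")

# Constructed review parameters (assumed, not from the interview): the
# practice's office network, the vendor's support range, the staff and
# vendor accounts that are authorized to see PHI, and local business hours.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
AUTHORIZED_USERS = {"dr.smith", "nurse.lee", "vendor-support-7"}
LOCAL_TZ = timezone(timedelta(hours=-5))
BUSINESS_HOURS = (8, 18)          # 08:00 to 18:00 local, end exclusive


def parse_export(text):
    """Return (line number, entry dict) pairs from a JSON-lines export."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            entries.append((lineno, json.loads(line)))
    return entries


def review_entry(lineno, entry):
    """Return a list of (line number, finding) for one access-log entry."""
    findings = []

    # A log that cannot answer who/when/what/where is not auditable.
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        findings.append((lineno, "missing fields: " + ", ".join(missing)))

    # Access by an account that is not on the roster the covered entity approved.
    if "user" in entry and entry["user"] not in AUTHORIZED_USERS:
        findings.append((lineno, f"user {entry['user']!r} not on authorized roster"))

    # Access from outside the networks the practice and vendor agreed on.
    if "src_ip" in entry:
        addr = ipaddress.ip_address(entry["src_ip"])
        if not any(addr in net for net in ALLOWED_NETWORKS):
            findings.append((lineno, f"access from {addr} outside allowlisted networks"))

    # Access outside business hours, after converting the UTC timestamp to local time.
    if "ts" in entry:
        utc = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        local = utc.astimezone(LOCAL_TZ)
        if not BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1]:
            findings.append((lineno, f"access at {local:%H:%M} local, outside business hours"))

    return findings


def review_export(text):
    """Run every check over a whole export and return all findings."""
    findings = []
    for lineno, entry in parse_export(text):
        findings.extend(review_entry(lineno, entry))
    return findings


if __name__ == "__main__":
    for lineno, msg in review_export(SAMPLE_EXPORT):
        print(f"line {lineno}: {msg}")
```

Run against the constructed export, the review reports the after-hours vendor support login, the unknown account connecting from an unknown network at night, and the entry that does not record which patient record was touched. A vendor whose export cannot be reviewed this way, because a field is missing or the log cannot be exported at all, is a vendor the covered entity cannot audit.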

Covered entities are required to conduct a risk analysis of the technology they use and to create a risk management plan that mitigates the identified risks. Ray explains that in analyzing technology he has identified risks associated with each technology choice, which the provider must work to lessen or eliminate. He shares that some technology providers offer products that sacrifice security for the sake of convenience. Identifying and mitigating these risks is vital to complying with HIPAA and with professional codes of ethics.

When a clinician works for an organization, they must determine who is the covered entity in relation to the patient's protected health information (PHI). The covered entity is the owner of the records and must ensure the confidentiality, integrity, and availability of all PHI. When the clinician is an employee of an organization, the employer is normally the covered entity. However, when a clinician works as an independent contractor, they must carefully review their contract to ensure that it clarifies who is the covered entity. Ray and Kelly discuss bring-your-own-device (BYOD) policies and bring-your-own-service (BYOS) decisions. They also discuss the importance of retaining all e-PHI and of determining where e-PHI is stored when clinicians communicate with clients via electronic media.

HIPAA compliance is not an easy task for a provider and could become a full-time job in itself. This is why using consultants is so important. Telehealth Certification Institute can help a provider by assisting with selecting technology, providing a risk analysis, and helping the provider create a risk management plan. This takes the guesswork out of selecting and using a technology vendor. Compliancy Group assists providers with the process of HIPAA compliance through its web-based compliance solution, The Guard, along with guided, ongoing support. Because of the benefits Compliancy Group can bring to clinical practices and IT providers, Telehealth Certification Institute has an affiliation agreement with them. Use our affiliate link to receive the first three months of The Guard for free.

In summary, HIPAA covered entities are required not only to obtain a HIPAA BAA from each business associate but also to vet the business associate's privacy and security measures. Providers should choose vendors that are sustainable, reliable, and trustworthy.

The following are references from HIPAA law (45 CFR Part 164).

The BAA requirement: 

  • § 164.308 Administrative safeguards. 

(b)(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

The requirement to vet vendors:

  • § 164.308 Administrative safeguards. 

(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. 

  • § 164.502 Uses and disclosures of protected health information: General rules. 

(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. 

The requirements of a BA with regard to subcontractors:

  • § 164.308 Administrative safeguards. 

(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information. 

  • § 164.502 Uses and disclosures of protected health information: General rules.  

(e)(1)(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information. 

(e)(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e). 

The requirement to conduct a risk analysis and create a risk management plan:

  • § 164.308 Administrative safeguards. 

(a)(1)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
