Worried that your third-party vendor isn’t HIPAA compliant? These days, most hospitals and other health-related facilities recognize the importance of having a HIPAA-compliant practice. Ensuring HIPAA compliance within all hospitals and health-related facilities—and ensuring such compliance includes facility vendors—is important to the sustainability and growth of any facility. To protect against potential breaches or security incidents caused by third-party vendors, HIPAA-covered entities should take the following points into consideration.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996, providing the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs. HIPAA also reduces health care fraud and abuse. It mandates industry-wide standards for health care information on electronic billing and other processes. Lastly, it requires the protection and confidential handling of protected health information.
Be Committed to HIPAA
Any third-party vendor that comes into contact with or creates protected health information (PHI) through the work it undertakes on behalf of the covered entity is known as a business associate (BA). Before granting a BA access to any level of PHI, both the hospital and the third-party vendor must enter into a contract, known as a business associate agreement (BAA), that details commitments to HIPAA compliance and provides assurances relating to the safeguarding of PHI. Any facility or third-party vendor that fails to comply with this process can expect significant financial and reputational damage.
If a third-party vendor is working with your hospital or health-related facility and is handling PHI, seek reassurance that they recognize and understand that they are a BA and are therefore equally responsible for complying with HIPAA rules and regulations. It is not enough for a third-party vendor to simply state that it is HIPAA compliant. Request evidence of their HIPAA compliance and administrative capabilities. In addition, ask to review their HIPAA policies and procedures, or ask them to conduct a risk assessment, before committing to working together.
It’s All About the Agreement
Hospitals and other health-related facilities should never disclose PHI to any third-party vendor unless a signed BAA exists between the parties. A third-party vendor that is HIPAA compliant will not hesitate to sign a BAA that outlines all the terms as required by HIPAA.
Always take your time reading the contents, and take note of any additional terms and conditions that are present but not required by HIPAA. Additionally, if your vendor will need to disclose your facility’s PHI to a subcontractor, make sure your BAA requires them to obtain a subcontractor BAA from their own vendors that includes the same security and privacy requirements as the original BAA. HIPAA obligations need to trickle all the way down from health facility to vendor to subcontractor to sub-subcontractor, and so on, to ensure true compliance.
Understand How Your Third-Party Vendor Protects and Stores PHI
It is extremely important to understand how your third-party vendor securely collects, stores, processes, and transfers PHI. By being proactive, hospitals and health-related facilities can avoid financial and reputational damage.
At The Midland Group, we believe that keeping sensitive information confidential and accessible is of the utmost importance. We continue to use great care in evaluating and selecting the best data security partners with which to work. When you choose to partner with The Midland Group for your services, you can rest assured knowing that your patients’ information is protected with the best data theft defense solution, complete with numerous security certifications. To learn more about The Midland Group’s data security system, click here.