A complex set of regulations like HIPAA requires constant work to keep up with inside an organization. With requirements ranging from six unique audits per year to workforce training to vendor management, it is not a task that most healthcare organizations can devote the time to. An organization must do more than become familiar with the rules: it must study enforcement actions against other organizations, stay current with changes, update its policies, and understand cyber security well. This raises the question: who is handling HIPAA for you, and are they up to the task?

But I have a lawyer or IT guy for that…

Understandably, the complexity and time-intensive nature of HIPAA drive most small and medium-sized healthcare organizations to outsource this work to a variety of vendors, including lawyers, IT management companies, and other managed service providers. It is no surprise that the results are mixed. IT companies often lack the security or HIPAA knowledge, lawyers rarely know security or technology, and most other vendors are missing some key component of complete HIPAA compliance. The key is finding a partner for HIPAA that can bring all the pieces together.

So how do you tell whether your vendor is doing HIPAA compliance correctly? Knowing the regulations yourself is one way, but then again, if you had the time for that you would not be outsourcing the work.

We have compiled a few rules of thumb for you and your vendor to follow when it comes to compliance.

Rules of thumb

1. Do you have a Business Associate (BA) Agreement with your HIPAA compliance vendor?

If you don't, your organization is already off to a bad start. HIPAA requires that any vendor that creates, receives, maintains, or transmits protected health information (PHI, including electronic PHI, or ePHI) on your behalf sign a Business Associate Agreement. See 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e). This is a must, especially if the vendor is updating systems or has access to computers and printers. Aside from being a requirement for compliance, the agreement puts the vendor on notice that it must protect the patient information and holds it contractually accountable for doing so.

Case: Raleigh Orthopaedic Clinic, P.A. of North Carolina paid a $750,000 settlement for handing PHI to a vendor without a Business Associate Agreement in place and for having no policies governing Business Associate Agreements.

Ask your vendor for copies of all of your BA Agreements, and visit hhs.gov for sample agreement provisions.

2. Do you have written policies in place for employees?

If not, your employees are being held to a standard that does not exist. Without written policies there is no way to hold your employees accountable for any misstep that may occur. Don't expect employees to handle patient information with care if there is no policy telling them how. It is also important to note that verbal briefings are not documentation, and they will not hold up in an investigation.

Case: Among other issues, Hospice of North Idaho was found to have no written policies for mobile devices and paid a $50,000 settlement.

Ask your vendor for a copy of all of your policies and a cheat sheet summarizing them for employees.

3. Do you know your gaps in security?

Every organization has security gaps, and if you are unsure of yours, a proper risk assessment has not been conducted. From my experience in the healthcare community, these are rarely done by qualified people. By qualified, I mean someone with experience in the cyber security field or applicable certifications. Having the wrong person or organization assess your security not only fails to satisfy the HIPAA requirement, it is like having me look for anomalies in an X-ray: unless a bone is broken in half with the pieces lying beside each other, I am not sure what I am looking at.

Case: Catholic Health Care Services paid a $650,000 settlement, in part for not having conducted a recent, comprehensive risk assessment.

Ask your vendor to show you their credentials, years of experience, and certifications, as well as a copy of your risk assessment along with its security gap analysis.


HIPAA compliance is not an easy feat; if it were, healthcare organizations would not be outsourcing the work. I only caution that you check on your vendors and understand what they are doing. Ultimately, HIPAA compliance remains your organization's responsibility, no matter who you hire to help.

If you would like a FREE COPY of our HIPAA checklist, follow this link.

Or, if you have any other questions, please contact us here.


Micheal Small
Co-founder + Ethical Hacker

Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. His passion for the cyber world is unparalleled. With exposure to virtually every industry, he continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.
