But I have a lawyer or IT guy for that…
So how do you tell if your vendor is doing HIPAA compliance correctly? Well, knowing the regulations is one way, but then again, if you had the time you wouldn’t be outsourcing the work.
We have compiled a few rules of thumb for you and your vendor to follow when it comes to compliance.
Rules of thumb
If you don’t have Business Associate (BA) Agreements in place, your organization is already off to a bad start. HIPAA requires that any vendor that interacts with patient data (ePHI) sign such an agreement; see 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e). This is a must, especially if the vendor updates your systems or has access to your computers and printers. Aside from being a requirement for compliance, the agreement offloads some of your risk as a business by putting the vendor on notice that it must protect the patient information.
Case: Raleigh Orthopaedic Clinic, P.A. of North Carolina was fined $750,000 for not having BA Agreements in place and not having policies regarding Business Associate Agreements.
Ask your vendor for copies of all of your BA Agreements and visit hhs.gov for sample agreements.
If you don’t have written policies, your employees are being held to a standard that does not exist. Without written policies there’s no way to hold employees accountable for any misstep that may occur. Don’t expect employees to handle patient information with care if there is no policy telling them how. It’s also important to note that verbal briefings won’t hold up in an investigation.
Case: Among other issues, Hospice of Northern Idaho was found not to have written policies in place for mobile devices and was fined $50,000.
Ask your vendor for a copy of all your policies and a cheat sheet for all the employees.
Every organization has security gaps, and if you’re unsure of yours, a proper risk assessment has not been conducted. From my experience in the healthcare community, these are rarely done by qualified people. By qualified, I mean someone with experience in the cyber security field or with applicable certifications. In other words, having the wrong person or organization assess your security not only fails to fulfil the HIPAA requirement, it is like having me look for anomalies in an X-ray: unless a bone is broken in half and the pieces are lying beside each other, I’m not sure what I am looking for.
Case: Catholic Health Care Services was fined $650,000 in part due to not having a recent comprehensive risk assessment.
Ask your vendor to show you their credentials, years of experience and certifications, as well as a copy of your risk assessment with a security gap analysis.
If you would like a FREE COPY of our HIPAA check list, follow this link.
Or if you have any other questions please contact us here.
Co-founder + Ethical Hacker
Micheal has over 13 years of combined experience in Information Security, Information Technology, and Physical Security. He has tackled some of the most daunting certifications in the industry, has exposure to virtually every industry, and his passion for the cyber world is unparalleled. He continues to hone his skills in Incident Response, Penetration Testing, and Consulting. Recognizing the need for change in cyber security, he volunteers to help entrepreneurs, veterans, and recent graduates.