Is My Vendor REALLY HIPAA-Compliant?

Healthcare organizations continue to grow more reliant on the use of third-party vendors that help them deliver quality care and assist with administrative tasks. Covered entities are increasingly outsourcing their back-office operations such as billing, claims processing, or transcription to third parties to help reduce expenses. Covered entities are also using vendors for population management and services such as telemedicine, or even what used to be considered core services such as radiology or neonatal management.

Covered entities know that if a third party has access to protected health information (PHI), the vendor needs to comply with HIPAA regulations and sign a Business Associate Agreement (BAA). But does that provide you with enough “protection” in the event of an investigation by the Department of Health and Human Services Office of Civil Rights (OCR)? Probably not! A BAA will not always protect a covered entity in the event of a PHI breach by its vendor. If the covered entity does not obtain “satisfactory assurances” of the vendor’s security, the covered entity may be liable for the breach.

Vendors will often post a notice on their website saying “HIPAA Compliant,” frequently accompanied by a fancy logo. But what does that mean? Potentially nothing! The Federal Trade Commission (FTC) entered into a settlement agreement with SkyMed International, Inc. which stated that SkyMed deceptively displayed seals attesting to its purported compliance with HIPAA, which the FTC indicated “signaled to consumers that a government agency or other third party had reviewed respondent’s information practices and determined that they met HIPAA’s requirements.” The complaint pointed out that in fact no government agency or independent third party had reviewed SkyMed’s information security practices.

If you can’t rely upon a “seal” on a website, what should you be doing? Do you have to audit every vendor to make sure they are HIPAA compliant? Potentially yes!

Questionnaires

Organizations often send out questionnaires to vendors to determine if they have appropriate security. The questionnaires ask potential vendors about their security and allow the organization to perform a basic evaluation. Unfortunately, history has shown that these are not always reliable. Without a more in-depth review, it’s impossible to confirm whether the questionnaire is simply telling the requestor what they want to hear. If you are using questionnaires, consider requesting proof of implementation of key controls and evaluating that evidence. Also consider confirming that the vendor performs comprehensive risk assessments with remediation plans for identified gaps. Your vendors should also be periodically performing key system security measures such as vulnerability scans, penetration testing, and updating security controls based on emerging threats.

Third-party Assessments

Another option is to rely upon a third-party assessment. Does the vendor have certifications such as ISO or HITRUST? Have they had a SOC 2 audit performed by a CPA? Have they had their HIPAA compliance reviewed? While ISO, HITRUST, and other certifications are backed up by formal requirements and documented audits, as demonstrated by the SkyMed complaint there is no government-approved “HIPAA Certification.” Your vendor should be able to provide you with evidence of a formal evaluation of their security. Make sure the certification or review covers the product you will be using; a SOC 2 assessment that covers a completely unrelated area of the business doesn’t really protect you if there’s a problem. If a formal report is provided, evaluate it to see if the gaps identified raise concerns. If they do, ask for the remediation plan. If your vendor is “HIPAA Certified,” find out what their assessor reviewed and how that evaluation was performed. Was it just a “self-assessment questionnaire” or a formal audit covering all the HIPAA requirements?

Ongoing Evaluations

So you have evaluated your potential vendor and decided they have the required security to trust them with your PHI. You’re done! Or maybe not! Ensuring security is an ongoing process. You need to gain an understanding of who your vendor is sharing their data with. Are they doing the same investigation you did before they share your PHI? What is their process for verifying that their vendors are compliant?

You also need to confirm that the security that was in place when you selected the vendor remains in place. Just because your vendor had good security in place when you selected them does not mean those good practices will still be in place down the road. If they hold certifications that you are relying upon, be sure they are keeping those current. If you performed an evaluation of their security, consider periodic updates based on the potential risk associated with that vendor.

CompliancePoint has the healthcare, cybersecurity, and privacy expertise to help your organization achieve HIPAA compliance. Contact us at connect@complinacepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.