The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection, and entities that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure compliance. This is a sizeable and important task in its own right, but when outside vendors enter the equation, healthcare organizations are presented with a myriad of new challenges that they must navigate to ensure compliance and protect patient privacy.
Start from the Beginning with Vendor Management
Vendor management is critical. Organizations must fully identify and inventory all vendors, which includes selection, contract negotiation, understanding and reducing risk, controlling costs, and ensuring business continuity. Vetting vendors is crucial to understand who they are, their reputation, and their history from a security perspective. It’s not just about connecting systems; it’s about understanding what data is used for, where it will go next, and who can access it.
Obtain Evidence of Vendor HIPAA Compliance
It isn’t enough to simply vet vendors. To ensure HIPAA compliance across all vendors. organizations must ask for evidence of a vendor’s full HIPAA compliance, including policies, procedures, and employee trainings on HIPAA. Service Level Agreements (SLAs) can address technical issues related to HIPAA compliance and PHI, such as system availability, data backups, system recovery, security responsibilities, and PHI use, disclosure, and retention requirements.
Put the NIST Cybersecurity Framework (CSF) to Work
NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST CSF, aligned with HIPAA requirements, helps organizations manage data, personnel, devices, systems, and facilities. It includes developing and documenting an inventory of information system components and reviewing and updating this inventory regularly to ensure effective information system component accountability.
Understand Your Chain of Vendors
Managing HIPAA data across vendors involves dealing with third-party hosting. The application might not be hosted by the third party directly, leading to a chain of vendors that could potentially handle PHI. This complexity adds layers of risk and requires thorough vetting and understanding of each entity’s role in managing the data.
Communicate and Continually Assess Vendors
Healthcare organizations must measure their vendors against operational excellence, high availability, reliability, security, and compliance, and communication is key to this process. This includes assessing third-party reviews measuring the performance of Security, Availability, Processing Integrity, Confidentiality and Privacy controls.
In conclusion, managing HIPAA data across vendors is a complex task that requires a comprehensive approach to vendor management, stringent compliance checks, regular inventory and review of system components, clear communication, and a commitment to continuous improvement in security and compliance measures. Organizations must be diligent in their efforts to protect PHI and ensure that all vendors involved in handling this data adhere to the highest standards of privacy and security.
If you have concerns about your vendor HIPAA compliance or are seeking to improve your own data protection measures, our team can help. Please contact Joe Compton at Jcompton@medicmgmt.com to set up a conversation.