The Health Insurance Portability and Accountability Act (or HIPAA) sets the standards for protecting sensitive patient data. To protect yourself from liabilities, any outside vendor you work with must have the same high standards for compliance that you do. With the stakes so high, choosing a vendor is no small task.
When you’re in the market for a HIPAA-compliant contractor, the various requirements and considerations can sometimes feel downright overwhelming, not to mention all the different providers vying for your business. Taking the time to work through a review checklist can help you save time, money, and headaches and ensure you’re entering the best agreement for your organization.
- Clearly understand your needs.
When selecting a HIPAA-compliant vendor, it is important to clearly understand what your organization’s needs are and what services you require. Do you need help with data security or privacy compliance? Are you looking for additional training in HIPAA regulations?
Or are you searching for a healthcare answering service that provides live answering, order entry, and customer service? Knowing each vendor’s scope of services and how they might fit your organizational goals can help you make an informed decision.
- Research multiple vendors.
This means looking at the different service offerings, examining customer reviews, and getting references from previous clients. Look for a vendor that is highly rated by other clients and well-regarded in the healthcare industry.
Asking friends, family, and colleagues for referrals can save you time and energy. Request quotes from all vendors you’re considering, so you have transparent pricing information when comparing one service to another. Also, be sure that all potential vendors know your organization’s specific requirements or special considerations.
- Understand what HIPAA compliance entails.
Many vendors claim to be “HIPAA compliant” without truly understanding what that means. To ensure you’re dealing with a legitimate provider, confirm that it fully understands the requirements of HIPAA’s Security Rule and Privacy Rule and can explain how it meets them.
- Ensure formal written agreements are in place.
To protect your organization from potential liabilities, ensure all necessary contracts are signed before beginning any business relationship with a HIPAA-compliant vendor. These should include a Business Associate Agreement, which HIPAA requires you to enter whenever you contract with any third party that handles protected health information, a Service Level Agreement, and termination clauses if needed.
- Screen for security.
With the stakes so high, it is integral that you thoroughly screen potential vendors’ security capabilities. This includes exhaustive background checks of their policies, procedures, and technology infrastructures to ensure they operate ethically and securely handle protected health information (or PHI). It is also important to assess how vendors handle updates as technology changes.
- Maintain control.
Seek vendors that provide detailed logs of all activity related to PHI access and movement within their systems. To ensure HIPAA compliance, vendors should have robust auditing, monitoring, tracking, and reporting systems. Furthermore, their staff should have HIPAA training programs to ensure everyone is fully aware of all privacy and security requirements necessary to work with PHI.
Ensure that the vendor limits access to the most sensitive protected health information to only those with a legitimate need to know and that it carefully defines the different levels of access to its systems, including the roles assigned to each user ID. No single user should have access to all PHI; instead, each user’s access should be limited to the data relevant and necessary to that user’s role, to prevent accidental or intentional breaches.
- Conduct periodic audits.
Once you have selected your vendor, maintain a healthy relationship by conducting regular audits to ensure that it follows all HIPAA guidelines, actively monitors its activities, and compares them against established policies and procedures.
Selecting a HIPAA-compliant vendor is an integral part of protecting sensitive PHI. Understanding your needs, researching multiple vendors, learning HIPAA compliance requirements, establishing written agreements, screening for security measures, and monitoring through audits are key to helping you select the right HIPAA-compliant vendor.
By following a checklist of considerations to ensure vendors are up to par with regulations and industry standards, you will be protected against any potential future liabilities and ensure that your PHI is protected. You’ll be assured that your organization’s data remain safe and secure.