
What to look for in a HIPAA compliant healthcare vendor
In 2023, the vendor breach at Medusind, a dental and medical billing company, affected multiple healthcare providers and 360,000 individuals. An important lesson to take away from this breach is that healthcare organizations, or covered entities, must partner with vendors that demonstrate and maintain HIPAA compliance.

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards that safeguard the privacy and security of individuals’ protected health information (PHI). The legislation applies to healthcare organizations and to their business associates, or vendors, which often handle PHI on behalf of providers. HIPAA compliance is a legal requirement that protects patients’ privacy and ultimately lets organizations focus on patient care.

To remain HIPAA compliant at all times, healthcare organizations need to find vendors that value and follow the legislation. Therefore, providers need to understand what to look for in a HIPAA compliant healthcare vendor.

Related: HIPAA compliant email: The definitive guide


What is a healthcare business associate?

HIPAA defines a business associate as an individual or entity that performs specific functions and/or provides services on behalf of a covered entity. Healthcare organizations collaborate with different types of third-party companies to enhance their health operations. These companies directly engage with healthcare organizations to ensure smooth business operations. The work these business associates perform ranges from billing and IT support to medical equipment and software, and includes the following types of roles:

  1. Third-party administrators (e.g., claims processors)
  2. Email providers (such as Paubox Email Suite)
  3. IT service providers
  4. Cloud storage providers
  5. Telehealth platforms
  6. Electronic health record (EHR) providers
  7. Insurance companies
  8. Appointment scheduling software companies
  9. Marketing and website providers
  10. Billing companies
  11. Medical transcriptionists
  12. Data analytics companies
  13. Lawyers, consultants, and accountants

Given these frontline duties, these companies may have to create, receive, transmit, or maintain PHI. If this is the case, they are then legally obligated to safeguard it under HIPAA. Sharing sensitive patient data with anyone can pose significant risks if proper security measures aren’t in place on both sides. Ultimately, healthcare organizations must seek out companies that are HIPAA compliant so that they can properly handle PHI.


What is a HIPAA compliant vendor?

Before choosing a healthcare vendor, ask the vendor the following questions to determine whether it is a business associate that will work with PHI.

  1. Do you provide services or perform functions for healthcare providers, health plans, or healthcare clearinghouses?
  2. Are your services or functions integral to a covered entity’s operations?
  3. Do you have a contractual agreement or arrangement with a covered entity to provide these services?

If the answer to these questions is yes, the vendor qualifies as a business associate and should adhere to HIPAA’s regulations. Thus, the vendor has a responsibility to follow the HIPAA Privacy, Security, and Breach Notification Rules. HIPAA compliant vendors must implement a layered approach to security with physical, administrative, and technical safeguards. These measures should include security incident response, disaster recovery, and backup plans.

HIPAA compliant vendors also commit to their security obligations by signing a business associate agreement (BAA). The BAA outlines the permissible uses and disclosures of PHI and ensures that vendors are held accountable for safeguarding patient data. In general, healthcare organizations should recognize that any business they work with, even one that doesn’t handle PHI, should be HIPAA compliant.


What is a noncompliant vendor?

If a vendor does not closely follow the HIPAA guidelines and/or will not sign a BAA, the liability for a HIPAA violation may fall on the provider. If a vendor refuses to sign a BAA, a healthcare organization should find an alternative, HIPAA compliant solution. Sharing PHI with a vendor that does not demonstrate compliance puts an organization at risk of breaches, HIPAA violations, and fines.

In the event of noncompliance, covered entities need to explore their options with a vendor using already-defined processes. Having a well-defined process for addressing noncompliance allows organizations to deal with incidents promptly. It may even be necessary to terminate the business relationship. The decision to continue working with a vendor should be aligned with the terms of their signed BAA and HIPAA.

Read about: Business associate pays $2.3 million for HIPAA noncompliance


What to look for in a HIPAA compliant healthcare vendor

A 2024 Forbes article highlights the importance of partnering with the right vendor. The key to finding a HIPAA compliant vendor is to carefully examine the company’s activities and how it interacts with and protects PHI. Healthcare providers should evaluate a vendor’s security certifications, compliance history, data protection measures, incident response capabilities, and training agendas. Moreover, they should look for vendors that:

  1. Will sign a BAA and mention HIPAA compliance
  2. Understand and can answer questions about HIPAA
  3. Have HIPAA-related policies and procedures available
  4. Provide reviews, testimonials, and case studies from other healthcare organizations
  5. Utilize security measures that comply with the Security Rule’s technical, physical, and administrative safeguards
  6. Deliver staff training on HIPAA and PHI security
  7. Show that they continuously update their security based on new laws and new issues

Currently, the U.S. Assistant Secretary for Technology Policy website provides access to EHR vendor selection tools that can be applied to any vendor. Healthcare organizations must conduct such due diligence when selecting and working with vendors. Maintaining patient privacy and complying with HIPAA are critical facets of proper patient care.

Go deeper: Vetting your vendors: Certifications & HIPAA compliance | Paubox SECURE 2019


FAQs

How must a business associate secure PHI?

Business associates must implement a multifaceted approach with physical, administrative, and technical safeguards to secure PHI:

  • Physical safeguards involve controlling physical access to data storage
  • Administrative safeguards include robust policies and procedures
  • Technical safeguards employ encryption, access controls, and secure technologies to prevent unauthorized access or disclosure


What access should vendors have to patient data?

Vendors should have access only to the patient data that is necessary to deliver their specific service, following the principle of least privilege.


What rights do patients have regarding business associates handling their PHI?

Patients retain significant rights concerning their PHI. These rights include accessing their information, requesting amendments, and filing complaints if they believe their privacy rights have been violated by business associates. Business associates must respect and safeguard these rights.


Are business associates directly liable for HIPAA violations, or does liability solely rest with covered entities?

Yes, business associates can be held directly responsible for violating HIPAA rules. Changes in HIPAA regulations mean that business associates have individual accountability for compliance and face penalties independently of covered entities. This is why business associates must implement robust privacy and security measures, recognizing their direct obligation to adhere to HIPAA standards and the potential consequences of noncompliance.