In 2023, a breach at Medusind, a dental and medical billing company, affected multiple healthcare providers and 360,000 individuals. An important lesson from this vendor breach is that healthcare organizations (covered entities) must partner with vendors that demonstrate and maintain HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards that safeguard the privacy and security of individuals’ protected health information (PHI). The legislation applies to healthcare organizations and to their business associates, or vendors, which sometimes handle PHI on behalf of providers. HIPAA compliance is a legal requirement that protects patients’ privacy and ultimately lets organizations focus on patient care.
To remain HIPAA compliant themselves at all times, healthcare organizations need to find vendors that value and follow the legislation. Therefore, providers need to understand what to look for in a HIPAA compliant healthcare vendor.
Related: HIPAA compliant email: The definitive guide
HIPAA defines a business associate as an individual or entity that performs specific functions and/or provides services on behalf of a covered entity. Healthcare organizations collaborate with different types of third-party companies to enhance their health operations, and these companies engage directly with healthcare organizations to keep business operations running smoothly. The work of these business associates ranges from billing and IT support to medical equipment and software, and includes the following types of roles:
Given these frontline duties, these companies may have to create, receive, transmit, or maintain PHI. If so, they are legally obligated to safeguard it under HIPAA. Sharing sensitive patient data with anyone poses significant risk if proper security measures aren’t in place on both sides. Ultimately, healthcare organizations must seek out companies that are HIPAA compliant so that they can properly handle PHI.
Before choosing a healthcare vendor, ask the following questions to determine whether the vendor is a business associate that will work with PHI.
If the answer to these questions is yes, the vendor qualifies as a business associate and should adhere to HIPAA’s regulations. Thus, the vendor has a responsibility to follow the HIPAA Privacy, Security, and Breach Notification Rules. HIPAA compliant vendors must implement a layered approach to security with physical, administrative, and technical safeguards. These measures should include security incident response, disaster recovery, and backup plans.
HIPAA compliant vendors also back their security commitments by signing a business associate agreement (BAA). The BAA outlines the permissible uses and disclosures of PHI and ensures that vendors are held accountable for safeguarding patient data. In general, healthcare organizations should recognize that any business they work with, even one that doesn’t handle PHI, should be HIPAA compliant.
If a vendor does not closely follow the HIPAA guidelines and/or will not sign a BAA, it may shift the liability for a HIPAA violation onto the provider. If a vendor refuses to sign a BAA, a healthcare organization should find an alternative, HIPAA compliant solution. Sharing PHI with a vendor that does not demonstrate compliance puts an organization at risk of breaches, HIPAA violations, and fines.
In the event of noncompliance, covered entities need to explore their options with the vendor using already-defined processes. Having a well-defined process for addressing noncompliance allows organizations to deal with incidents promptly; it may even be necessary to terminate the business relationship. The decision to continue working with a vendor should be aligned with the terms of the signed BAA and with HIPAA.
Read about: Business associate pays $2.3 million for HIPAA noncompliance
A 2024 Forbes article highlights the importance of partnering with the right vendor. The key to finding a HIPAA compliant vendor is to carefully examine the company’s activities and how it interacts with and protects PHI. Healthcare providers should evaluate a vendor’s security certifications, compliance history, data protection measures, incident response capabilities, and training programs. Moreover, they should look for vendors that:
Currently, the U.S. Assistant Secretary for Technology Policy website provides access to EHR (electronic health record) vendor selection tools that can be applied to any vendor. Healthcare organizations must conduct this kind of due diligence when selecting and working with vendors. Maintaining patient privacy and complying with HIPAA are critical facets of proper patient care.
Go deeper: Vetting your vendors: Certifications & HIPAA compliance | Paubox SECURE 2019
Business associates must implement a multifaceted approach with physical, administrative, and technical safeguards to secure PHI:
Vendors should have access only to the patient data necessary for the specific service they provide, following the principle of least privilege.
Patients retain significant rights concerning their PHI. These rights include accessing their information, requesting amendments, and filing complaints if they believe their privacy rights have been violated by business associates. Business associates must respect and safeguard these rights.
Yes, business associates can be held directly responsible for violating HIPAA rules. Changes in HIPAA regulations mean that business associates are individually accountable for compliance and face penalties independently of covered entities. This is why business associates must implement robust privacy and security measures, recognizing their direct obligation to adhere to HIPAA standards and the potential consequences of noncompliance.