You’ve been diligent about developing the needed policies and procedures to ensure HIPAA compliance within your organization. It’s been challenging, but your internal audits have been positive, and you are confident your internal processes are up to standard. Are you as confident about your vendors and their HIPAA compliance? If your vendors aren’t compliant, who pays the price? You do. As the outsourcing organization, you are responsible for the HIPAA practices of all vendors who have access to, work with, or store your sensitive PHI. Beyond the vendors who physically touch your data, such as IT providers, data centers, and document shredders, HIPAA compliance requirements could extend to other vendors who may have access to your contacts database, or even to the data center where your IT provider backs up its own data (see: How Many Degrees of Separation Are There Between You and Your Data?).
The 2013 HIPAA Omnibus Rule implemented the most stringent vendor security management provisions to date with specific requirements for both the covered entity (the organization) and their business associates. Areas include strengthening privacy and security protection, modifying liability assessment standards, and holding HIPAA business associates and their subcontractors to the same PHI protection standards.
So how do you ensure your vendors are HIPAA compliant? First of all, conduct a thorough vendor screening. Unfortunately, it’s not as simple as asking “Are you HIPAA compliant?” although that is a sensible start. Your vendor must also be able to back up their assurances by producing appropriate documentation, such as their HIPAA policies, training records, and audits, as well as their own business associate agreements. The more exhaustive your screening, the fewer the surprises down the road.
Second, ensure your business agreement includes provisions covering notifications of any business model changes, any new subcontractors, and ongoing documentation of compliance and audits. Once your agreement ends, ensure provisions are in place for the appropriate disposition, access, and destruction of retained data.
Third, conduct appropriate monitoring. The degree of that monitoring should depend on the level of potential PHI exposure risk (e.g., on-site access vs. actual hosting), with the emphasis on sustained, effective HIPAA-compliant practices and documentation. Put yourself in the place of the OCR (Office for Civil Rights) and ensure you have all the documentation they would ask for in the event of an investigation (policies, procedures, training, investigations, evaluations, facility assessments, system data, breach and notification protocol, etc.).
This is only a broad overview of ensuring vendor HIPAA compliance (why would we subject you to more?). Of course, your particular vendor screening and management process will depend on your particular organization and the nature of your business relationship. Nonetheless, the more robust your vendor risk management program is, the better off you’ll be.
Ensuring vendor HIPAA compliance simply requires you to be very diligent in managing your vendors, but this also requires a significant commitment of resources. We want to make it simple. As experts in vendor screening and management, we can help with all of your vendor screening or management needs. Give us a call or send us an email and we’d be happy to provide you with a free consultation around your vendor risk management program, helping you identify best practice opportunities and areas of improvement.