Why is Vendor Compliance Important?
The Health Insurance Portability and Accountability Act (HIPAA) sets high standards for the protection of protected health information (PHI). A covered entity under HIPAA must therefore be careful about which vendors it partners with, because those vendors may also gain access to that PHI. A vendor that creates, receives, maintains, or transmits PHI on the practice's behalf is a business associate, and it signs a business associate agreement (BAA) committing it to the same HIPAA compliance standards as the hiring healthcare entity. It is the covered entity's responsibility to obtain reasonable assurance that the vendor will use the information only for the purposes needed, and that safeguards are in place to protect the PHI as HIPAA requires. Practices may enter into business associate agreements with all types of vendors, such
Under the HIPAA Security Rule, each covered entity is required to conduct a risk analysis, an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.” There is no single method or best practice that guarantees compliance with the Security Rule, because the appropriate approach varies with the type of covered entity and the design of its operations.
Vendor compliance matters both as part of annual risk analysis activities and as part of regulatory compliance more broadly. There is an abundance of resources available, such as the HIPAA Security Risk Assessment (SRA) Tool published by HHS and the NIST HIPAA Security Toolkit Application.
How to Screen Vendors
In today’s complex healthcare IT environments, many different companies typically have access to a practice’s systems and data, and the resulting cybersecurity risk can be very hard to reason about. The weakest points in data security are often the points of access and transmission, which means that every vendor connection can introduce new vulnerabilities.
If a data breach results from a vendor failure, the vendor is liable, but so is the covered entity. Serious breaches exposing the PHI of thousands of patients have occurred, and many of them are tied to third-party vendors and their electronic access. Many healthcare organizations employ a separate cybersecurity contractor to verify HIPAA compliance by all users, systems, and vendors.
A free HIPAA compliance checklist can be found at HIPAAjournal.com that can serve as a starting point for a vendor screening checklist.
There are some basic elements that should be a part of all risk assessments when it concerns vendor compliance:
- How is vendor access restricted? Each vendor relationship should be assessed to determine who has access to PHI, how they access it, and how much access they have. Access should be limited to what the vendor’s job function and contracted scope require (least privilege).
- Each vendor user should have a unique username and password, protected by multi-factor authentication. Shared or generic vendor accounts make it impossible to attribute an action to an individual.
- Each vendor session should be logged off automatically after a defined period of inactivity.
- Systems should generate audit logs and automatic reports of access to PHI, including unauthorized or failed access attempts, so that a data breach can be traced back to the account, time, and records involved.
- Systems should be patched and their security settings kept current to protect data from corruption and to prevent breaches during transmission. The covered entity should define its minimum standards for encryption at rest and in transit and require vendors to meet them.
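The controls in the list above (scoped access, unique accounts, automatic logoff, and audit reports) are only useful if someone actually reviews the logs against them. The following script is an added example, not code from the original page or from FormDr, showing what such a review can look like. It runs over a constructed sample audit log (the pipe-delimited format, the vendor scope table, and the 15-minute logoff threshold are all assumptions for illustration) and flags the conditions a screening checklist asks about: an account not in the vendor inventory, access to record types outside the vendor’s scope, activity after an idle gap longer than the logoff threshold with no new login, and one vendor username used from several source addresses, which often indicates a shared credential.

```python
"""Vendor-access audit review over a constructed sample log.

Added example for illustration; not part of the original page. The log
format, the vendor scope table and the idle timeout are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed vendor inventory: which PHI record types each vendor account may touch.
VENDOR_SCOPE = {
    "billing-vendor-svc": {"claims", "demographics"},
    "transcription-jdoe": {"clinical_notes"},
}

# Assumed automatic-logoff threshold the covered entity requires of vendors.
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed sample audit log. Fields: ts|user|src_ip|record_type|action|outcome
# ("-" as record_type marks an authentication event with no record access).
SAMPLE_LOG = """\
2024-03-01T08:59:00|billing-vendor-svc|203.0.113.10|-|login|allowed
2024-03-01T09:00:00|billing-vendor-svc|203.0.113.10|claims|read|allowed
2024-03-01T09:05:00|billing-vendor-svc|203.0.113.10|clinical_notes|read|allowed
2024-03-01T09:06:00|transcription-jdoe|198.51.100.7|-|login|allowed
2024-03-01T09:07:00|transcription-jdoe|198.51.100.7|clinical_notes|read|allowed
2024-03-01T09:40:00|transcription-jdoe|198.51.100.7|clinical_notes|write|allowed
2024-03-01T10:00:00|billing-vendor-svc|192.0.2.55|-|login|allowed
2024-03-01T10:01:00|billing-vendor-svc|192.0.2.55|claims|read|allowed
2024-03-01T10:02:00|unknown-contractor|192.0.2.56|demographics|read|denied
"""


def parse_log(text):
    """Parse the assumed pipe-delimited format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, rtype, action, outcome = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "record_type": rtype, "action": action, "outcome": outcome,
        })
    return events


def audit(events, scope=VENDOR_SCOPE, idle_timeout=IDLE_TIMEOUT):
    """Return a list of (finding_kind, user, detail) tuples, in log order,
    followed by per-user findings that need the whole log to decide."""
    findings = []
    last_seen = {}                 # user -> timestamp of last event
    ips_by_user = defaultdict(set)  # user -> set of source addresses seen

    for e in events:
        user = e["user"]
        # 1. Account missing from the vendor inventory (denied or not, it must be explained).
        if user not in scope:
            findings.append(("unknown_account", user, e["ts"].isoformat()))
            continue
        ips_by_user[user].add(e["ip"])
        prev = last_seen.get(user)
        last_seen[user] = e["ts"]
        # A fresh login resets the idle clock and touches no PHI, so nothing else to check.
        if e["action"] == "login":
            continue
        # 2. Record access outside the contracted scope, even when the system allowed it.
        if e["record_type"] not in scope[user]:
            findings.append(("out_of_scope", user, e["record_type"]))
        # 3. Activity after an idle gap longer than the logoff threshold, with no
        #    re-login in between: the session should have been terminated.
        if prev is not None and e["ts"] - prev > idle_timeout:
            idle_minutes = int((e["ts"] - prev).total_seconds() // 60)
            findings.append(("stale_session", user, idle_minutes))

    # 4. One vendor username from several source addresses: possible shared credential.
    for user, ips in ips_by_user.items():
        if len(ips) > 1:
            findings.append(("multiple_sources", user, sorted(ips)))
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:22} {detail}")
```

In practice the log would come from the EHR or remote-access gateway rather than an embedded string, and each finding kind maps to a question on the vendor screening checklist: `out_of_scope` to the access-restriction item, `multiple_sources` to the unique-credential item, `stale_session` to the automatic-logoff item, and `unknown_account` to the audit-report item.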
All provider practices can minimize their exposure by establishing a standardized risk assessment process and checklist. Each vendor should be thoroughly vetted against this standard, both at onboarding and on a recurring basis, to ensure continued compliance.
FormDr is a long-trusted vendor for providers, and we take HIPAA compliance very seriously. FormDr takes away the burden of compliance by coming to the table completely prepared: we maintain detailed compliance and security plans, transparently available on our website.