If a vendor isn’t a hospital, insurance company, or primary care provider, then they need to sign a Business Associate Agreement (BAA) establishing that they understand their responsibilities as a covered entity. If a vendor refuses to sign such an agreement for any reason, then they are not HIPAA compliant. Work with them only at your own risk.
Pretty obvious, right? You might as well say that if a business refuses to follow HIPAA, they aren’t HIPAA compliant. BAAs are required under HIPAA, as I’m sure you well know.
What you might not know is that there are other ways to determine whether a vendor is compliant – and whether they’re even worth your correspondence. Because while I’d like to believe that no vendor has ever signed a BAA under false pretenses, I’m certain that’s untrue. There will always be people who either don’t understand the rules or try to bend them for their own gain.
It’s up to you to tell the difference between these shysters and legitimate covered entities. Fortunately, they tend to share a few very obvious red flags.
They Don’t Actually Understand HIPAA
The surest way to suss out the difference between a legitimate vendor and a scam is to test their knowledge. Ask them the following questions about their internal security controls and data management processes. A vendor that’s actually adhering to HIPAA should have no trouble answering any of them:
- What’s the difference between administrative, physical, and technical controls, as defined by HIPAA? Can you give examples of such controls as they are used within your organization?
- What will happen to the PHI we have entrusted to you after the contract expires? If you do not plan to retain it, what process will you use to delete it?
- What specific measures has your organization put in place to ensure data is secured in a compliant fashion?
- What specific measures have your partners and subcontractors put in place to ensure data is secured in a compliant fashion?
- When was the last time your BAA form was updated?
- Which specific services do you provide that are covered by HIPAA?
- What is your disaster recovery process?
- What is your incident response process?
- Do you have references you can provide from other healthcare clients you have worked with in the past?
Audits? What Audits?
Before you sign a BAA with a vendor, it’s important that you request certain documentation. An organization that’s above-board should have no problem providing you with an up-to-date audit report and a comprehensive compliance policy. They should also be willing to undergo a third-party assessment if they cannot provide you with an audit.
Pay close attention to any audit reports you do receive. It’s important to ensure that audits are carried out by reputable third parties rather than by internal staff. That way, you can be absolutely certain you aren’t in for a nasty surprise or two down the road.
They Don’t Have A Compliance Team
Even if a vendor provides you with documentation, that doesn’t mean you’re in the clear. As part of your evaluation process, insist on speaking to the person (or persons) responsible for overseeing the vendor’s compliance efforts. If they refuse, walk the other way.
A vendor that does not have a dedicated compliance team is one you likely don’t want to work with.
Keep Your Eyes Peeled
A vendor needs to be willing to sign a BAA to work with PHI – but that’s only the first step towards HIPAA compliance for covered entities. It’s easy to say you’ll comply with the ins and outs of HIPAA. It’s much harder to fake doing so, especially under scrutiny.
By learning to recognize the signs that a potential vendor isn’t actually compliant, you can ensure you’re taking every step necessary to meet your duty of care as a health organization – your duty of care to each and every patient you work with.