Are your vendors HIPAA compliant? Find out before it’s too late
Organizations operating within dentistry and the health-care industry more generally face constant regulatory pressure at the federal and state levels. The Health Insurance Portability and Accountability Act (HIPAA), for example, sets rules relating to the safeguarding of protected health information (PHI) that significantly impact the way organizations collect, store, and transmit their patients’ medical data. Failure to abide by these rules can have significant repercussions for HIPAA-covered entities.
Maintaining adequate HIPAA-compliance standards within an organization is one thing, but keeping PHI protected once it leaves the relative security of a practice’s four walls is another challenge entirely. Wherever third-party vendors come into contact with PHI—via data-storage services, communication providers, or document-disposal companies, for example—the practice must ensure that every vendor undertaking the work is also fully HIPAA compliant.
Under HIPAA, any third party that creates, receives, maintains, or transmits PHI while performing work on behalf of a covered entity is known as a business associate, or BA for short. Before granting a BA any level of access to PHI (or its electronic form, ePHI), both parties must enter into a contract that spells out each side’s HIPAA obligations and provides assurances relating to the safeguarding of PHI and ePHI. This contract is known as a business associate agreement (BAA), and it must be in place before the first disclosure, not after.
Failure to follow this process can pave the way for significant financial and reputational damage. In 2017, for example, a children’s digestive health center was ordered to pay a $31,000 settlement to the US Department of Health and Human Services (HHS) following an investigation into one of its BAs, which had been storing patient records for several years in the absence of a signed BAA.1
More recently, Dignity Health reported a breach to HHS after it allowed a BA to receive PHI without a valid BAA in place.2 Although the contractor was trusted and had been used before, the absence of an up-to-date BAA between the two parties—the result of a clerical error—meant that PHI was being disclosed unlawfully. The lesson is that an expired or never-countersigned agreement is, for compliance purposes, no agreement at all.
To protect against potential breaches caused by third-party vendors, HIPAA-covered entities should take the following points into consideration.
Commitments to HIPAA
If a vendor works with your practice in a way that results in its handling PHI, confirm that the vendor recognizes itself as a BA. It is not enough for a vendor simply to claim that it is “HIPAA compliant”; there is no official HIPAA certification, so request evidence instead. Ask to review the vendor’s HIPAA policies and procedures, a recent security risk analysis, and records showing that its employees have received HIPAA training.
Understand how your BAs protect and store PHI
It is essential to understand the steps each of your BAs takes to collect, store, process, and transfer PHI. Never disclose PHI to any BA unless a signed BAA exists between both parties. Where possible, check whether the BA has a designated HIPAA privacy or security officer, and gain an understanding of how the organization handles security incidents and breach notifications, including how quickly it will notify you. And if the BA plans to outsource the handling or processing of your PHI to a subcontractor, it must itself have a signed BAA with that subcontractor, so that the chain of responsibility remains unbroken from your practice down to the last party that touches the data.
Read the small print
A fully compliant vendor will not hesitate to sign a BAA that covers every term HIPAA requires. Read the contract carefully, and take note of any additional terms and conditions that HIPAA permits but does not require; these are where the parties allocate obligations that the law leaves open, so they deserve the same scrutiny as the mandatory clauses.
Don’t be fooled by the conduit exception rule
Some entities transport PHI but do not access it beyond what is incidental to the transmission itself, such as internet service providers, couriers, or the United States Postal Service. These entities act as mere conduits of information and, as such, are not required to sign a BAA. HHS applies this exception narrowly: it covers transmission only, not storage. A cloud-storage or hosting provider that persistently maintains ePHI is a business associate and must sign a BAA, even if the data is encrypted and the provider does not hold the decryption key. Apart from true conduits, almost every other type of company that handles protected health information will be required to sign a BAA.
To avoid significant financial and reputational damage, dentists and dental practices should ensure their vendors are taking the proper steps to remain compliant. By taking the proactive steps described here, dentists can gain peace of mind, knowing they have minimized their practice’s risk and kept their patients’ data safe.
Author’s note: For information on secure faxing for covered entities and business associates to transmit ePHI, visit enterprise.efax.com/industry/healthcare.
1. Swann J. Health-care provider pays $31K for lack of privacy contract with vendor. Bloomberg BNA website. https://www.bna.com/healthcare-provider-pays-n57982087161/. Published April 26, 2017.
2. Updated: Dignity Health units disclose breaches in Arizona, Nevada, and California affecting more than 60,000 patients. DataBreaches.net website. https://www.databreaches.net/dignity-health-units-disclose-breaches-in-arizona-nevada-and-california-affecting-more-than-60000-patients/. Published June 4, 2018.
A 20-year industry veteran, Brad Spannbauer currently oversees product strategy and planning and provides direction and market leadership for j2 Cloud Connect's worldwide business as a senior director of product management. His focus in the health-care and legal verticals led to Spannbauer's involvement with the j2 Cloud Services compliance team, where he leads the team as the company’s HIPAA privacy and compliance officer. To find out more visit eFax Corporate.