Health Information Management

Find the right contract vendor

HIM-HIPAA Insider, December 29, 2009


Covered entities must carefully select and contract with software vendors and investigate the security concerns that arise when any third party has access to patients’ protected health information (PHI). Use these tips whenever you consider contracting with a vendor to handle PHI:

  • Exercise due diligence. Whenever third-party vendors have access to your data, a greater risk of a privacy or security breach exists. “You’re counting on someone else to uphold your standards,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA. Approach the job of finding a vendor seriously, she says. That means doing your homework.
  • Ask the right questions. For example, ensure that you understand how the vendor will protect your information and how it will segregate your data from other clients’ data. “You don’t want a data bleed and your data exposed to other customers,” Borten says. A vendor might promise to encrypt transmissions, but you need more information than that, says Borten. “It’s a first step, but there should be many other security measures,” she says.
  • Interview the right people. “You don’t want to talk to the marketing staff; talk to the technical staff,” says Borten.
  • Ensure that vendors understand HIPAA and their new responsibilities as business associates (BAs). Borten recommends reviewing the list of HIPAA security rule requirements with vendors. This provides an opportunity to learn how vendors handle risk analysis and incident responses, for example. “Certainly, some vendors are savvy enough to give you the right answers,” says Borten. “But if you see the ‘deer in the headlights’ response from them, that should be your warning sign that they are not quite there yet.”

Editor’s note: For more tips, view the December 2009 issue of Briefings on HIPAA.
