Paubox blog: HIPAA compliant email made easy

Best practices for healthcare organizations when partnering with vendors

Written by Kapua Iao | August 24, 2024

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards to safeguard the privacy and security of protected health information (PHI). The act applies to healthcare organizations (covered entities) and to their business associates (vendors) who handle PHI on behalf of providers. HIPAA compliance is a legal requirement, and it also builds trust with patients and supports better patient care.

It is up to each covered entity to choose HIPAA compliant vendors and understand the best practices when choosing and working with a vendor.

Related: HIPAA compliant email: the definitive guide


What is a healthcare vendor or business associate?

Healthcare organizations often collaborate with third-party vendors, or business associates, that handle PHI while supporting health operations. Their duties span a broad range of functions, including creating, receiving, transmitting, or maintaining PHI. To determine whether it is a business associate, a vendor should ask itself the following questions:

  • Do you provide services or perform functions for healthcare providers, health plans, or healthcare clearinghouses?
  • Are these services or functions integral to a covered entity’s operations?
  • Do you have a contractual agreement or arrangement with covered entities to provide these services?

If a vendor answers yes to these questions, it falls under the category of a business associate. Organizations that qualify as business associates are required to adhere to HIPAA regulations as set out in the HIPAA Privacy and Security Rules.

If vendors do not fulfill the responsibilities outlined there, they may be directly liable for certain HIPAA violations. In fact, recent Paubox statistics show that over one-third of breaches in 2023 (37.5%) involved a business associate.

Related: Business associate pays $2.3 million for HIPAA noncompliance


Examples of healthcare vendors

  1. Third-party administrators (e.g., claims processors)
  2. Email providers (such as Paubox Email Suite)
  3. IT service providers
  4. Cloud storage providers
  5. Telehealth platforms
  6. Electronic health record (EHR) providers
  7. Insurance companies
  8. Appointment scheduling software
  9. Marketing and website services
  10. Billing companies
  11. Medical transcriptionists
  12. Data analytics companies
  13. Lawyers, consultants, and accountants

Really, any business that works with a healthcare organization and handles PHI in any way is probably a healthcare vendor. If it is a business associate, a healthcare vendor must understand and follow HIPAA. A recent Forbes article says that “healthcare organizations need to partner with vendors that are knowledgeable about the industry, entrenched in the mission of improving patient care and ready to engage in an ongoing partnership.”


Finding a HIPAA compliant vendor that works for you

Maintaining patient privacy and complying with HIPAA are critical aspects of proper patient care. By following these steps before working with a vendor, you can confirm that each of your vendors meets HIPAA standards and can protect PHI.

  1. Assess HIPAA compliance capabilities. A vendor assessment involves evaluating security measures, encryption protocols, access controls, and employee training programs. Review the vendor’s history of handling PHI and ask about previous security incidents and breaches.
  2. Ask about security measures already in place. Focus on the Security Rule’s technical, physical, and administrative safeguards to ensure comprehensive protection. Require encryption for data at rest and in transit.
  3. Verify HIPAA-related policies and procedures. Review all policies and procedures that govern handling PHI securely and responsibly.
  4. Check the extent of employee HIPAA awareness training. Staff should be trained in protecting patient privacy, handling PHI properly, identifying and reporting security incidents, and maintaining a secure work environment.
  5. Examine the security incident response, disaster recovery, and backup plans. Ensure that vendors have well-defined security plans that set out the steps to be taken in the event of a data breach or security incident.

Hiring a HIPAA compliant vendor

Healthcare organizations must seek out vendors willing to prioritize healthcare and HIPAA and to participate in ongoing communication. Once you are sure that a vendor meets your expectations, sign a business associate agreement (BAA) with them before sharing any PHI. A BAA legally binds the vendor to comply with HIPAA regulations and to protect patient data.

Elements of a good BAA include PHI handling provisions, obligations and responsibilities, reporting and response procedures, and indemnification and liability. It outlines vendor responsibilities as well as the permitted uses and disclosures of PHI. In all, an agreement helps to establish accountability and compliance expectations.


Tips for managing vendors

Ensure vendors always adhere to HIPAA requirements. Conduct due diligence when selecting and retaining vendors, and regularly review their security practices to mitigate potential risks. To maintain HIPAA compliance throughout vendor collaborations, covered entities should check off the following:

  • Limit vendor access to PHI to what is needed for the contracted service
  • Establish and maintain clear communication channels
  • Regularly monitor and audit what vendors are doing and how they are doing it
  • Continuously review vendor plans for security incidents and disaster recovery
  • Resolve security incidents swiftly

In the event of noncompliance, covered entities need to address the problem with the vendor using an already-defined process. It may even be necessary to terminate the business relationship. The decision to continue working with a vendor should be aligned with the terms of the BAA and HIPAA.


FAQs

How must a business associate secure PHI?

Business associates must implement a multi-faceted approach with physical, administrative, and technical safeguards to secure PHI:

  • Physical safeguards involve controlling physical access to data storage.
  • Administrative safeguards include robust policies and procedures.
  • Technical safeguards employ encryption, access controls, and secure technologies to prevent unauthorized access or disclosure.


What happens if there is a PHI breach involving a business associate?

Business associates must act swiftly in the event of a PHI breach. They must report the breach to the covered entity, and, depending on the severity and scale of the breach, notifications to affected individuals and to the HHS Office for Civil Rights are required.


What rights do patients have regarding business associates handling their PHI?

Patients retain significant rights concerning their PHI. These rights include accessing their information, requesting amendments, and filing complaints if they believe their privacy rights have been violated by business associates. Business associates must respect and safeguard these rights.


How can a covered entity determine if a third party is a business associate?

To determine whether a third party is a business associate, covered entities need to look closely at the services the third party provides. The key is to carefully examine the third party’s specific activities and how much they involve PHI. This assessment allows covered entities to accurately identify business associate relationships and ensure compliance with the privacy and security standards set by HIPAA.


Are business associates directly liable for HIPAA violations, or does liability solely rest with covered entities?

Yes, business associates can be held directly responsible for violating HIPAA rules. Changes in HIPAA regulations mean that business associates are individually accountable for compliance and face penalties independently of covered entities. This is why business associates must implement robust privacy and security measures, recognizing their direct obligation to adhere to HIPAA standards and the potential consequences of noncompliance.