The vendors you choose to help run your business will determine your business success level. Ultimately, your vendor’s vulnerabilities are your vulnerabilities, which is why HIPAA emphasizes the importance of business associate compliance. Business associate vendors must be compliant with HIPAA standards. So how do you ensure that you are choosing HIPAA compliant vendors?
What is a Business Associate?
While not all vendors are considered business associates, many are. So does HIPAA consider a business associate vendor? A business associate vendor is any entity that creates, receives, transmits, or stores protected health information (PHI) on behalf of a healthcare organization. Some examples of business associates include electronic medical record platforms, email service providers, cloud storage services, online appointment schedulers, teleconferencing tools, and electronic payment software. When choosing which vendors are appropriate for your practice, you are obligated to vet them to ensure that they are HIPAA compliant vendors.
What Makes a Vendor HIPAA Compliant?
Many of the requirements that healthcare organizations need to meet also apply to business associates. HIPAA compliant vendors must ensure the confidentiality, integrity, and availability of PHI. To do so, they must implement safeguards to prevent unauthorized access or disclosure of PHI.
HIPAA compliant vendors implement the following.
Access Management
A key component of HIPAA compliance is controlling who has access to PHI. In today’s environment, most PHI is stored in an electronic format, making access management the best way to do so. Access management incorporates several components, including user authentication, access controls, and audit logs. To implement user authentication, unique login credentials must be given to each user of a platform or software.
HIPAA points to the need for unique login credentials in their minimum necessary standard, which requires PHI access to be limited to only the information needed to complete a specific task. Under this standard, employees must be given access to only the PHI they need to perform their job functions through unique login credentials, known as access controls. PHI access must also be tracked to ensure the minimum necessary standard is adhered to. To accomplish this, organizations must keep audit logs. Audit logs enable administrators to track which employees access what data and how long they access it. Tracking PHI access also establishes regular access patterns for each employee to detect inappropriate or unauthorized access quickly.
Data Security
As hacking incidents continue to plague the healthcare sector, data security is of utmost importance. End-to-end encryption (E2EE) is the best way to prevent hacking incidents. E2EE prevents unauthorized access to data as it is transmitted through receipt.
Although not explicitly mandated by HIPAA, the Security Rule states that “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”
Data Backup
Businesses working with PHI must also implement data backup procedures. Establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI) is essential to implementing an effective data backup plan. In the case of a breach or natural disaster, data backup facilitates business continuity and the quality of patient care.
HIPAA Business Associate Agreement
Regardless of how secure a vendor is, they are not a HIPAA compliant vendor if they do not sign business associate agreements (BAAs). Vendors that will not enter into a BAA with their healthcare clients cannot be used for business associate services.
A BAA is a legal agreement between a healthcare provider and their business associate vendor that requires each signing party to be HIPAA compliant and agree to maintain its compliance. A business associate agreement is essential to compliance as they ensure that each party implements measures to safeguard PHI.
