We got a question from a listener asking us for more information on selecting a HIPAA compliant IT company. The answer wasn't something we could do in a short and sweet HIPAA Answers episode, so we have created an episode to discuss it. What will really make your IT company better than the rest?
A managed service provider (MSP) is a third-party contractor that is under contract (usually a monthly fee) to provide on-going technology support to other organizations.
Most covered entities (CEs) and many business associates (BAs) don't really understand what they need from their Technology Provider at all, much less when it comes to HIPAA. That means you need to count on the provider to know specifically what you need when it comes to HIPAA requirements. Also, we don't see how anyone can handle security today without a professional IT team on staff or one under contract. With those assumptions in mind, here are some things you should be expecting from the Tech Support Team for your business.
6 Things To Expect From HIPAA Compliant IT
You need a Technology Provider that looks at the big picture, not just a count of routers, computers, servers, and your other devices. Many CEs and BAs require a variety of vendors to come in with software and equipment to meet their needs. There are almost always several different systems and devices that will be outside the normal list of equipment supported by any Technology Provider. They should do a hardware inventory and ask about every device that contains PHI, not just the obvious ones. A cardiologist may have heart monitors they send out with patients, oncologists have drug inventory systems, imaging centers have MRIs that connect to the network, plus many other examples. All of these devices could contain PHI and pose a risk to security, but no one in the office actually understands they should be worrying about them too. A Technology Provider that is versed in HIPAA understands that to be the case and takes action for you.
You need a Technology Provider who asks more questions than expected. If they see something odd in your offices, the Tech Provider shouldn't think "that's weird, but you didn't ask me to worry about that" and move on. You really may not understand that you NEED them to worry about a particular practice, or lack of one, in your office. Their team should have a system for, at the very least, reporting back to their office if a Tech noticed something that could be a problem while onsite or doing remote support. You should expect that they will be asking questions to protect you, not just to sell something. If they do bring things to your attention, they should be documenting what they have told you, no matter how you choose to respond to the issue. There has to be a reasonable level of trust between you and that Technology Provider. They are the experts you really need in today's connected world.
You need a Technology Provider that is proactive in providing you with the reports, audits, follow-up, and monitoring that HIPAA requires. You may think it is overkill to receive regular reports of your monitoring status and activity. However, it is vital that you have these documents in place to prove it is a regular process being properly monitored, as required in the Security Rule. They shouldn't just keep the reports for you either. They should keep a copy for themselves AND send one to you. I can't count the number of times we have encountered offices that think their IT support is taking care of those reports, only to find out they don't exist when asked for them. They should set up some system where those reports go automatically and let you know when something is added or needs attention. One more very important thing: do not let some Tech Person throw a huge log report at you with pages of technical transactions. You need a Management Summary of the activity, not every detail of activity that has occurred.
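As an illustration of the difference between a raw log dump and a management summary, here is an added example (not code from the episode or from any provider) that reduces a handful of audit-log lines to the few facts an office manager actually needs. The log lines, the event names, the office hours and the failed-login threshold are all constructed assumptions for the example.

```python
"""Reduce raw audit-log lines to a short management summary.

Added example. The line format ("timestamp host EVENT key=value ...") and the
event vocabulary are assumptions; the sample lines are constructed and refer to
no real system, user or address.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-04T08:02:11 ehr-app1 LOGIN_OK user=jsmith src=10.0.1.20
2024-03-04T08:05:42 ehr-app1 LOGIN_FAIL user=jsmith src=10.0.1.20
2024-03-04T08:05:50 ehr-app1 LOGIN_FAIL user=jsmith src=10.0.1.20
2024-03-04T08:06:03 ehr-app1 LOGIN_OK user=jsmith src=10.0.1.20
2024-03-04T12:30:00 backup01 BACKUP_OK job=nightly
2024-03-04T23:41:17 ehr-app1 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-04T23:41:25 ehr-app1 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-04T23:41:33 ehr-app1 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-04T23:41:40 ehr-app1 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-04T23:41:48 ehr-app1 LOGIN_FAIL user=admin src=203.0.113.9
2024-03-05T02:15:09 ehr-app1 PHI_EXPORT user=bjones records=1200
2024-03-05T03:00:00 backup01 BACKUP_FAIL job=nightly
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
BUSINESS_HOURS = range(7, 19)   # assumed office schedule: 07:00 to 18:59
FAIL_THRESHOLD = 5              # assumed review threshold per user and source


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"time": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def summarize(log_text):
    """Return counts plus a short list of items that need a human's attention."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    if not events:
        return {"period": None, "events_total": 0, "logins_ok": 0,
                "logins_failed": 0, "needs_attention": []}

    fails = Counter((e.get("user"), e.get("src"))
                    for e in events if e["event"] == "LOGIN_FAIL")
    after_hours = [e for e in events
                   if e["event"] in ("LOGIN_OK", "PHI_EXPORT")
                   and e["time"].hour not in BUSINESS_HOURS]
    backup_fail = [e for e in events if e["event"] == "BACKUP_FAIL"]

    attention = []
    for (user, src), n in fails.items():
        if n >= FAIL_THRESHOLD:
            attention.append(f"{n} failed logins for {user} from {src}")
    for e in after_hours:
        attention.append(f"after-hours {e['event']} by {e.get('user')} "
                         f"at {e['time']:%Y-%m-%d %H:%M}")
    for e in backup_fail:
        attention.append(f"backup job {e.get('job')} failed on {e['host']}")

    times = [e["time"] for e in events]
    return {
        "period": (min(times).date().isoformat(), max(times).date().isoformat()),
        "events_total": len(events),
        "logins_ok": sum(1 for e in events if e["event"] == "LOGIN_OK"),
        "logins_failed": sum(fails.values()),
        "needs_attention": attention,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"Period {summary['period'][0]} to {summary['period'][1]}: "
          f"{summary['events_total']} events, {summary['logins_ok']} successful logins, "
          f"{summary['logins_failed']} failed logins")
    for item in summary["needs_attention"]:
        print(" - needs attention:", item)
```

Twelve raw lines become three sentences and three action items: a burst of failed logins, an after-hours PHI export, and a failed backup. The thresholds and hours belong in a written agreement with the provider so that the summary reflects what the office considers normal.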
You need a Technology Provider that isn't afraid to say "I don't know, but I will see what I can find out." The healthcare industry is huge, complex, and constantly changing. Anyone that tells me they know about all of it is immediately suspect. Your Technology Provider should work with you and ask what you use and whether you have checked Best Practices or Security White Papers concerning security settings for those applications. They don't have to know all the answers; they just have to go find the information for you once they learn what you use. They should determine where data is moving between all those applications and devices to confirm that you have the security covered for all of it. In order to do this for you, both of you must trust that, if either of you doesn't know the answer, you won't make one up or treat the other party as inadequate for not knowing.
You need a Technology Provider who will double-check and document even the smallest changes made while supporting you. The Wall of Shame is full of cases involving well-meaning Tech Support accidentally opening up a major hole that created a breach. A Tech moves some PHI data to a spare server just to test something but forgets to remove it. A firewall is opened up for a one-time process and left open long term. New equipment is installed and there is no checklist to confirm all the necessary security elements were addressed. They should have checklists, forms, etc. that their Techs complete for every project. If they touch settings or data, it should be documented and confirmed. You should get copies of those too.
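The three failure stories above (PHI parked on a spare server, a firewall opened "just for today", new equipment with no checklist) share one cause: a change that was never written down with a date to undo it and a second person to confirm it. The following added example, not the episode's or any provider's code, sketches a minimal change register that catches all three. The record fields, the install checklist items and the sample entries are assumptions constructed for illustration.

```python
"""Minimal change register that flags undocumented and overdue temporary changes.

Added example. Field names, the checklist items and the sample records are
constructed assumptions, not a real provider's forms.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed checklist for any new equipment that touches the network.
INSTALL_CHECKLIST = (
    "default passwords changed",
    "encryption at rest enabled",
    "added to hardware inventory",
    "backup and monitoring configured",
    "firewall rules reviewed",
)


def install_checklist(done):
    """Build a checklist dict from the items that were actually completed."""
    return {item: item in done for item in INSTALL_CHECKLIST}


@dataclass
class ChangeRecord:
    change_id: str
    asset: str                          # device or system that was touched
    description: str
    performed_by: str
    performed_on: date
    touches_phi: bool = False
    temporary: bool = False             # must be undone later
    revert_by: Optional[date] = None    # deadline for undoing a temporary change
    reverted_on: Optional[date] = None
    verified_by: Optional[str] = None   # second person who double-checked
    checklist: dict = field(default_factory=dict)   # item -> done?


def validate(rec):
    """Return the documentation gaps in one record (empty list means complete)."""
    gaps = []
    if rec.temporary and rec.revert_by is None:
        gaps.append("temporary change has no revert-by date")
    if rec.verified_by is None:
        gaps.append("no second-person verification recorded")
    gaps += [f"checklist item not done: {item}"
             for item, done in rec.checklist.items() if not done]
    return gaps


def overdue(records, today):
    """Temporary changes whose revert-by date has passed and were never reverted."""
    return [r for r in records
            if r.temporary and r.reverted_on is None
            and r.revert_by is not None and r.revert_by < today]


def report(records, today):
    """Management view: which changes are overdue and which are incompletely documented."""
    gaps = {r.change_id: validate(r) for r in records}
    return {"overdue": [r.change_id for r in overdue(records, today)],
            "gaps": {cid: g for cid, g in gaps.items() if g}}


# Constructed sample records mirroring the three stories in the text.
SAMPLE_RECORDS = [
    ChangeRecord("CHG-001", "edge-firewall", "opened inbound port for vendor upload",
                 "tech1", date(2024, 3, 1), temporary=True,
                 revert_by=date(2024, 3, 5), verified_by="tech2"),
    ChangeRecord("CHG-002", "spare-srv1", "copied PHI extract for testing",
                 "tech1", date(2024, 3, 2), touches_phi=True, temporary=True),
    ChangeRecord("CHG-003", "mri-workstation-2", "installed new imaging workstation",
                 "tech3", date(2024, 3, 6), touches_phi=True, verified_by="tech2",
                 checklist=install_checklist({"default passwords changed",
                                              "encryption at rest enabled",
                                              "backup and monitoring configured",
                                              "firewall rules reviewed"})),
    ChangeRecord("CHG-004", "vpn", "temporary auditor account",
                 "tech2", date(2024, 3, 4), temporary=True,
                 revert_by=date(2024, 3, 10), reverted_on=date(2024, 3, 9),
                 verified_by="tech3"),
]


if __name__ == "__main__":
    result = report(SAMPLE_RECORDS, date(2024, 3, 12))
    print("Overdue temporary changes:", ", ".join(result["overdue"]) or "none")
    for cid, gaps in result["gaps"].items():
        for gap in gaps:
            print(f"{cid}: {gap}")
```

Run on the sample records, the register reports the firewall change as overdue, the PHI copy as both undated and unverified, and the workstation install as missing its inventory entry; the auditor account, which was reverted on time and verified, produces nothing. A copy of this report is exactly the kind of document the office should receive alongside the provider's own.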
You need a Technology Provider that takes HIPAA seriously. Some vendors take a 3-hour class and a quick quiz to "cover" HIPAA in their company. It is impossible to protect their clients properly with that approach. All the previous points should make that clear. It isn't just another certification to check off their list. This new world where both CEs and BAs are separately and equally liable for HIPAA has yet to produce the worst-case scenarios that are bound to happen with that lax approach. It seems like easy money to many, but eventually that will hurt someone badly. Both the Technology Provider and all their clients may suffer before others realize this isn't easy and certainly not a way to make a quick buck. Ask plenty of questions about how they address HIPAA requirements.
If nothing else, use this list to weed out the less-than-desirable ones.