“Trust but verify” is the new standard for Business Associate relationships today. They must sign a BAA, but you really need to ask some questions to confirm those BAs understand, and are actually doing, the things they have agreed to do for you. Today we are discussing HIPAA compliant vendor vetting: both why and how you should be thinking about it differently than you have in the past.

Covered Entities (CEs) haven’t really worried about the details of the contracts too much, as long as the vendors would sign them. Many vendors have signed, and continue to sign, BAAs without any concern at all for what the contract actually says they are going to do in their business. For so many years a BAA was just something you had to sign in order to do work in healthcare. It didn’t matter if you did anything with it other than put it in the file with the other ones you had signed. The new world of HIPAA compliance, huge data breaches, and civil fines and penalties means neither side of the contract can function that way any longer. It is imperative that HIPAA compliant vendors are vetted in some manner to confirm you really are protecting your patients, clients, business, and reputation.

Sure, we have a “HIPAA compliant” solution

  • FTC case against Henry Schein Practice Solutions, Inc. $250,000 settlement
    • They claimed they were a “HIPAA Compliant Vendor,” but the encryption was not compliant. They claimed that their Dentrix G5 software was HIPAA compliant and used “industry-standard encryption”.
    • Their third-party database engine vendor informed them that the form of data protection used in Dentrix G5 was a proprietary algorithm that had not been tested publicly. An algorithm that doesn’t meet industry standards makes the database protection less secure and more vulnerable than widely used, industry-standard encryption algorithms such as the Advanced Encryption Standard (“AES”).
    • BTW, Windows EFS uses AES-256 by default (unless we are talking about XP, which is a perfect segue to the next topic).
  • Vendors who are still using XP for their solutions for some reason
    • “We can’t upgrade that one because it runs our XYZ machine (or connection)” and they don’t have a version that works with Windows 7/8/10.
    • Australia, Jan 2016: one of Melbourne’s largest hospital networks was shut down by a virus outbreak that spread from XP computers.
    • The pathology department is where the virus struck first.
    • “Critically abnormal” hematology and biochemistry results were being telephoned to staff on wards, including the intensive care unit and emergency department.
    • “This will take some time so staff must not attempt to fix the problem themselves” was their first release. The PR update the next day said “As of 10am this morning, many programs affected by the virus are up and running including pathology and pharmacy.”
    • One article reported on the hospital’s response: “When asked if the virus would jeopardise the safety and privacy of patient’s records, she made no comment.”
  • HIPAA Compliant IT provider that caused breaches for their clients
    • Oral surgeon website set up and managed by their IT vendor, who said they were definitely HIPAA compliant. They left patient forms in the publicly available area of the web server.
    • Other BAs that have signed the required BAA but still caused a breach:
      • The Cottage Health mess they are in with their cybersecurity vendor.
        • BTW, it is in arbitration now, not settled yet, and may come back to court.
      • Firewall left open after upgrades.
      • Data uploaded to the company server “for just a minute while we fix a problem,” then forgotten about entirely.
  • “HIPAA is easy” claims from HIPAA compliant vendor tools
    • “Up to 40%” is not an appropriate claim – we figured it out.
    • “Just run our tool and you are done” – HIPAA requires regular audits and documentation.
    • “Just use our templates for your P&P and you are done” – if you just have them but don’t follow them or train using them, they don’t help at all.
    • “Just use our report, which tells you everything you should be doing” – but it doesn’t tell you how to do any of it.
    • “Here is your assessment in a nice 3-ring binder, including your implementation plan; see you next year when I do it again” – that just leaves you hanging.
  • Remember just saying you are a HIPAA compliant vendor doesn’t mean you understand HIPAA
    • Anybody can sell HIPAA services.
    • Make sure they really know something about HIPAA and they aren’t just selling you a solution.
    • If a HIPAA compliant vendor doesn’t understand what you need then how can they know this product is right for you?
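The patient-forms-on-the-public-web-server and “uploaded for a minute and forgotten” breaches above share one failure: PHI sitting somewhere reachable that nobody checked. Below is an added example, not code from the original post or from any vendor it mentions, of a defender-side check a CE could run against its own web root as part of vetting: it walks the public document root and flags files that look like patient forms. The directory layout, file names and file contents are constructed for the demo, and the PHI indicators are simple heuristics (SSN-shaped numbers, date-of-birth and medical-record labels, intake-form headings), not an official HIPAA definition.

```python
"""Added example: scan a public web root for documents that look like PHI.

The web root, file names and contents below are constructed for the demo.
Real PDFs and Office files are compressed, so in practice you would run them
through a text extractor first (not shown here); the scanner reads plain bytes.
"""
import os
import re
import shutil
import tempfile

# Document types a public web root rarely needs but intake forms often use.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".txt"}

# Heuristic PHI indicators (hypothetical, tuned for the demo files below).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(date of birth|dob)\b", re.IGNORECASE),
    "mrn": re.compile(r"\b(medical record|mrn)\b", re.IGNORECASE),
    "intake": re.compile(r"\bpatient (intake|registration|history) form\b",
                         re.IGNORECASE),
}


def classify_file(path):
    """Return the PHI indicator names found in a file (empty list if none)."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(1_000_000).decode("utf-8", errors="ignore")
    except OSError:
        return []
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def scan_web_root(web_root):
    """Walk the public document root and return {relative_path: [indicators]}.

    A file is reported when it carries PHI indicators AND is either a document
    type (not a normal web page) or lives under an upload directory.  HTML pages
    that merely ask for a date of birth in a form are therefore not reported.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            hits = classify_file(full)
            if hits and (ext in DOCUMENT_EXTS or "upload" in rel.lower()):
                findings[rel] = hits
    return findings


def build_demo_root():
    """Create a constructed web root: clean pages plus two leaked documents."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "forms"))
    samples = {
        "index.html": "<h1>Welcome to our oral surgery practice</h1>",
        # A web form that asks for DOB is not itself a leak.
        "contact.html": "<label>Date of Birth</label><input name='dob'>",
        "about.txt": "Office hours: Mon-Fri 8am-5pm",
        # Intake form left in the upload directory "for just a minute".
        "uploads/intake_2016.txt": ("Patient Intake Form\nName: Jane Doe\n"
                                    "Date of Birth: 01/02/1970\nSSN: 123-45-6789\n"),
        # Export with medical record numbers in a document directory.
        "forms/export.csv": "mrn,last,first\n00123,Doe,John\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_demo():
    """Build the constructed web root, scan it, clean up, return the findings."""
    root = build_demo_root()
    try:
        return scan_web_root(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, hits in sorted(scan_demo().items()):
        print(f"EXPOSED: {rel}  indicators={hits}")
```

On the demo root the scanner reports only the intake form under `uploads/` and the CSV export, not the contact page that merely asks for a date of birth. Point `scan_web_root()` at a real document root (or at a copy of what the vendor says is public) and anything it reports is a conversation to have with the vendor before, not after, a breach.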

HIPAA Compliant Vendor: Trust But Verify

  • Don’t just tell me you’re HIPAA compliant, prove it.
    • If OCR says it to you then why can’t you say it to them?
  • Take a trust-but-verify approach to everything, even if they say they are a HIPAA Compliant Vendor.
  • The “Oh, they signed the BAA so it’s ok” approach will not protect you when things go wrong – your patients/clients won’t care that you had them sign something but never made sure they were doing anything.
  • Exactly what makes your product or service HIPAA compliant?
  • Exactly how does your product or service make HIPAA easy?

What happens if we break up?

  • If you give them complete control, how do you get control back?
    • The BAA says they must return OR destroy the PHI at the end of the relationship, unless they are willing to keep protecting it themselves indefinitely.
    • Does it say they have to give you access to your own systems?