If a vendor doesn’t want to provide information, or can’t provide good data, the organization needs to perform a risk assessment to determine if they are willing to accept the risk presented from the lack of information.
Update organization BAAs: After doing the two steps above, organizations should have listings of their vendors and their BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete with the names of both parties and the appropriate signatures? Is the contact information correct? If the vendor doesn’t have a BAA, it’s past time to get a BAA. If the vendor with access to PHI refuses to sign a BAA, it’s time to terminate that relationship!
Monitoring vendors for PHI security is not a “one time” review. A vendor who had a great security person who understood HIPAA and the organization's requirements can have a financial setback and replace the experienced security director to save money. A vendor who assured an organization that their data was stored and processed in the USA can suddenly outsource to an offshore location for processing of the account. While this monitoring can take time and resources, as many have learned in healthcare, a little prevention can often head off a major issue.
About the Author: Carol Amick is an experienced healthcare compliance professional with over 20 years of experience in healthcare. After starting her career at HCA she moved on to become a compliance consultant for a “Big 4” accounting firm and has since served as the internal audit director, compliance director and privacy officer for several healthcare providers. Carol has worked with post-acute care, outpatient, and acute care providers to develop and implement effective compliance programs. During her time as compliance and privacy director Carol has led numerous investigations into PHI breaches and responded to outside investigations by the OCR, OIG and other regulatory agencies.
Back to HCB News
