4. Documented HIPAA compliance
Practices need to keep their technology practices in line with HIPAA requirements and should expect an IT partner to be able to document the practice's compliance efforts. This is essential because certain records are needed in the event of an Office for Civil Rights (OCR) audit or a breach. Most practices are probably not aware of the OCR's recent statements that it is increasing its audits of practices, but partner firms certainly should be.
It's important to differentiate between the HIPAA compliance of your individual vendors and that of your practice as a whole. Is your cloud-based EHR solution HIPAA-compliant? Of course it should be, and it probably is. But that doesn't mean your practice as a whole is compliant. Are you regularly applying software patches to your desktop software? Are you managing encryption on employee mobile devices?
Some IT partners, for instance, will offer practices an online portal that shows the status of the practice's compliance from the last risk assessment forward, including its efforts to remediate gaps, employee training efforts, and more.