Tough questions to ask vendors about HIPAA compliance

May 18, 2016

The cloud revolution has many advantages such as lower costs, faster ROI and more power in the hands of customers. However, when you use cloud services your company data is no longer hosted on your own physical IT infrastructure, so there are new legal and technical issues that have to be addressed.

Companies that work with protected health information (PHI) are required by federal law to comply with the Health Insurance Portability and Accountability Act (HIPAA). Passed in 1996, HIPAA and its Security Rule require covered entities to put administrative, physical and technical safeguards around PHI and electronic health records; encryption of electronic PHI is an "addressable" specification, which in practice means you either encrypt or document why an equivalent safeguard is adequate. Many companies choose to host sensitive information with another company, known as a Business Associate. In such cases the Business Associate must also be HIPAA-compliant and is directly liable for its own failures.

But how can you tell if your Business Associate meets HIPAA requirements?

Before establishing a relationship with a vendor, verify that the vendor will sign your Business Associate Agreement (BAA) by having it reviewed by the vendor's legal team. A BAA is a contract between a HIPAA-covered entity and a HIPAA Business Associate that sets out how the Business Associate may use and safeguard PHI. During the review, their legal team may raise issues or concerns, which you should work to resolve quickly.

Also, determine whether the vendor will accept the specific terms and conditions you need. There are often state mandates that must appear in a BAA for it to be compliant. If the vendor will not agree to your company and state requirements, you can quickly cross them off your list and look for a new vendor.

Levels of compliance

Some vendors say that they are HIPAA compliant, but that does not guarantee they will sign your BAA. For example, many IT help desk and customer service software vendors will not sign a customer BAA because it carries additional liability. It is therefore imperative to ask detailed questions about the vendor's willingness to sign your BAA. If they will not sign it, you may have to host the application on your own internal infrastructure instead.

Other vendors may mention, often during the sales process, that because they host on Amazon Web Services (AWS) they are HIPAA compliant by default. In reality, at the time of writing only nine AWS services are covered by the AWS BAA, and being hosted on AWS says nothing about how the vendor has configured them.

According to AWS, “customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store and transmit PHI in the HIPAA-eligible services defined in the AWS BAA.” The nine HIPAA-eligible services include:

· Amazon DynamoDB
· Amazon Elastic Block Store (EBS)
· Amazon Elastic Compute Cloud (EC2)
· Amazon Elastic MapReduce (EMR)
· Amazon Elastic Load Balancer (ELB)
· Amazon Glacier
· Amazon Relational Database Service (RDS) [MySQL and Oracle engines]
· Amazon Redshift
· Amazon S3

Using these services does not by itself make a vendor HIPAA compliant. They are only "HIPAA-eligible": the vendor still has to configure the environment correctly, for example by encrypting PHI at rest and in transit and by keeping PHI out of the services the BAA does not cover.

Another important question to ask the vendor is whether experienced HIPAA security compliance experts assist with and audit their HIPAA implementation on AWS. Most software companies do not have the security and HIPAA expertise in-house to maintain compliance on an ongoing basis.

Finally, some vendors will not sign your BAA but will offer to sign a weakened version of their own, with no real liability protection for your company, and may only tell you so late in the sales process. The best way to save time and effort is to ask the vendor to sign your company's BAA early on; if they refuse, get a copy of their BAA and check whether it meets your requirements.

If you are having trouble finding a vendor, you can do a web search for “HIPAA help desk,” “HIPAA customer service” and similar terms. Here are some more questions to ask vendors about HIPAA compliance:

1. What is your backup strategy, and are the backups encrypted? A backup is a complete copy of the PHI, so it needs the same protection as the primary data: it should be encrypted, and the vendor should be able to say who holds the keys and how often restores are tested.

2. Is all data encrypted at rest as well as in transit? HTTPS (TLS) in the browser encrypts data while it is in motion during an active session. However, data must also be encrypted while it is at rest on the vendor's database and storage servers, and in any backups taken from them.

3. Does your vendor follow an Agile Software Development (ASD) process? An ASD process is a short-cycle development process with a continuous flow of product updates, bug fixes and security fixes. This matters because applications and infrastructure have to be patched and upgraded on an ongoing basis; ask specifically how quickly a security fix reaches production. A common Agile practice is to ship a new release at least once per month.

4. Does your vendor have data breach insurance? A data breach can be costly. A BAA makes the vendor contractually, and under HITECH directly, liable for its own failures, but it does not remove your obligations as the covered entity, so check that the vendor can actually bear the cost of a breach.
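
Questions 1 and 2 above, and the earlier point that HIPAA-eligible AWS services still have to be configured correctly, can be checked rather than taken on trust. The script below is an added example, not code from the original article or from AWS. It takes API responses shaped like boto3's `ec2.describe_volumes`, `ec2.describe_snapshots`, `rds.describe_db_instances` and `rds.describe_db_snapshots` (the inventory embedded here is constructed sample data, and names such as `ehr-prod` are invented) and reports volumes, databases and backup snapshots that are not encrypted at rest, plus RDS instances with automated backups switched off. Running it against live responses, or asking the vendor to run it in their HIPAA account and share the output, turns the encryption question into evidence.

```python
"""Added example: find PHI stores and backups that are not encrypted at rest.

The inventory below is CONSTRUCTED sample data shaped like the boto3 responses
ec2.describe_volumes, ec2.describe_snapshots, rds.describe_db_instances and
rds.describe_db_snapshots. A real run would pass the live responses instead;
identifiers such as "ehr-prod" are invented for illustration.
"""
from typing import Dict, List

SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aa1", "Encrypted": True},
    {"VolumeId": "vol-0bb2", "Encrypted": False},   # PHI volume, no encryption
    {"VolumeId": "vol-0cc3"},                       # flag absent: treat as unencrypted
]}
SAMPLE_EBS_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-1111", "VolumeId": "vol-0aa1", "Encrypted": True},
    {"SnapshotId": "snap-2222", "VolumeId": "vol-0bb2", "Encrypted": False},
]}
SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "ehr-prod", "Engine": "mysql",
     "StorageEncrypted": True, "BackupRetentionPeriod": 7},
    {"DBInstanceIdentifier": "ehr-staging", "Engine": "mysql",
     "StorageEncrypted": False, "BackupRetentionPeriod": 0},
]}
SAMPLE_DB_SNAPSHOTS = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "ehr-prod-2016-05-17",
     "DBInstanceIdentifier": "ehr-prod", "Encrypted": True},
    {"DBSnapshotIdentifier": "ehr-staging-manual",
     "DBInstanceIdentifier": "ehr-staging", "Encrypted": False},
]}


def _not_encrypted(items: List[dict], id_key: str, flag: str) -> List[str]:
    """IDs of items whose encryption flag is missing or False.

    A missing flag is reported as well: the safe assumption is "not encrypted".
    """
    return [item[id_key] for item in items if not item.get(flag, False)]


def unencrypted_volumes(resp: dict) -> List[str]:
    return _not_encrypted(resp["Volumes"], "VolumeId", "Encrypted")


def unencrypted_ebs_snapshots(resp: dict) -> List[str]:
    # EBS snapshots inherit the volume's encryption state, so an unencrypted
    # snapshot is a plaintext copy of everything that was on the volume.
    return _not_encrypted(resp["Snapshots"], "SnapshotId", "Encrypted")


def unencrypted_db_instances(resp: dict) -> List[str]:
    return _not_encrypted(resp["DBInstances"], "DBInstanceIdentifier",
                          "StorageEncrypted")


def unencrypted_db_snapshots(resp: dict) -> List[str]:
    return _not_encrypted(resp["DBSnapshots"], "DBSnapshotIdentifier", "Encrypted")


def db_instances_without_backups(resp: dict) -> List[str]:
    # A BackupRetentionPeriod of 0 means automated backups are switched off.
    return [d["DBInstanceIdentifier"] for d in resp["DBInstances"]
            if d.get("BackupRetentionPeriod", 0) == 0]


def audit(volumes: dict, ebs_snapshots: dict, db_instances: dict,
          db_snapshots: dict) -> Dict[str, List[str]]:
    """Run every check and return only the non-empty findings, keyed by check."""
    findings = {
        "ebs_volume_unencrypted": unencrypted_volumes(volumes),
        "ebs_snapshot_unencrypted": unencrypted_ebs_snapshots(ebs_snapshots),
        "rds_storage_unencrypted": unencrypted_db_instances(db_instances),
        "rds_snapshot_unencrypted": unencrypted_db_snapshots(db_snapshots),
        "rds_automated_backups_off": db_instances_without_backups(db_instances),
    }
    return {check: ids for check, ids in findings.items() if ids}


if __name__ == "__main__":
    for check, ids in audit(SAMPLE_VOLUMES, SAMPLE_EBS_SNAPSHOTS,
                            SAMPLE_DB_INSTANCES, SAMPLE_DB_SNAPSHOTS).items():
        print(f"{check}: {', '.join(ids)}")
```

The checks deliberately treat a missing `Encrypted` or `StorageEncrypted` field as a finding rather than silently passing it, and the RDS backup-retention check catches the case where a vendor answers "yes, encrypted" while having no backups at all. The same pattern extends to S3 buckets and Redshift clusters; only the response shape and flag name change.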

Pricing

Also be aware that additional charges often apply for HIPAA-compliant products. The general pricing on a vendor website does not usually include the HIPAA add-on costs; there is typically a more expensive tier of the product that you must purchase to get the BAA and the compliant configuration. So be sure to ask vendors about pricing as well.

It is vital to ask vendors tough questions about HIPAA compliance so that you are confident in their ability to protect patient data, meet the regulatory requirements and protect you against a data breach or HIPAA violation.
