Electronic and mobile healthcare technologies have exploded in the past decade, making patient data easier to collect, analyze, and share. But they’ve also made it that much more complex for medical practices to stay secure and HIPAA-compliant.
Healthcare data is among the most sensitive types of data, and HIPAA compliance is serious business. If you want to ensure the technology you employ at your practice is HIPAA compliant, ask your tech vendor these six important questions.
Are you HIPAA-compliant?
Too obvious? Maybe. But you should never assume your vendor is HIPAA compliant until you see the paperwork to prove it. Keep in mind that HHS does not certify anyone as "HIPAA compliant," so a vendor's own say-so means little. What you can ask for is a recent report from an independent auditor that assessed the vendor against the latest OCR HIPAA Audit Protocol, and you should read which systems were in scope and whether any findings are still open. Don't feel silly asking either—this is the security of your practice and your patients we're talking about.
Do you have documented policies and procedures in the case of a data breach or other disaster?
When healthcare data is breached, lost, or otherwise compromised, strict timelines come into play. Under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, and that clock starts running whether the breach happened at your practice or at your vendor. Without properly documented policies and procedures that spell out who discovers, who reports, and who notifies, you or your vendor could miss those deadlines and face penalties and costly lawsuits.
This documentation should also include a Business Associate Agreement (BAA), which HIPAA requires for any vendor that creates, receives, stores, or transmits protected health information on your behalf. The BAA needs to spell out how the vendor may use your data, what safeguards it will apply, how quickly it will report a security incident to you, whether it may pass data to subcontractors, and what happens to your practice's data (return or documented destruction) once you terminate service with that vendor.
How is data encrypted, stored, and/or backed-up?
These are the more technical details about what your vendor will actually do to protect your data. Are there separate database and web servers? Is data being stored in the cloud, and if so, in which region and under whose account? Are there private firewalls? What encryption standards will be used, both for data in transit (current TLS) and for data at rest, and who holds the encryption keys? How many copies of the data will be stored, will any copies be stored off-site, and are the backups themselves encrypted and periodically test-restored? Will there be a VPN for remote access, and does remote access require multi-factor authentication? Finally, who at the vendor can reach your data, and is that access logged?
If the IT jargon goes over your head, ask the vendor to explain, or run these technical specifications by an IT professional, either one on your staff or another trusted and knowledgeable individual, preferably with experience in healthcare data.
Is your staff trained well enough to troubleshoot and answer questions?
Certainly your vendor's staff will be trained in using the technology itself. But are they trained to use the tech in terms of HIPAA compliance? It's not enough to know how to encrypt or restore backed-up data. The HIPAA Security Rule requires administrative, physical, and technical safeguards, which in practice means things like physical access controls, logical access controls and unique user accounts, risk analysis and incident response and reporting, password and workstation use policies, and audit logging, to name a few. Your vendor's staff must be trained in these, or you risk the security of your patients' data through ignorance or negligence.
Also, it's best if the staff can not only do the work themselves but also answer your and your employees' questions about the software and hardware in plain language.
Do you provide training for my employees?
While your tech vendor may do much of the heavy lifting in terms of installation and maintenance, you and your employees are going to be entering and accessing this data on a regular basis. HIPAA requires you, as the covered entity, to train your workforce on security awareness, and that obligation stays with your practice no matter who you hire. So it's important that your vendor offer training in at least the basics of data security when using the technology suite you choose for your practice: recognizing phishing, locking workstations, using unique accounts rather than shared logins, and reporting anything suspicious. The right training can prevent needless data breaches, loss, and other security complications.
Do you have references from other practices similar to my own?
Every size of business has different security needs, so knowing that your vendor has worked with other practices of your size and specialty can offer some peace of mind. When you do call those references, ask specifically how the vendor handled an outage or a security incident, not just whether the software works. If a vendor scoffs at your references request, you may want to rethink the relationship. You need to be able to trust this vendor, and its references, if it expects you to hand over invaluable patient data.
Never be afraid to ask questions—especially when it comes to ensuring the safety and security of your patients’ healthcare information. Asking the right questions now could save you from headaches in the future.