What questions do you need to ask to find a reputable HIPAA compliance firm?
Getting a third party’s assistance is often less work and cost than trying to comply with HIPAA yourself. The question is…how do you select a reputable firm?
Here are some questions you should ask before outsourcing HIPAA.
Before you start the process of vetting your future vendor, you’ve got to ask yourself what you want from the relationship. Here are some preliminary questions to ask yourself as you create your list of wants.
Pay special attention to that final question. Many companies focus on getting you compliant but don’t have the expertise, technology, or know-how to actually get you secure… which is the whole point of HIPAA compliance.
As you list out your vendor requirements, I suggest prioritizing them based on importance to your compliance program. Here’s a sample list I put together:
If you have more than a couple of providers or you are a business associate, you need an onsite HIPAA audit instead of trying to complete your HIPAA risk analysis and HIPAA risk management plan by yourself.
Generally speaking, larger organizations have more complex network technology and processes. That is why hiring a security expert to physically come onsite to ensure your organization has adequately met all HIPAA requirements is so important.
As a business associate, you want the covered entities you work with to know you are dedicated to HIPAA compliance. This assurance can only be gained by having a 3rd party compliance and security expert validate your adherence to HIPAA and your commitment to protecting the data they are entrusting to you.
If you are a small doctor’s office, a HIPAA audit may be cost prohibitive. A Guided HIPAA Compliance service might better suit your size.
See also: SecurityMetrics HIPAA Guide
Many companies provide compliance tools or templates, but don’t support their tools with live experts to help you get through the process. If you’d rather undergo the HIPAA process yourself, just purchasing a template for compliance likely won’t be enough for your organization.
Most of the individuals I have met who are in charge of HIPAA compliance (even compliance/risk officers) do not understand the technical nuances of the HIPAA Security Rule enough to do a complete and thorough job on their own.
For example, do you understand the correct way to configure your network firewall? What about encrypting your patient data when transmitting through email? Do you know how to ensure two-factor authentication in your remote access application?
Unless you’re a security expert, the answer is probably no.
Having an expert available to answer your questions and help you through technical items will 1) help you become more secure and 2) help you accurately and thoroughly attest to your HIPAA compliance.
Getting help is more than just an available customer service team. Because HIPAA is not just a one-time thing, it’s a good idea to stay up on the latest mandates, tips, best practices, etc.
Research the educational resources your compliance vendor offers, such as:
Like I mentioned above, one of the main reasons to outsource HIPAA compliance to a vendor is because they have expertise that you don’t. However, beware of vendor ‘experts’ who aren’t experts in HIPAA or security, like lawyers, accountants, or IT vendors.
A good rule of thumb when determining if your vendor has the right kind of expertise is to ask the question: Does this HIPAA expert know the technical properties of encryption, firewalls, and vulnerability scanning, and how each relates to HIPAA compliance and security?
Attorneys and CPAs understand the HIPAA Privacy Rule and general legalese. In fact, I bet they’re really good at crafting privacy policies. However, they have little to no experience with security, which is a very important trait when considering the HIPAA Security Rule.
IT specialists, on the other hand, understand the technical aspects well, but don’t understand the security side or the HIPAA mandate behind it. It’s difficult for them to fulfill HIPAA requirements for a business.
Seasoned HIPAA security experts provide best practice tips, proper training, and security consultation.
They have years of experience in both healthcare and security fields.
Look for third party indications that the company you’ll be working with is experienced and has been validated by an independent party:
Many companies provide effective online compliance training courses, policies, or templates, and market that as their HIPAA compliance product. Unfortunately for those vendors, there is much more to HIPAA than a policy or training exercise.
That’s why I recommend looking for a full-service HIPAA vendor.
HIPAA isn’t just about completing a risk analysis, or having a notice of privacy practices sent to patients. There are many facets required of entities, so having one vendor that offers HIPAA policies and procedures, employee HIPAA training, vulnerability scanning, a business associate compliance program, a risk analysis, onsite HIPAA audits, and breach protection can minimize time, cost, and the headache of finding different vendors for each.
Some great services outside of normal HIPAA regimen include:
Pricing isn’t everything, but if you have a budget to stick to, you want to make sure you get your money’s worth. Unfortunately, all too often I see entities that don’t take HIPAA and patient data security seriously enough and allocate too little budget. Please understand that HIPAA is a cost of doing business in the healthcare world; it’s not cheap, and our patients have entrusted us with their information expecting that we will protect it properly.
See Also: Five Things to Consider When Making a HIPAA Security Budget
If your budget is pretty stringent, and educating upper management about the risks and costs of a data breach has failed, here are some tips to ensure your vendor will fit your budget:
Not only should your vendor be cost-effective, they should also be able to deliver to your goals in the timeframe you specify. Vendors with documented and customizable HIPAA plans unique to your organization are preferred for this reason.
There are too many variables in each healthcare organization for anyone to make the decision for you. The right choice for you depends on:
A final word of caution: For the sake of your patients’ data security, stay away from companies just focused on “getting you compliant”, not “getting you secure.” HIPAA vendors like that are just looking to make a quick buck, not looking to help you meet every HIPAA requirement and secure your patient data.