We regularly research vendors before we engage them to provide any service or product. After all, you wouldn’t hire them without knowing anything about them. And, when you run a private medical practice, you are responsible for protecting your patients’ protected health information (PHI). Therefore, your due diligence needs to include a security analysis of the proposed vendor.
The goal of due diligence is to determine that the vendor you are considering is financially solvent, legal, and trustworthy. Due diligence is when you evaluate the other party before entering into an agreement by collecting as much data as you can.
Due Diligence and HIPAA
The Department of Health and Human Services (HHS) has established the Business Associate Agreement (BAA) as the legal document to be signed in conjunction with a service level agreement (SLA) or contract. The SLA simply defines the scope of practice. The BAA implies that the vendor, your Business Associate (BA), agrees to safeguard your protected health information. In the strictest sense, the BAA between your practice and a vendor is sufficient.
When a BA causes a HIPAA breach, they bear the liability. But you, as the covered entity, are still responsible for addressing the breach. And although a BA is supposed to have policies and procedures in place to prevent a breach, they still occur. Therefore, you will want to go beyond just signing a BAA as your due diligence. You need to take steps to determine whether your BAs will meet the HIPAA security requirements.
A Pre-Contract Vendor Security Survey
A security survey can give you invaluable insight into whether a vendor can meet your security expectations. Here are some of the pre-contract questions that you should ask:
- Verify that the vendor is correctly representing themselves.
- Is the vendor financially sound? Do they have outstanding debts or other significant liabilities? How robust are their revenue streams?
- Evaluate the vendor’s reputation: Ask for references. Read publicly available reviews. Ask your colleagues.
- Where will your data be housed?
- Does the vendor conduct a security risk analysis? When was the last time the vendor completed a security risk analysis?
- When was the last time the vendor trained their employees on HIPAA? What is their training process?
- What security safeguards does the vendor have in place to protect PHI?
- What policies and procedures does the vendor have in place, and are employees following them?
A security issue can have significant financial consequences for your practice. Going that extra step to understand how a vendor will prevent unauthorized access to your PHI is a worthwhile investment.
Do An Exclusion Search
An exclusion search can help you determine whether a vendor has been excluded from participating with federal healthcare organizations because of illegal or fraudulent behavior.
Check these exclusion lists:
- List of Excluded Individuals and Entities (LEIE)
The Office of Inspector General maintains this list of individual providers and entities excluded for Medicare or Medicaid fraud, patient abuse or neglect, felony convictions for healthcare-related fraud, theft, or other financial misconduct, and felony convictions for unlawful manufacturing, distribution, prescription, or dispensing of controlled substances.
There’s a monetary penalty for entering a contract with an entity on the LEIE. In addition, some states maintain their own exclusion list prohibiting entities from participating in state government-run programs.
- Centers for Medicare and Medicaid Services (CMS) Preclusion List
The CMS preclusion list prohibits prescribers, individuals, or entities from receiving payment for Medicare Advantage items or services or Part D drugs furnished or prescribed to Medicare beneficiaries for one to three years.
- System for Award Management (SAM)
SAM is a website that lists all companies registered to do business with the federal government. Use SAM to determine whether a vendor has been suspended or debarred.
Protecting your practice against a HIPAA breach requires doing more than simply signing a BAA. Before you entrust your protected health information to a BA, you will want to do a thorough assessment of the potential vendor.