
Secure Your Data: Vendor Due Diligence

Sandy Weitz, MD, advises physicians to include a security analysis as part of their vendor due diligence to secure a practice's protected health information.

February 3, 2022

We regularly research vendors before we engage them to provide any service or product. After all, you wouldn’t hire them without knowing anything about them. And, when you run a private medical practice, you are responsible for protecting your patients’ protected health information (PHI). Therefore, your due diligence needs to include a security analysis of the proposed vendor.


Due Diligence

The goal of due diligence is to determine that the vendor you are considering is financially solvent, legal, and trustworthy. Due diligence is when you evaluate the other party before entering into an agreement by collecting as much data as you can.


Due Diligence and HIPAA

The Department of Health and Human Services (HHS) has established the Business Associate Agreement (BAA) as the legal document to be signed in conjunction with a service level agreement (SLA) or contract. The SLA simply defines the scope of the services. Under the BAA, the vendor, your Business Associate (BA), agrees to safeguard your protected health information. In the strictest sense, the BAA between your practice and a vendor is sufficient.

When a BA causes a HIPAA breach, they bear the liability. But you, as the covered entity, are still responsible for addressing the breach. And although a BA is supposed to have policies and procedures in place to prevent a breach, they still occur. Therefore, you will want to go beyond just signing a BAA as your due diligence. You need to take steps to determine whether your BAs will meet the HIPAA security requirements.


A Pre-Contract Vendor Security Survey

A security survey can give you invaluable insight into whether a vendor can meet your security expectations. Here are some of the pre-contract questions that you should ask:


  1. Is the vendor correctly representing themselves? Verify their identity and credentials.
  2. Is the vendor financially sound? Do they have outstanding debts or other significant liabilities? How robust are their revenue streams?
  3. What is the vendor’s reputation? Ask for references. Read publicly available reviews. Ask your colleagues.
  4. Where will your data be housed?
  5. Does the vendor conduct a security risk analysis? When was the last time the vendor completed a security risk analysis?
  6. When was the last time the vendor trained their employees on HIPAA? What is their training process?
  7. What security safeguards does the vendor have in place to protect PHI?
  8. What policies and procedures does the vendor have in place, and are employees following them?


A security issue can have significant financial consequences for your practice. Going that extra step to understand how a vendor will prevent unauthorized access to your PHI is a worthwhile investment.


Do An Exclusion Search

An exclusion search can help you determine whether a vendor has been excluded from participating with federal healthcare organizations because of illegal or fraudulent behavior.

Check these exclusion lists:

  • List of Excluded Individuals and Entities (LEIE)

The Office of Inspector General maintains this list of individual providers and entities excluded for Medicare or Medicaid fraud, patient abuse or neglect, felony convictions for healthcare-related fraud, theft, or other financial misconduct, and felony convictions for unlawful manufacturing, distribution, prescription, or dispensing of controlled substances.

There’s a monetary penalty for entering a contract with an entity on the LEIE. In addition, some states maintain their own exclusion list prohibiting entities from participating in state government-run programs.

  • Centers for Medicare and Medicaid Services (CMS) Preclusion List

The CMS preclusion list prohibits prescribers, individuals, or entities from receiving payment for Medicare Advantage items or services or Part D drugs furnished or prescribed to Medicare beneficiaries for one to three years.

  • System for Award Management (SAM)

SAM is a website that lists all companies registered to do business with the federal government. Use SAM to determine whether a vendor has been suspended or debarred.


Key Takeaway:

Protecting your practice against a HIPAA breach requires doing more than simply signing a BAA. Before you entrust your protected health information to a BA, you will want to do a thorough assessment of the potential vendor.


All opinions published on SomeDocs-Mag are the author’s and do not reflect the official position of SoMeDocs, its staff, editors. SoMeDocs is a magazine built with the safety of free expression and diverse perspectives in mind. For more information, or to submit your own opinion, please see our submission guidelines or email opmed@doximity.com. Do you have a compelling personal story you’d like to see published on SoMeDocs? Find out what we’re looking for here and submit your writing, or send us a pitch.