Quick summary: Sandy Weitz, MD, advises physicians to include a security analysis in their vendor due diligence in order to protect the practice's protected health information.

We regularly research vendors before we engage them to provide any service or product. After all, you wouldn't hire them without knowing anything about them. And when you run a private medical practice, you are responsible for protecting your patients' protected health information (PHI). Your due diligence therefore needs to include a security analysis of the proposed vendor.


Due Diligence

The goal of due diligence is to determine that the vendor you are considering is financially solvent, operating legally, and trustworthy. Due diligence is the evaluation you perform on the other party before entering into an agreement, by collecting as much data as you can.


Due Diligence and HIPAA

The Department of Health and Human Services (HHS) has established the Business Associate Agreement (BAA) as the legal document to be signed alongside a service level agreement (SLA) or contract whenever a vendor will create, receive, maintain, or transmit your PHI. The SLA defines the scope of the services to be provided. The BAA binds the vendor, your Business Associate (BA), to safeguard your protected health information in accordance with the HIPAA Security and Privacy Rules. In the strictest sense, a signed BAA is all that HIPAA requires of you before sharing PHI with a vendor.

When a BA causes a HIPAA breach, the BA is directly liable for its own HIPAA violations. But you, as the covered entity, are still responsible for addressing the breach, including investigating it and notifying affected patients and HHS. And although a BA is supposed to have policies and procedures in place to prevent a breach, breaches still occur. Therefore, your due diligence should go beyond simply signing a BAA: you need to take steps to determine whether your BAs can actually meet the HIPAA security requirements.


A Pre-Contract Vendor Security Survey

A security survey can give you invaluable insight into whether a vendor can meet your security expectations. Here are some of the pre-contract questions you should ask:


  1. Verify that the vendor is correctly representing itself: confirm its legal name, registration, and the identity of the people you are dealing with.
  2. Is the vendor financially sound? Does it have outstanding debts or other significant liabilities? How robust are its revenue streams?
  3. Evaluate the vendor's reputation: ask for references, read publicly available reviews, and ask your colleagues.
  4. Where will your data be housed, and who (including any subcontractors) will have access to it?
  5. Does the vendor conduct a security risk analysis? When did the vendor last complete one?
  6. When did the vendor last train its employees on HIPAA? What is its training process?
  7. What security safeguards does the vendor have in place to protect PHI (for example, encryption of PHI at rest and in transit, access controls, audit logging, and backups)?
  8. What policies and procedures does the vendor have in place, and are employees actually following them?


A security issue can have significant financial consequences for your practice.  Going that extra step to understand how a vendor will prevent unauthorized access to your PHI is a worthwhile investment.


Do An Exclusion Search

An exclusion search can help you determine whether a vendor has been excluded from participating in federal healthcare programs because of illegal or fraudulent behavior.

Check these exclusion lists:

  • List of Excluded Individuals and Entities (LEIE)

The Office of Inspector General (OIG) maintains this list of individual providers and entities excluded for Medicare or Medicaid fraud; patient abuse or neglect; felony convictions for healthcare-related fraud, theft, or other financial misconduct; and felony convictions for the unlawful manufacture, distribution, prescription, or dispensing of controlled substances.

There is a civil monetary penalty for contracting with an entity on the LEIE for items or services payable by a federal healthcare program. In addition, some states maintain their own exclusion lists prohibiting entities from participating in state government-run programs, so check your state's list as well.

  • Centers for Medicare and Medicaid Services (CMS) Preclusion List

The CMS preclusion list prohibits prescribers, individuals, or entities from receiving payment for Medicare Advantage items or services or Part D drugs furnished or prescribed to Medicare beneficiaries for one to three years.

  • System for Award Management (SAM)

SAM (SAM.gov) is the federal government's registration system for companies that do business with it. Use the SAM exclusions search to determine whether a vendor has been suspended or debarred from federal contracting.
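The OIG publishes the LEIE as a downloadable CSV file, so a practice that screens more than a handful of vendors (and re-screens them periodically, since exclusions are added monthly) can automate the name check. The script below is an added example, not code from the author or from OIG: it screens a vendor's business name, its principals, and its NPI against an LEIE-style file. The column layout is assumed to follow the LEIE download (confirm it against the header of the current file), the rows are a constructed, fictional sample, and the treatment of a non-zero REINDATE as a reinstatement is an assumption to verify against OIG's documentation. A hit from this screen is a reason to check the OIG online search and the vendor's records by hand, not a final determination.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample with fictional entries, laid out in the column order of
# the OIG LEIE CSV download (assumed layout; verify against the real header).
SAMPLE_LEIE_CSV = """\
LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,GENERAL,SPECIALTY,UPIN,NPI,DOB,ADDRESS,CITY,STATE,ZIP,EXCLTYPE,EXCLDATE,REINDATE,WAIVERDATE,WVRSTATE
,,,ACME MEDICAL BILLING LLC,BUSINESS,BILLING SERVICE,,0000000000,,1 MAIN ST,SPRINGFIELD,IL,62701,1128b7,20210115,00000000,00000000,
DOE,JOHN,Q,,IND- LIC HC SERV PRO,PHYSICIAN,,1234567893,19700101,2 OAK AVE,DENVER,CO,80202,1128a1,20190301,00000000,00000000,
SMITH,JANE,,,IND- LIC HC SERV PRO,NURSE,,0000000000,19800505,3 ELM ST,AUSTIN,TX,78701,1128a3,20200701,20230101,00000000,
"""

# Corporate suffixes that commonly differ between a contract and a listing.
_SUFFIXES = {"LLC", "INC", "INCORPORATED", "CORP", "CORPORATION", "CO",
             "PC", "PLLC", "LTD", "LP"}
NO_NPI = "0000000000"      # LEIE placeholder for "no NPI on record" (assumed)
NOT_REINSTATED = "00000000"


def normalize(name: str) -> tuple[str, ...]:
    """Uppercase, drop punctuation and corporate suffixes, return word tokens."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return tuple(t for t in tokens if t not in _SUFFIXES)


def _person_key(last: str, first: str) -> tuple:
    # Match on full last name plus the first token of the first name,
    # so "John Q. Doe" and "JOHN DOE" compare equal.
    return (normalize(last), normalize(first)[:1])


@dataclass(frozen=True)
class Hit:
    listed_name: str
    excl_type: str
    excl_date: str
    reason: str


def load_leie(text: str) -> list[dict]:
    """Parse an LEIE-style CSV into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def screen_vendor(records, business_name: str = "", people=(), npi: str = "") -> list[Hit]:
    """Return exclusion hits for a business name, its principals, and/or an NPI.

    Rows with a non-zero REINDATE are treated as reinstated and skipped
    (assumption to confirm against OIG documentation).
    """
    hits: list[Hit] = []
    biz = normalize(business_name) if business_name else ()
    wanted_people = {_person_key(last, first) for last, first in people}
    for r in records:
        if r["REINDATE"] != NOT_REINSTATED:
            continue
        listed = r["BUSNAME"] or f'{r["FIRSTNAME"]} {r["LASTNAME"]}'.strip()
        if npi and npi != NO_NPI and r["NPI"] == npi:
            hits.append(Hit(listed, r["EXCLTYPE"], r["EXCLDATE"], "NPI match"))
            continue
        if biz and r["BUSNAME"]:
            tokens = normalize(r["BUSNAME"])
            # Exact match, or every token of the contract name appears in the
            # listed name (catches "Acme Medical" vs "ACME MEDICAL BILLING").
            if tokens == biz or set(biz) <= set(tokens):
                hits.append(Hit(listed, r["EXCLTYPE"], r["EXCLDATE"], "business name match"))
                continue
        if wanted_people and r["LASTNAME"]:
            if _person_key(r["LASTNAME"], r["FIRSTNAME"]) in wanted_people:
                hits.append(Hit(listed, r["EXCLTYPE"], r["EXCLDATE"], "principal name match"))
    return hits


if __name__ == "__main__":
    leie = load_leie(SAMPLE_LEIE_CSV)
    for hit in screen_vendor(leie, "Acme Medical Billing, Inc.", [("Doe", "John")]):
        print(f"EXCLUDED: {hit.listed_name} ({hit.excl_type}, {hit.excl_date}) via {hit.reason}")
```

Run it against the real download by replacing SAMPLE_LEIE_CSV with the file contents, and keep the screening results (date of the file, names checked, hits) with the vendor's due diligence records so you can show the check was performed if the contract is ever questioned.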


Key Takeaway:

Protecting your practice against a HIPAA breach requires more than simply signing a BAA. Before you entrust your protected health information to a BA, do a thorough assessment of the potential vendor.


Sandra Weitz MD

Physician Entrepreneur, Practice Building MD
