1. Are you HIPAA compliant?
This may seem like a no-brainer, but the answer makes all the difference. Never assume a vendor’s HIPAA compliance until they are able to show you proper documentation.
2. Which of your services meet HIPAA standards for securing Protected Health Information (PHI)?
It’s not enough for a vendor to claim they’re HIPAA compliant; you’ll want to understand exactly which services fall under the umbrella of increased security. For example, your HIPAA hosting provider should be able to answer this question and outline their recommended IT services. Common HIPAA compliant IT services could include a private firewall, either virtual or dedicated, with VPN for remote access.
3. Do you offer training for my staff?
When implementing new hardware or software, make sure you and your staff are properly trained and understand the basics of security. This will allow your team to be proactive in safeguarding your patients’ information. Most security breaches occur when insiders (i.e., colleagues or staff) exercise poor judgment or fail to follow established protocols. Proper training and implementation is paramount, and is also required by the HIPAA Security Rule. Make sure your vendor will provide some type of formal training and a proper handoff, should it be necessary.
4. Are your employees trained?
Do the employees of your vendor truly understand HIPAA compliance? Are they trained on all requirements? Will they be a resource for you and your staff as you implement new technologies and processes? HIPAA requires employees to be trained in security practices, and this does not apply solely to your staff; it applies to your vendor’s as well.
5. Do you have a disaster recovery plan?
If there is ever a disaster, you’ll want to know what your practice’s role will be in the restoration of data. What will your team be required to do, and what support will your vendor provide? Will your vendor help outline a plan for your staff? Will they need your internal IT team to be available? Make sure you have clear guidelines established before a disaster hits so you’re already prepared in the event you need to reestablish connectivity.
6. What are your backup procedures for the data you collect?
Find out how often backups are performed, where your data is stored, and whether there are redundancies within the system. You’ll want to know if there are multiple copies of your data available in more than one place. Such redundancies will help expedite the recovery of your data in a disaster. If your vendor does not have a clear backup procedure in place, find a new one.
7. Are your processes independently audited?
According to the U.S. Department of Health & Human Services, the Office for Civil Rights (OCR) HIPAA Audit program is in place to “analyze processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.” OCR established a comprehensive audit protocol, with which your vendor should be familiar. Find out the compliance rate of your new vendor against this audit protocol. Is it 100%? That’s a good sign. If applicable, make sure to ask your potential vendor for a copy of their HIPAA Report on Compliance (HROC).
8. Will you provide me with references from similarly sized clients?
A reputable vendor should be able to provide you with trusted references that can verify their work. It’s important to work with companies who are a good fit for you and your practice. Work with knowledgeable and reputable individuals you can trust.
1. OnlineTech. “Five Questions to Ask Your HIPAA Hosting Provider.” 2014. Available at: http://www.onlinetech.com/resources/e-tips/hipaa-compliance/five-questions-to-ask-your-hipaa-hosting-provider
2. Kibbe, D. “Ten Steps to HIPAA Security Compliance.” American Academy of Family Physicians, April 2005. Available at: http://www.aafp.org/fpm/2005/0400/p43.html
3. U.S. Department of Health & Human Services. “Summary of the HIPAA Security Rule.” HHS.gov, 2014. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
4. Toth, C. “Six Questions to Ask Your Cloud Vendor.” Physicians Practice, July 2013. Available at: http://www.physicianspractice.com/pearls/six-questions-ask-your-cloud-vendor/page/0/2#sthash.jX3Zq7lf.dpuf
5. U.S. Department of Health & Human Services. “HIPAA Privacy, Security, and Breach Notification Audit Program.” HHS.gov, 2014. Available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/