HIPAA was created primarily to protect the confidentiality and security of healthcare information. As a physician’s practice, you are responsible for ensuring you use HIPAA compliant IT service vendors, particularly those who store and transmit your data.
The Healthcare Information and Management Systems Society (HIMSS) put together a list of detailed questions to ask your potential service providers. The list below identifies the areas you should assess and why.
1.) Data protection – Your provider should have policies in place that ensure protection from a data breach and that provide recovery in case data is lost. HIPAA requires you to protect all PHI, and your hosting provider needs to meet the same standards.
2.) User security – The major tool for protecting data is user access, so the potential provider needs to have policies in place around this. Ask how your employees will access data and get comfortable with whether the requirements are strict enough.
3.) Regulatory Compliance – Ask if the provider is certified as HIPAA compliant and how. They should be able to provide audit reports following either HIPAA, SOC 2 Type II, or SSAE 16 Type II regulation compliance. If they meet any of these, they will satisfy the requirements you need to be HIPAA certified with your IT.
4.) Business Continuity – In addition to having back-up procedures to protect from data loss, they should have a business continuity plan that ensures that you will still be able to function if their data center suffers an outage or disaster. Ask how long after an event until they resume operations. Most providers should be able to continue within four hours.
5.) User Privacy – You should ask how employees at their sites are trained in dealing with data and how data besides the PHI is treated. You should expect protection of all data that passes through their systems, not just patient data.
6.) Multi-tenancy – By definition, hosting providers store and service multiple clients in basically the same space. Ask how they keep multi-tenant data separate, and what resources you’ll be sharing with other clients. Be sure you’re comfortable with the service level you’ll get in relation to the other clients.
7.) System security – Your hosting provider is an extension of your office, so you should understand and be confident that their system security measures are adequate. Ask about physical security, network access security, and vulnerability tests.
8.) BAA – HIPAA expects a Business Associate Agreement (BAA), and not having one can be seen as negligent. You can download a sample BAA from the HHS.gov website. In addition to outlining your service agreement, the BAA should specify how data is protected and what happens to your data after you terminate the contract.