Third Party HIPAA Compliance Checklist

Is a third-party hosting your EHR or storing your medical records? Everyday, more and more healthcare providers are outsourcing or looking to outsource their electronic record storage and maintenance to third party technology companies. This is not in and of itself a problem, however, it’s important that all healthcare providers are mindful that any third party vendor that stores, creates transmits or maintains protected health information must comply with HIPAA. Even though a third-party controls the record storage technology, healthcare providers are ultimately responsible for the privacy and security of its patients’ information.

If you’re unsure if your third party storage vendors are HIPAA compliant the following checklist can assist you in a review of a technology company’s HIPAA compliance:

Request a copy of the vendor’s HIPAA risk assessment and security safeguard policies and procedures.
Engage an IT expert with HIPAA experience to review the provided materials to analyze and ensure that all relevant safeguards are in place.
All written contracts must address how the third party vendor will guarantee availability of data in a standard format once it is transferred to and controlled by the vendor.
The written contract should require third party vendor to send you regular back-ups of stored data in a standard format. (This is to ensure if they go out of business you will not lose your patients’ records.)
The written contract should be terminable if the healthcare organization experiences any repeated availability issues.
The written contract should guarantee free access to all data in a standard format during and after the term of the parties’ agreement. Be aware that it may not be possible to migrate your data into a future system.
The written contract must require the vendor to abide by all applicable information and security laws, including HIPAA. The contract must include a Business Associate Agreement.
The written contract should require the third-party vendor to indemnify the Provider from all liabilities arising from lost, destroyed or breached stored data. Because the value of patient data is difficult to calculate, consider a liquidated damages clause.
The written contract should specify that the third-party vendor does not own the Provider’s data but has a limited license to use the data for the purposes prescribed in the contract. The license should expire when the agreement terminates.
Ensure that any terms and conditions of software use are provided before entering into a final contract and review the terms and conditions for overly-restrictive clauses (such third-party technology agreements must comply with HIPAA terms and conditions are often referred to as Click-wrap, Browse-wrap, and Shrink-wrap Licenses).

Make sure you use prudent judgment as not all third party vendors are secure. Make sure you have reviewed all of their capabilities thoroughly.

If you have any questions regarding the security of your patients’ PHI when it’s being stored by a third-party vendor, contact ITPAC today for a consultation.
This entry was posted in Uncategorized on February 3, 2014.
Major Fines for HIPAA Related Security Breaches
Leave a reply

Not staying up to date with your security responsibilities can have a huge impact on your practice. Not just in monetary punishments but in the lost trust of your patients and their families. Idaho State University recently agreed to pay $400,000 to the HHS Office for Civil Rights to settle allegations of HIPAA privacy and security rule violations. ISU had not conducted a HIPAA security risk analysis for more than five years, even after they suffered an IT breach at their Pocatello Family Medicine Clinic.

Something as simple as an IT security audit could have saved them hundreds of thousands of dollars and protected the private patient information that they were entrusted with.

Other organizations have been forced to pay major fines to the Office of Civil Rights following IT security breaches:

UCLA Health Systems $865,000
Massachusetts General Hospital $1 million
Cignet Health $4.3 million
Rite Aid $1 million
CVS/pharmacy $2.2 million
Providence Health & Services $100,000
The Hospice of North Idaho $50,000

Don’t leave your clinic open to the possibility of an IT breach and all of the harm to your finances and reputation. Protect yourself and your patients. Call ITPAC today.
This entry was posted in Uncategorized on June 27, 2013.
ACH Fraud Case Favors Bank
Leave a reply

Until recently, courts have found the bank liable in ACH/wire fraud cases when the customer sues the bank. But in the case of Choice Escrow vs. BankCorpSouth, the court favored the bank. This decision will likely have a major impact regarding how cases will be decided in the future.

There are three prongs that are considered when an ACH/wire fraud dispute goes to court:

Commercial reasonableness of procedure offered by the bank
Bank’s conduct in the accepting order (acted in good faith)
Customer responsibility when fraud losses occur

To summarize this case, Choice Escrow had an account take-over and over $40,000 was drained through their account (their computers were hacked). Choice Escrow had refused the dual controls offered by the bank because they were inconvenient.

In this situation the bank did everything right. It offered a commercially reasonable procedure (dual controls). The bank documented that the customer had declined the controls and the reason why they were declined. The bank acted in good faith when it transferred the money. Which left the responsibility for the loss with the customer because the court decided that the unauthorized transfer could have been prevented if the client had accepted dual controls.

Responsibility and liability are now shifting to the customer because banks have the systems and processes in place to establish good controls. Banks must still help customers with good security by training them and providing commercially reasonable procedures which fit the customers needs.
This entry was posted in Uncategorized on June 27, 2013.
HIPAA Security
Leave a reply
HHS provides guidance

Health and Human Services co-hosted a HIPAA Security Conference with the Office of Civil Rights a couple weeks ago. There’s still a lot of confusion about requirements for complying with the HIPAA Security rule by September 23, so the conference was a good opportunity to respond to questions.

One area that continues to be a concern for HIPAA Security Rule compliance is the use of “cloud providers.” Cloud providers are business associates, so how does an organization gain comfort around using cloud providers? It was stressed that it’s not a question of whether the cloud provider has the encryption key to access your data, the question is around the “persistence of custody” that third-party has with your patients’ data. Clear? No, it’s not, which is a good reason why organizations may want to avoid putting PHI in the cloud.

Another thing to keep in mind with Business Associates (BA) is that each health care organization needs to be auditing their BA or requesting proof that the BA has been audited. A BA cannot provide audits of any organizations they provide services to. Even if it’s a separate part of the BA organization that provides the audit, there’s no independence in that process. Unfortunately, organizations that allow their BAs to audit them are likely assuming excessive risks because the BA is not going to audit their own practices and make necessary changes. This could come back to hurt the health care organization down the road.

OCR officials also cautioned attendees that patient preferences and privacy need to be considered within the Security Rule. The patient gets to decide if they want to receive unencrypted emails, for example. Health care organizations must have email encryption in place if they plan to send information to patients over email, but if the patient receiving the data wants it to come unencrypted, then they have that choice. As a health care organization, I would strongly recommend that you get that preference in writing and that you have explained the risks to the patient. Likewise, any health care organization using mobile devices should ensure they are all encrypted. It’s your job to protect your all patients’ information at all times, but it’s their individual option to state if they wish for communications to be open.

This entry was posted in Uncategorized on May 29, 2013.
Dropbox and Other Cloud Storage
Leave a reply
Are you putting your customers’ data in Dropbox?

In the last two years I’ve seen a significant increase in the number of banks providing iPads to their Board of Directors for use during meetings. Compared to printing and mailing Board packets, using an iPad to access electronic documents is a great time saver, as well as reducing paper waste. Since iPads do not have large-scale document storage capability the risks related to losing and iPad or having it stolen and exposing confidential customer or organizational information, were pretty low. Providing iPads to Board members seemed like a nice solution.

Dropbox and services like it are a type of cloud storage and when information is placed into Dropbox the organization loses control over the security of that document. If an organization is using Dropbox as the storage location for the Board Packet and accessing that location with iPads and there is any sensitive customer information in the packet, the security of that information is at risk.

In the last couple of years there have been multiple security issues with Dropbox, including an authentication problem which allowed anyone to log into any account with any password for a period of 4 hours. There is also the potential for cross-zone scripting which would allow malicious javascript to redirect users to a malicious website without the user knowing it. There have been several security patches to fix Dropbox vulnerabilities in 2013, but other security features, such as multi-factor authentication, that were promised in response to the security issues last year but are still not available.

So while I love efficiency as much as the next person and clearly understand the value of using Dropbox, putting sensitive customer information into the cloud is extremely risky. If iPads are being utilized to share Board packets, I strongly recommend that the information is scrubbed of any sensitive customer information before sending it to Dropbox.