Health care providers are under plenty of stress, and the final HIPAA omnibus rule is adding to the pile. As part of their compliance strategy, many providers are turning to cloud-based vendors to secure communications among clinicians at their organizations. But it’s important not to jump into those relationships too quickly. Here are four of the less frequently asked questions to keep in mind when evaluating these potential partners.
1. Are they willing to hold themselves accountable in the case of a breach? – There are two parts to the answer to this question:
– It starts with them proactively considering themselves a Business Associate (BA) under the final HIPAA rule. If a vendor seems unclear on or unfamiliar with the term, a red flag should go up. If they try to convince you that they aren’t a BA, be skeptical. The exclusions (e.g., the conduit exception) are very narrow: a conduit merely transmits PHI, the way a postal carrier or an internet service provider does, whereas a vendor that stores your messages on its own servers is maintaining PHI and does not qualify. Ask yourself whether they are truly excluded or just taking the path of least resistance. Be sure you understand the exclusions for yourself, don’t rely solely on the vendor’s statement, and consult your legal counsel to ensure you make an informed decision.
– Further, they should be willing to sign a reasonable Business Associate Agreement (BAA) that formalizes the partnership. Look for an indemnification clause or language in the BAA that flat out says they will reimburse you for costs related to breaches. Those are the partners you want to work with; they have skin in the game. In addition, be sure there is a clause requiring the BA to carry a cyber liability insurance policy with adequate coverage should they, or one of their subcontractors or agents, cause a breach (general liability policies commonly exclude data-breach losses, so don’t accept one as a substitute). You want a partner that can be trusted with your patient data, and ultimately with your financial and business reputation.
2. Who owns the data? And where is it? – There should be no dispute about who owns the data created or transmitted through your cloud-based clinical communications partner: the hospital or health system owns it. Vendors may store and manage the data, but make sure your contract states that your organization owns everything that has been created, and that the BAA spells out how PHI is returned or destroyed if you dissolve the partnership. In addition, think carefully before selecting a partner that stores data outside the United States. HIPAA does not itself forbid offshore storage, but your ability to enforce a BAA, and a regulator’s ability to investigate, weakens considerably across a border. Make sure you understand exactly where your data is going to be stored, including backups, replicas and the locations from which support staff can access it, and think long and hard before you let it leave the country.
3. Are they in complete control of the infrastructure required to deliver their service, or do they use another provider? – If your cloud-based communications provider buys its storage or compute power elsewhere, you now have a third-party relationship to consider. Say a breach occurs as a result of a compromised storage environment, and your partner has outsourced that part of its business. Who’s responsible now? Under the omnibus rule a subcontractor that handles PHI is itself a BA and must be bound by its own BAA, so ask for the list of subcontractors that touch your data and confirm those downstream agreements exist. In addition to the increased complexity of the environment, you’re setting yourself up for a finger-pointing game should a breach occur. You don’t want any grey area when it comes to accountability, so make sure it’s clear upfront so you aren’t
4. How serious are they about HIPAA compliance? – There are a couple of ways to determine this. First, make sure they’ve proactively had their controls and infrastructure audited by a third-party firm, and ask to see the report rather than the badge: a SOC 2 Type II report or HITRUST assessment tells you which systems were in scope and which controls were actually tested, which a bare claim of being “HIPAA compliant” does not (there is no official HIPAA certification). It’s easy for vendors to say they meet regulations; a professional audit they are willing to share with you is far better evidence. Second, note whether they have personnel dedicated to ensuring and managing regulatory compliance, starting with the named security official the Security Rule requires. If not, ask yourself how well they really understand the regulations, whether they barely or clearly meet them, and whether they’re really taking HIPAA compliance seriously.
There is too much at risk not to take a measured approach to whom you do business with. At the end of the day, your patients’ information, your finances and your reputation are on the line. Are you willing to bet those on your vendor partners?