Every practice – no matter its size – collects and uses data every day. There is data about patients, medical files, employees, finances, and even the practice itself. You have to collect and store this data somewhere. In addition, you have to be able to access it easily whenever you need it. For a long time, paper files were the only way to record data.
As of 2018, electronic record-keeping systems have (for the most part) replaced paper-based files across the healthcare industry. Practice owners consider many factors when purchasing an EDR app or subscribing to a cloud-based EDR service:
- Cost
- Ease-of-use
- Features
- Training for users
- Interoperability
HIPAA Compliance – Have You Covered Everything?
Security and compliance are two factors that are frequently overlooked, until disaster strikes. New data breaches come to light almost every day and many healthcare entities are victims. It’s one of the reasons HIPAA compliance is more important than ever. You might have strict rules, policies, and protocols in place to ensure compliance from your own staff. But what about your vendors?
Your practice probably has an EDR, practice management software, and various other reporting tools. You might think that using HIPAA compliant software services is about the extent of your responsibility. But compliance with legislation and ensuring the security of your data goes beyond that. You can be held responsible for data theft that occurs due to mistakes by people outside your organization.
Third-party vendors pose a great risk to any healthcare organization and a significant proportion of breaches occur because of a mistake made by a vendor. Hackers may get access to your data through the vendor’s credentials, tricking their employees to reveal admin passwords or breaking the security protocols surrounding the data servers. This means you have to be very careful when purchasing or licensing software from a developer. It goes beyond checking for the HIPAA compliant label on the box (or website, as the case may be).
Criteria for Vendor Evaluation
Apart from the usual criteria of cost and ease-of-use, you need to question the vendor about compliance and security aspects before making a decision. The answers to the following questions will tell you if the vendor is a risk or an asset to your practice:
- How does the vendor ensure compliance with HIPAA (and any other legislation as appropriate)? Do they have in-house experts or do they bring in expert consultants? Changes to legislation can happen at any time and the vendor should know about the latest updates.
- Do all modules of the software comply with relevant legislation? Many vendors will provide extensions or add-ons to the basic software for specific use cases. Not all of them may be HIPAA compliant or secure. If the vendor sells different types of software (EDRs, data analytics, PM tools etc.), make sure they’re all secure and comply with HIPAA.
- What security tools and protocols does the vendor use to ensure security? Any breach within their organization can lead to an attack on your clinic. If the vendor appears reluctant to share any security-related information, that should ring warning bells for you.
- Ask about their employee training program. Humans are generally the weakest link in the security chain. Just as all your employees are certified and trained, you need to know that the vendor does the same for their workers.
A little bit of research and planning can prevent problems from cropping up later on. Every new vendor that you bring into the fold increases the probability of a breach. If the vendor complies with HIPAA and uses security best practices, you don’t have to worry about compromising your sensitive data.
