Over the last year, provider organizations began to roll out new technologies such as care management solutions, remote patient monitoring devices, and telehealth platforms. As more organizations embark on value-based care initiatives, it becomes necessary to partner with an analytics vendor to make sense of all of the disparate data sources, and to face the challenge of deciding whether to build or buy. As resources thin and your organization is pressed to go to market quickly (for example, implementing telehealth during the pandemic), you will likely choose to partner with a vendor.
One of the key questions you must ask any vendor is “how secure is your platform?” A common reply is that so many other organizations already use their product and they have never encountered any security challenges. You may be inclined to believe that they are, indeed, HIPAA compliant, and move forward with implementing their product. What you may miss is that every year hundreds of organizations trust their business associates with protected health information, and are then caught off guard when a breach occurs. As LeVar Burton, actor and director of Star Trek and Reading Rainbow, says, “you don’t have to take my word for it,” but at least check out this list—you’ll definitely recognize a few names on here.
At the end of the day, your organization is still on the hook for any fines when your business associates cause a data breach, and that could be millions of dollars in liability. That’s enough to put some provider organizations out of business.
So, the real question is: how can your organization ensure you are partnering with a vendor that takes the security and confidentiality of your data seriously? Consider these three items. I like to think of it as securing your home: most people don’t leave their front door wide open with all their valuables ripe for the taking!
1. Is your business associate HIPAA compliant?
This is a basic principle. The National Institute of Standards and Technology publishes a set of standards, and we highly recommend that any vendor you work with follow the controls recommended in the NIST Framework.
Think of this as putting locks on your front and back doors.
2. Is your business associate certified by a third party?
Just because they say they are HIPAA compliant doesn’t make it true: vendors and Business Associates (BAs) are your biggest risk! Ensure that the organization has a third party that tests and certifies that the security controls they have put in place are working effectively to secure your systems and data. Here are the three most widely recognized external attestations/certifications: SOC 2, ISO 27001, and HITRUST.
Think of this as ensuring that the burglar alarm system installed in your home works, and that the company you hired to monitor your home and valuables is really as good as it claims. A third party tests the company you hired to secure your home and attests or certifies that it really is the best.
3. How much liability insurance does your business associate carry?
While you can take every precaution (such as following steps 1 and 2), this doesn’t guarantee that you will be completely immune from a data breach; it simply means that you are mitigating the risk. Even the most secure systems have a non-zero chance of being broken into. In the event that a data breach does occur, you’ll want to ensure that your vendors and business associates carry a sufficient amount of liability insurance to help absorb the damages. This is something to consider during the contracting phase.
Think of this as purchasing liability insurance in the event of a break-in.
Salient Healthcare understands the value of confidential and protected data, not only from the regulatory perspective but from the client’s as well. Salient has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate and manage risks. In addition, Salient is subject to various internal and external risk assessments and audits. The Security and Compliance team, under the guidance and direction of the Information Security Officer (ISO), has established an information security framework and policies based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev 4 (Recommended Security Controls for Federal Information Systems) and has integrated the American Institute of Certified Public Accountants (AICPA) Trust Services Principles for SOC 2 Type II compliance.
While you may be excited to get a new program off the ground, it is imperative to consider security policies when you’re partnering with a technology vendor. It’s an often overlooked safeguard that could ultimately save you both financial and administrative hardship while protecting the most important part of our healthcare: the patients.