From AHIMA: Look Closer at Vendor HIPAA Compliance

Health care providers need to ensure that their information technology vendors and their business associates understand and are compliant with the provisions.


With stronger HIPAA privacy and security requirements now in effect, health care providers need to ensure that their information technology vendors and their business associates understand and are compliant with the provisions.

Larger vendors understand, but many smaller ones may not--and hospitals often contract with small local vendors, particularly shredding firms, notes Nancy Davis, privacy officer at 15-hospital Ministry Health in Milwaukee, serving parts of Wisconsin and Minnesota. And that could cause trouble when the HHS Office for Civil Rights starts auditing business associates as expected in 2014.

In an interview at the American Health Information Management Association’s annual conference in Atlanta, Davis noted that she routinely assesses business associate compliance with HIPAA. And Ministry Health soon may have another business associate, as its health information management vendor, IOD Incorporated, recently acquired ApeniMED, which also serves the HIM field. Now, Davis will assess ApeniMED’s awareness of the updated rules and may ask for additional validation of compliance. Assessments, however, are not a one-way street, as some vendors now are asking provider clients for validation of their own compliance with HIPAA, Davis says.

Vendors often want providers to sign a vendor-developed business associate agreement, which is understandable as they don’t want to be beholden under multiple different BAAs from customers, Davis says. But she advises providers to push back with their own BAA and negotiate enough that vendors will accept the provider agreement. Providers will find that they win the argument most of the time because vendors want the business, she adds.

 

 
