Getting familiar with HIPAA laws is a lot to wrap your head around.
If your contact center works with healthcare data (for example, for a health network or hospital), you’re required by law to comply with HIPAA. And if you’re a business associate of a healthcare provider who handles Protected Health Information, or PHI (like a claims processor or insurance company), you have to be compliant, too.
But those laws don’t always translate to your technology vendors.
Because there is no standardized law for third-party vendors, you have to do your own homework on how to keep your customers’ information safe, and how to keep your company clear of hefty fines.
We’re talking through what you need to look for when you work with third-party technology vendors who aren’t required to comply with HIPAA.
What you need to know to keep your data safe.
There’s no certification you or your vendors can get that says, “Hey, I’m compliant!”
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is actually a law that mandates privacy practices for businesses that handle PHI (like lab records or medical bills that carry your name or Social Security number).
The law used to cover healthcare providers only, but now it extends to business associates of healthcare providers. So, if you use a clearinghouse for medical claims, or if you hire a consultant to analyze your data, they get access to your PHI. Because of their access to sensitive information, they must be HIPAA compliant, too.
But let’s say you’re a healthcare provider who uses a technology vendor for web chat on your website. That vendor isn’t required by law to be HIPAA compliant.
This is where the water gets murky.
Your web chat app might be for booking appointments or for sending routine questions to your front office team. That means it’s not intended to communicate PHI. But you also can’t stop a patient from typing personal identifiers into the chat. If a patient lets some protected information slip and your vendor isn’t HIPAA compliant, that’s a violation, and your business is responsible for the fines.
With that in mind, many tech vendors opt to abide by HIPAA rules so they won’t interfere with your compliance. It’s best to seek out these vendors and partner with them, so you take on less risk.
How to partner with a vendor that supports your HIPAA Compliance.
Without an obvious badge or certification of compliance, it’s important to ask the right questions to ensure your data is safe.
To help technology vendors navigate the world of HIPAA, certain alliances and governing bodies offer frameworks and best practices to follow to ensure compliance. Look to resources like the Cloud Security Alliance (CSA) and National Institute of Standards and Technology (NIST) for specific criteria on how tech vendors handle compliance.
And, ask your vendors if they look to these resources for guidelines and best practices. If they do, chances are they’ll have documentation to explain how they approach HIPAA and keep your information safe.
Here are three areas to examine when talking to a vendor:
Organizational security – is the business itself HIPAA compliant?
Companies have to self-assess their level of compliance. There’s a Security Risk Assessment Tool specifically for HIPAA compliance that documents how a company safeguards against and mitigates any security risks.
Technology vendors who choose to comply with HIPAA need structural protections in place, like badge-protected offices and VPN connections for their internal networks. These are a few of the protections outlined in the security risk assessment, but the assessment goes much deeper.
To keep your contact center data protected, partner with vendors who’ve completed thorough security risk assessments.
Hosting Security – is the software on-premises or in the cloud, and are all hosting partners compliant?
Next up, you’ll need to evaluate how your technology vendors host their software. If a vendor has on-premises software, that means all your contact center data runs through their servers. The company is in charge of maintaining them, putting up firewalls, and keeping server data encrypted to stay HIPAA compliant.
If you’re using a vendor with cloud-based software, you’ll need to find out where they host their platform. Then, you’ll have to see if the platform host is compliant, too. For instance, the Sharpen platform is hosted by Amazon Web Services (AWS). AWS uses external auditors for risk assessment, and they’re HIPAA compliant. Therefore, the Sharpen platform is hosted in a HIPAA compliant environment.
Product security – is my data and contact center platform protected?
This piece of the HIPAA puzzle dives into the technology’s architecture. It looks at how the platform itself handles data.
To give you an idea, to be HIPAA compliant, a technology platform has to have an automatic log-off function. This function prevents unauthorized people from getting access to PHI if someone leaves a device unattended, like when someone leaves for lunch without locking their computer right at the moment a lurker sneaks into the office.
This area also looks at how data is handled and transferred. HIPAA compliance requires that companies encrypt all data in transit, not just at rest. So compliant companies have to build their platforms with integrity and the right protections in place to keep data safe at all times.
If you’re a business or contact center that handles PHI, you have some critical vetting to do before you pick a technology vendor. You have to know how your technology vendors support your compliance, or how they might put it at risk.
Need to do some in-depth research on potential vendors? We can help with that. Click to download our RFP template with 101 questions to ask your vendors before you pick a partner.
We originally wrote this post on January 18, 2016, and we updated it for new insight on August 6, 2019.