How to evaluate HIPAA compliant patient engagement software vendors, Part 1

This is the first of a two-part series about digital customer engagement and HIPAA compliance. In this post we cover the role of the software vendor in protecting Protected Health Information (PHI). The second post explores the core requirements of a HIPAA-compliant digital engagement platform.

The need to preserve the privacy and sanctity of personal healthcare data requires no deep explanation. We all understand what’s at stake, and we expect healthcare providers to go to great lengths – whether required by law or not – to defend our right to privacy. What’s new, however, are our expectations around service delivery. Today, patients and clients of all kinds increasingly demand that the consumer experiences they have elsewhere be mirrored by healthcare providers.

Adopting a patient-centric approach to healthcare opens up a wealth of new opportunities to attract new potential patients and earn market share through modernized, efficient services. But moving from legacy or paper-based systems to modern patient engagement software platforms introduces the risk that patient data could be inadvertently shared with the wrong people, lost, or even stolen.

The consequences of not protecting against that risk are significant – financial penalties for patient data breaches under HIPAA can quickly run into the six figures, and reputational damage can be equally devastating. That’s why it’s important for healthcare providers looking to introduce new digital engagement channels to understand the risks and be able to assess how well potential vendors offer protection.

One regulation, different interpretations

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 as a set of requirements to safeguard patient data – Protected Health Information (PHI) – from unauthorized access or distribution.

Before a healthcare provider starts working with a vendor, both parties must sign a contract that explains their respective commitments towards HIPAA compliance and the safeguarding of PHI. Vendors who do this are classified as “Business Associates” under HIPAA, and the agreement put in place is referred to as a “Business Associate Agreement” (BAA).

HIPAA mandates that PHI should be handled privately and securely, with provisions for appropriate notifications in the event of a data breach also outlined in the Act. Business Associates need to have specific processes in place to ensure compliance.

One of the things that makes assessing a vendor’s HIPAA compliance challenging is that there are no formally acknowledged certifications that vendors can undertake to guarantee that the safeguards they have put in place are rigorous enough. This means that different vendors may interpret their responsibilities under the Act in different ways, and put different practices in place, while still claiming to be HIPAA compliant.

Successful partnerships require shared responsibility

Given that almost two-thirds of historical data breaches involved a Business Associate, it’s important for healthcare providers to be appropriately informed about the responsibility a vendor must accept in the event of a PHI data breach.

In the eyes of the law, if a data breach were to occur, then the healthcare provider itself would be responsible by default. It’s then up to the healthcare provider to prove that any third party contracted by them was ultimately responsible. Proper HIPAA processes on the vendor’s part should not only ensure that PHI breaches are unlikely, but also ensure that, were any breach to take place, responsibility would be shared.

The extent of that shared responsibility, however, can vary from one vendor to the next. The degree of responsibility that vendors take on can be ascertained through documentation that explains the processes they have adopted to ensure HIPAA compliance. In other words, the deeper the processes in place, the more likely the vendor is to understand its role and responsibilities, and to have measures in place to protect PHI. This results in more confidence on the part of the healthcare provider to partner with that vendor.

Details matter

You shouldn’t need to perform your own assessment of the vendor’s compliance with HIPAA. Patient engagement software vendors who claim HIPAA compliance should undergo a thorough risk assessment with a reputable third-party firm every year. That third-party firm should assess the vendor’s security, privacy and breach notification procedures, sometimes using hundreds of measures to check that processes are appropriately strict, and produce a detailed report with the findings.

While vendors can perform their own in-house risk assessment, using a third-party assessor guarantees that vendors are being assessed in line with true best practices for HIPAA compliance. Similarly, a third-party firm known for reliable HIPAA assessments will look at the full range of potential HIPAA risk areas, and not simply assess security risks in a narrower sense without reference to the Act.

You should ask potential vendors for a copy of their most recent risk assessment report to check how they performed. In the event that the report reveals deficiencies, you should ask to see what remediation plans are in place to address them.

In part two of this series on HIPAA compliance we’ll explore the core requirements of a HIPAA-compliant digital engagement platform.
About Jeff Epstein

Jeff is Comm100’s VP Product Marketing and Communications. He’s a B2B marketer with 20+ years’ experience creating compelling messaging and content for sales enablement and demand generation. Having held roles with companies including IBM, General Motors, and Comm100, Jeff knows how to connect solutions to buyers.