How to evaluate HIPAA compliant patient engagement software vendors, Part 2

This is Part two of a two-part series on HIPAA compliance for digital customer engagement. Click here for part one, which covers HIPAA fundamentals and the role of the software vendor.

HIPAA compliance is far from simple, and any vendor that says otherwise is likely not offering the degree of security and/or shared responsibility that you need to engage safely in digital patient communication. Here’s a run-down of what you should look for when assessing a vendor’s HIPAA compliance, in line with typical risk assessment items covered by third-party assessors.

Security and Encryption of PHI

Patient engagement software vendors primarily provide solutions actively involved in the transmission and storage of PHI, so the security and encryption processes that they have in place should be stringent.

Encryption is an important aspect of PHI security, as in the event a breach were to occur from a malicious third party, encryption ensures that the data they could access would not be legible or identifiable to an individual.

Here’s what to ask:

  • Does encryption apply to data “at rest”, i.e. stored on a vendor’s server – for example, chat logs? Amazon RDS encryption, which uses AES-256, is recognized as a gold standard in this respect.
  • Does encryption apply to data “in transit”, i.e. while it is being moved from one location to another – for example, when a patient submits PHI through an ongoing chat? Encryption through HTTPS (TLS) is standard in this instance.
  • Is there a complete logging and monitoring system that operates as a safeguard against unauthorized access?
  • Are the vendor’s server farms audited against recognized attestation standards such as SSAE 16, CSAE 3416, and ISAE 3402?
  • Are anti-malware and intrusion detection/prevention systems in place?
  • Is PHI held on laptops and mobile devices used by the vendor also encrypted?
  • Are physical security systems also in place? For example, is access to the vendor’s physical office location restricted by keycard, and are workstations secured appropriately?
What to watch out for: Check that the vendor takes responsibility for secure storage of data in all forms. For example, if they insist that you delete data from their servers and transfer it to your own, the vendor is essentially shifting responsibility for the security of data at rest to you. That means that if you did not delete and move your data regularly enough and it was intercepted by a malicious third party in an attack on the vendor, you could be held liable.
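The first two questions above are the ones a vendor can answer with hard evidence rather than assurances. The following added example (not from the original article or from any vendor) shows how an assessor might mechanically check that evidence: a list of RDS instances shaped like the `DBInstances` entries boto3’s `describe_db_instances()` returns (field names are real, values are constructed), and a constructed per-endpoint list of accepted TLS versions such as a scan report would give.

```python
"""Check vendor encryption evidence against the at-rest and in-transit questions."""

# Constructed evidence: two RDS instances as a vendor might export them.
# Amazon RDS uses AES-256 for storage encryption when StorageEncrypted is true.
RDS_EVIDENCE = [
    {"DBInstanceIdentifier": "chatlogs-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
    {"DBInstanceIdentifier": "chatlogs-staging", "StorageEncrypted": False},
]

# Constructed evidence: protocol versions each public endpoint accepts
# (hypothetical hostnames), e.g. taken from a TLS scan report the vendor supplies.
TLS_EVIDENCE = {
    "chat.example-vendor.test": ["TLSv1.2", "TLSv1.3"],
    "legacy-api.example-vendor.test": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
}

# Oldest to newest; anything not in this list is treated as unacceptable.
_PROTOCOL_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def check_at_rest(instances):
    """Return identifiers of instances whose storage encryption is off or missing."""
    return [i["DBInstanceIdentifier"] for i in instances if not i.get("StorageEncrypted")]


def check_in_transit(endpoints, minimum="TLSv1.2"):
    """Return endpoints that still accept a protocol older than `minimum`
    (or a version the checker does not recognize)."""
    floor = _PROTOCOL_ORDER.index(minimum)

    def too_old(version):
        return version not in _PROTOCOL_ORDER or _PROTOCOL_ORDER.index(version) < floor

    return sorted(host for host, versions in endpoints.items()
                  if any(too_old(v) for v in versions))


def assess(instances, endpoints):
    """Combine both checks into a list of human-readable findings for the assessment report."""
    findings = [f"at-rest: {ident} has StorageEncrypted=false" for ident in check_at_rest(instances)]
    findings += [f"in-transit: {host} accepts TLS below 1.2" for host in check_in_transit(endpoints)]
    return findings


if __name__ == "__main__":
    for finding in assess(RDS_EVIDENCE, TLS_EVIDENCE):
        print(finding)
```

A clean assessment returns an empty list; every finding maps directly to one of the two checklist questions, which keeps the conversation with the vendor concrete.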

HIPAA-specific Policies and Procedures

Vendors should have clear policies and processes in place to ensure that PHI is handled in a secure and consistent way throughout the organization.

Here’s what to ask:

  • Have identity management and access controls been implemented to ensure employee access to PHI is appropriately restricted?
  • Are system activity logs regularly checked and reviewed for unauthorized or inappropriate access?
  • Are there defined processes for responding to and reporting data security incidents and data breaches?
  • Has a comprehensive list of all places where PHI resides or passes through been compiled and accounted for in policies and procedures?
  • Do policies protect PHI from improper alteration or destruction?
  • Is PHI securely and completely disposed of after an appropriate timeframe?
  • Are policies version-controlled and continuously improved, evidencing improvement and refinement in processes over time?
What to watch out for: Ensure that the vendor has a range of policies that apply best-practice security processes generally, as well as HIPAA-specific policies that apply specifically. Vendors should be able to articulate a range of policies that demonstrate information security processes, access control plans, disaster recovery plans, breach notification policies, and network configuration standards, as well as risk assessments that assess compliance with these policies.

Employee HIPAA Awareness & Security Training

All of the vendor’s employees should undergo two different types of training – HIPAA-specific awareness training, as well as general security standards training.

Here’s what to ask:

  • Are both sets of training managed by a HIPAA Compliance, Privacy, or Security Officer?
  • Is documentation kept to confirm that training has been completed by all staff members?
  • Is training administered on an annual, rolling basis to all staff?
  • Are partners, employees and independent contractors included in the training?
  • Do workers with high degrees of data access have job-specific training on privacy and security procedures?
  • Have all staff read and legally attested to following HIPAA policies and procedures?
  • Has the third-party assessor interviewed staff to check their skills, knowledge and training?
  • Is the training supported by a wider security awareness program that reinforces best practices throughout the year, for example through the use of motivational slogans, login access banners, videos, posters or other awareness materials?
What to watch out for: Check that training records are appropriately stringent and don’t allow any employees to fall through the gaps. For example, ensure that new employees receive training as part of their onboarding, and that all staff receive annual refresher training.

Business Associate Agreements (BAA)

HIPAA-compliant vendors should be happy to sign a BAA acknowledging their liability for the security of a healthcare provider’s PHI. The vendor should also ensure that any third-party firms they could transmit PHI to (for example, Amazon Web Services servers or Google Dialogflow’s language processing services) also acknowledge their responsibilities as a BA.

Here’s what to ask:

  • Are BAAs standard or custom for each healthcare provider the vendor serves? If custom, what are the differences between the agreements?
  • Does the vendor charge for standard or custom BAAs?
  • Has the vendor identified all other third-party firms they could potentially transmit PHI to and ensured that they also signed a BAA?
What to watch out for: Where the vendor uses third-party firms who also need to agree to a BAA, ensure that those firms have acknowledged their responsibility for the security of PHI clearly and in writing, with reference to the specific processes they themselves agree to.

Breach Notification Processes

If a breach occurs, patient engagement software vendors have a responsibility to notify affected parties. HIPAA’s Breach Notification Rule lays out specific requirements. Vendors should therefore have a strict Breach Notification Process which should explicitly include several key criteria as outlined in the Act.

Here’s what to ask:

  • Are there guidelines for the timeliness of notification?
  • Are clear methods for notification outlined, for example written notice?
  • Are there guidelines for notification content?
  • Does the process provide notification to each individual involved in the breach?
  • Are there differentiated processes for breaches involving individuals versus larger-scale breaches?
  • Does the process acknowledge the role of appropriate law enforcement in breaches?
What to watch out for: HIPAA also includes a plain language requirement to ensure that any language used in breach notifications can be easily understood and interpreted by all parties, including the affected patient(s). Ensure this is accounted for in the vendor’s policy.

Wrap-Up

No two patient engagement software vendors will have the same processes, so when evaluating, ensure that at a minimum you ask for a copy of their BAA and most recent third-party risk assessment report. These documents will enable you to compare and contrast each vendor’s take on HIPAA compliance, their technical and operational capabilities, and the amount of responsibility they are willing to accept.

We hope that when it comes to protecting PHI, this guide provides a clear, transparent picture of what to expect from your patient engagement software vendor – allowing you to build a trusting and fruitful relationship that will endure for years to come.

About Jeff Epstein

Jeff is Comm100’s VP Product Marketing and Communications. He’s a B2B marketer with 20+ years’ experience creating compelling messaging and content for sales enablement and demand generation. Having held roles with companies including IBM, General Motors, and Comm100, Jeff knows how to connect solutions to buyers.