Stacey A. Borowicz

Third-Party Technology Must Comply With HIPAA

December 16, 2013
Now more than ever, healthcare providers are looking to outsource standard healthcare functions, such as medical record storage, to third-party technology companies. Be mindful that any technology that stores or transmits protected health information must comply with HIPAA. Even though a third party controls the record storage technology, the healthcare provider retains ultimate responsibility for the privacy and security of its patients’ information.

The following checklist will assist you in your review of a Tech Company’s HIPAA compliance:
  1. Request a copy of the Tech Company’s HIPAA risk assessment and security safeguard policies and procedures.
  2. Engage an IT expert with HIPAA experience to review the provided materials and determine whether the relevant safeguards are in place.
  3. The written contract should address how the Tech Company will guarantee availability of data in a standard format once it is transferred to and controlled by Tech Company.
  4. The written contract should require Tech Company to send Provider regular back-ups of stored data in a standard format.
  5. The written contract should be terminable if the Provider experiences repeated availability issues.
  6. The written contract should guarantee free access to all data in a standard format during and after the term of the parties’ agreement. Beware that it may not be possible to migrate your data into the Provider’s future system.
  7. The written contract should require the Tech Company to abide by all applicable information and security laws, including HIPAA. The contract should include a Business Associate Agreement.
  8. The written contract should require the Tech Company to indemnify Provider from all liabilities arising from lost, destroyed or breached stored data. Because the value of patient data is difficult to calculate, consider a liquidated damages clause.
  9. The written contract should specify that the Tech Company does not own the Provider’s data but has a limited license to use the data for the purposes prescribed in the contract. The license should expire when the agreement terminates.
  10. Ensure that any terms and conditions of software use are provided before entering into a final contract, and review those terms and conditions for overly restrictive clauses (such terms and conditions are often referred to as Click-wrap, Browse-wrap, and Shrink-wrap Licenses).
Please exercise caution: not all Tech Companies or their products are secure.