
Why Insurers Should Insist on HIPAA-Compliant AI Partners

Written by
Amrish Singh

If your tech and AI partners aren’t HIPAA-compliant, your company might not be HIPAA-compliant. Data breaches can happen anywhere in your supply chain, and if your business associates let sensitive information leak, you could face regulatory issues and reputational damage. That’s why it’s important to select tech and AI partners who handle all data with the care and security that HIPAA requires.

HIPAA Requirements for Vendors

The U.S. Department of Health and Human Services (HHS) says that HIPAA rules apply to both covered entities and their business associates. If you’re considered a covered entity and you use a vendor to help you carry out your healthcare activities or functions, you must have a written business associate contract or other arrangement with the business associate to establish specifically what the business associate is engaged to do. Additionally, the contract or other arrangement must require the business associate to comply with the HIPAA rules to protect the privacy and security of protected health information. 

Business associates can perform a range of services to assist covered entities. According to CMS, examples of business associates include (but are not necessarily limited to) the following:

  • TPAs that assist with claims processing
  • Consultants that perform utilization reviews
  • Healthcare clearinghouses that translate claims from nonstandard formats to standard transactions and forward the transaction to payers
  • Independent medical transcriptionists that provide services for physicians

Here’s a good rule of thumb: If the vendor comes into contact with protected health information, the company should follow HIPAA rules. Not only does this help you ensure that you’re staying compliant with HIPAA, but it also ensures the privacy and security of the patients you serve.

There Are a Lot of Ways for Sensitive Information to Get Out

Patient details must be kept private. However, protected health information, such as diagnoses, prescriptions and procedures, can be exposed when companies don’t follow HIPAA rules. Incidents could involve the healthcare provider or payer, but it’s also possible for incidents to involve various business partners. Consider the following scenarios:

  • A hacker targets the company you use to handle billing and payment collection. Ransomware is a growing problem, and companies with sensitive data – including protected health information – are often targeted. 
  • A tech glitch exposes sensitive data at a call center. Data that’s supposed to be kept private could accidentally be made accessible to anyone who looks for it.
  • An employee at a business partner accesses or shares information inappropriately. In some cases, workers have snooped in files and even posted protected health information online or shared it with their friends – a clear breach of HIPAA and patient privacy. In other cases, they may share information with a family member, thinking it’s acceptable when it is in fact a HIPAA violation.

The recent cyberattack on Change Healthcare is a good example of what can go wrong. According to AP News, Change Healthcare provides technology services that are used to submit and process billions of insurance claims each year. In February, Change Healthcare was hit with a ransomware attack. Hackers were apparently able to access the system because there was no multifactor authentication in place. Change Healthcare has published a HIPAA notice letting individuals know that their information may have been impacted and what they can do.

Strong security processes and training can greatly reduce the risks of incidents like these. However, it’s important to ensure that your vendors are being as careful as you.

HIPAA Violations Can Cause Headaches for Patients and Payers Alike

For patients, HIPAA breaches are a violation of trust and may lead to concerns regarding identity theft. For healthcare providers and payers, HIPAA breaches can be a regulatory, financial and reputational nightmare. This is true even when ransomware and other cyberattacks are the cause of the breach.

For example, HHS recently settled a case involving a practice management company that is a business associate for several covered entities. A ransomware attack infected the business associate’s server, and the unauthorized access was not noticed for many months. The company has agreed to pay a $100,000 penalty and comply with a corrective action plan.

A Partner You Can Trust

Here at Liberate, we take data security seriously, whether we’re dealing with payment details or protected health information. We’re both SOC2 and PCI compliant, and now we’re also HIPAA compliant. If you’re looking for a way to improve customer service while boosting efficiency and controlling costs – without sacrificing security – Liberate can help. Learn more about our Voice AI services.