Which HIPAA compliance company is right for you?

Tod Ferran HIPAA Security Analyst
By: Tod Ferran
Getting a third party’s assistance is often less work and cost than trying to comply with HIPAA yourself. The question is…how do you select a reputable firm?
Here are some questions you should ask before outsourcing HIPAA.

What are your objectives?

Before you start the process of vetting your future vendor, you’ve got to ask yourself what you want from the relationship. Here are some preliminary questions to ask yourself as you create your list of wants.
  • Do you have HIPAA goals? What are they?
  • Do your employees need training? How often?
  • How long do you want the relationship to last?
  • How much control do you want over your compliance?
  • Are you just looking to check HIPAA compliance boxes? Or are you actually looking to secure patient data?
Pay special attention to that final question. Many companies focus on getting you compliant but don’t have the expertise, technology, or know-how to actually get you secure… which is the whole point of HIPAA compliance.

As you list out your vendor requirements, I suggest prioritizing them based on importance to your compliance program. Here’s a sample list I put together:
  1. Views HIPAA as an ongoing security process, not a one-time sale
  2. Good client references
  3. Offers great customer support
  4. Offers employee security training
  5. Can help us complete HIPAA risk analysis by the end of the year
  6. Vendor pricing fits compliance budget
  7. Willing to have a weekly call with compliance officer
  8. Annual visit onsite to analyze HIPAA security
  9. Will work with our business associates for HIPAA compliance
  10. Online reporting tool to track progress

Do you need a HIPAA audit instead?

If you have more than a couple of providers or you are a business associate, you need an onsite HIPAA audit instead of trying to complete your HIPAA risk analysis and HIPAA risk management plan by yourself.

Generally speaking, larger organizations have more complex network technology and processes. It is because of this fact that hiring a security expert to physically come onsite to ensure your organization has adequately met all HIPAA requirements is so important.

As a business associate, you want the covered entities you work with to know you are dedicated to HIPAA compliance. This assurance can only be gained by having a 3rd party compliance and security expert validate your adherence to HIPAA and your commitment to protecting the data they are entrusting to you.

If you are a small doctor’s office, a HIPAA audit may be cost prohibitive. A Guided HIPAA Compliance service might better suit your size.

How much help do you need?

Many companies provide compliance tools or templates, but don’t support their tools with live experts to help you get through the process. If you’d rather undergo the HIPAA process yourself, just purchasing a template for compliance likely won’t be enough for your organization.

Most of the individuals I have met who are in charge of HIPAA compliance (even compliance/risk officers) do not understand the technical nuances of the HIPAA Security Rule enough to do a complete and thorough job on their own.

For example, do you understand the correct way to configure your network firewall? What about encrypting your patient data when transmitting through email? Do you know how to ensure two-factor authentication in your remote access application?

Unless you’re a security expert, the answer is probably no.

Having an expert available to answer your questions and help you through technical items will 1) help you become more secure and 2) help you accurately and thoroughly attest to your HIPAA compliance.

Getting help is more than just an available customer service team. Because HIPAA is not just a one-time thing, it’s a good idea to stay up on the latest mandates, tips, best practices, etc.

Research the educational resources your compliance vendor offers, such as:

How much expertise does this company have?

As I mentioned above, one of the main reasons to outsource HIPAA compliance to a vendor is that they have expertise you don’t. However, beware of vendor ‘experts’ who aren’t experts in HIPAA or security, such as lawyers, accountants, or IT vendors.

A good rule of thumb when determining if your vendor has the right kind of expertise is to ask the question: Does this HIPAA expert know the technical properties of encryption, firewalls, and vulnerability scanning, and how each relate to HIPAA compliance and security?

Attorneys and CPAs understand the HIPAA Privacy Rule and general legalese. In fact, I bet they’re really good at crafting privacy policies. However, they have little to no experience with security, a very important trait when considering the HIPAA Security Rule.

IT specialists, on the other hand, understand technical aspects well, but don’t understand the security side or the HIPAA mandate behind it. It’s difficult for them to fulfill HIPAA requirements for a business.

Seasoned HIPAA security experts provide best practice tips, proper training, and security consultation. They have years of experience in both the healthcare and security fields.

Look for third party indications that the company you’ll be working with is experienced and validated:
  • Product awards
  • Customer testimonials
  • Credentials (HCISPP, CISSP)
  • Experts with backgrounds in healthcare and security

What other services does the company provide?

Many companies provide effective online compliance training courses, policies, or templates, and market that as their HIPAA compliance product. Unfortunately for those vendors, there is much more to HIPAA than a policy or training exercise.

That’s why I recommend looking for a full-service HIPAA vendor.

HIPAA isn’t just about completing a risk analysis, or having a notice of privacy practices sent to patients. There are many facets required of entities, so having one vendor that offers HIPAA policies and procedures, employee HIPAA training, vulnerability scanning, a business associate compliance program, a risk analysis, onsite HIPAA audits, and breach protection can minimize time, cost, and the headache of finding different vendors for each.

Some great services outside the normal HIPAA regimen include:
  • Breach protection: breach protection programs reimburse costs relating to compromise up to a financial limit (e.g., $100,000)
  • Vulnerability scanning: automated, affordable, high-level tests that identify known weaknesses in network structures. Some are able to identify more than 50,000 unique external weaknesses.
  • Penetration testing: also known as an ‘ethical hack’, a team of white hat hackers will test your website, patient portal, or other Internet-facing networks and applications to see if there is a way into your patient data using common hacker tools.

What do your budget and timeframe allow?

Pricing isn’t everything, but if you have a budget to stick to, you want to make sure you get your money’s worth. Unfortunately, all too often I see entities that don’t take HIPAA and patient data security seriously enough and allocate too little budget. Please understand that HIPAA is a cost of doing business in the healthcare world; it’s not cheap, and our patients have entrusted us with their information expecting that we will protect it properly.

See Also: Five Things to Consider When Making a HIPAA Security Budget

If your budget is pretty stringent, and educating upper management about the risks and costs of a data breach has failed, here are some tips to ensure your vendor will fit your budget:
  • Ask your vendor for a free trial or discount to test out their services
  • Start with a reduced plan, and add services to it as your budget increases
  • Ask if you can cancel parts of the product (such as customer service) to reduce cost
  • Be sure to document your efforts not only in attempting to be HIPAA compliant, but also in educating management on the need to make security and compliance a very high priority.
Not only should your vendor be cost-effective, they should also be able to deliver to your goals in the timeframe you specify. Vendors with documented and customizable HIPAA plans unique to your organization are preferred for this reason.

Who should you choose?

There are too many variables in each healthcare organization for anyone to make the decision for you. The right choice for you depends on:
  • Your size
  • Your budget
  • How much time you can devote to HIPAA
  • How much assistance you require from security experts
  • Etc.
A final word of caution: For the sake of your patients’ data security, stay away from companies just focused on “getting you compliant”, not “getting you secure.” HIPAA vendors like that are just looking to make a quick buck, not looking to help you meet every HIPAA requirement and secure your patient data.

I’d love to answer your questions about how to choose the right HIPAA compliance vendor for your organization. Feel free to set up a call with me or one of our experienced security experts.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.