After posting a health information exchange (HIE) security best practices article last week, a reader posed an interesting question: Where do HIE vendors fit into the equation?
HIE vendors consistently deal with electronic protected health information (ePHI) during training and, while some may comply with Health Insurance Portability and Accountability Act (HIPAA) regulations because of individual HIE rules, it isn’t in writing that they have to do so. This should be a concern for everyone that’s part of the effort toward decreasing healthcare data breaches, because their use of this data is unregulated and there don’t seem to be any security standards in the HITECH Act for vendors.
There are plenty of HIEs that prioritize vendor security. For example, according to the Arizona HIE website, it requires vendors to secure and audit their services:
“HISP vendors will complete a security audit and penetration test on their technology infrastructure and provide documented results to Arizona customers. The security audit and penetration test must be repeated on a regular basis as required by law and no less frequently than annually and as there are significant technology infrastructure changes. HISPS will also notify their customers of major findings and corrective actions and all known breaches.”
But Bobby Gladd, senior meaningful use adoption support project coordinator and HIPAA staff resource for HealtHIE Nevada, thinks that the requirements need to be in line with what HIEs and healthcare providers have to deal with. He believes that the language in Sec. 13401 of the HITECH Act applies to vendors and they should obey security rules without HIEs requiring them to do so:
“(a) Application of Security Provisions. — Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.”
The wording in this section of the act certainly looks like it should apply to both vendors and HIEs. Gladd, as an HIE and EHR consultant, works all the time with vendors that don’t need to follow HIPAA rules by the book. He said that vendors have access to ePHI and should adhere to the same standards as HIEs, which don’t even store data. What if a vendor’s employee is unhappy with his job or wants to steal information? He said that while vendors aren’t the sole reason for data breaches, there should be HIPAA audits for these companies as well to reduce risk.
The government often talks about the need for standardization and better security practices. Do you agree that vendors should be subject to the same rules as healthcare providers and HIEs? Let us know below if you think increasing vendor security will have an impact on diminishing health data security breaches.