Don't Be Fooled by Vendors' 'HIPAA-Compliant' Labels
Healthcare Partner Shannon Hartsfield was quoted in AAPC's March Health Information Compliance Alert about the importance of verifying "HIPAA-compliant" labels.
Many vendors target the healthcare market with promises that their products are HIPAA-compliant. Unfortunately, HIPAA compliance can't be bought, and these claims won’t stop the feds from investigating if your organization has a violation or data breach. Therefore, it is important for covered entities (CEs) and their business associates (BAs) to thoroughly vet third-party vendors before entering into business with them. This might involve an initial scorecard to test a vendor's knowledge of the HIPAA basics, followed by a more comprehensive investigation of its compliance practices, breach history, and incident response protocols.
As required by HIPAA, CEs and BAs must secure patients’ protected health information, and they “would be wise to use caution in evaluating companies that promise ‘HIPAA compliance,’” advises Ms. Hartsfield. “A lot of customers want to see that characterization, and companies selling their services want to provide it. In my view, because HIPAA compliance is an ongoing process, it would be wise to avoid making representations that attempt to ensure 100 percent compliance,” she says.
Advertisements that claim products are “HIPAA compliant” or “HIPAA certified” should always be questioned, she notes. “If a healthcare provider is evaluating a company that says they’re ‘HIPAA compliant,’ it would be important to try to get a full understanding of what the vendor means by that,” Hartsfield continues. “And if a vendor says it’s ‘HIPPA compliant,’ you may need to run the other way! Misspelling HIPAA can be a real red flag.”
READ: Don't Be Fooled by Vendors' 'HIPAA-Compliant' Labels (Copyright AAPC)