
Protect Your Practice: Vendor Due Diligence

Blog, Jan 28, 2022

When you run a private medical practice, you will invariably hire outside vendors to perform services. If a vendor will create, receive, maintain, or transmit protected health information (PHI) on your behalf, HIPAA requires a Business Associate Agreement (BAA) with that vendor. But before you sign the service contract and the BAA, you should conduct due diligence so that you choose a vendor who is actually able to protect that information.

What is Due Diligence?

Due diligence is the evaluation you perform on the other party before entering into an agreement. Its goal is to establish that the vendor you are considering is financially solvent, operating legally, and trustworthy.

Due Diligence in the Context of HIPAA

The Department of Health and Human Services (HHS), through the HIPAA Privacy Rule, requires a written BAA in addition to the ordinary service contract or service level agreement (SLA). Said another way, you need both the contract or SLA that defines the scope of services and the BAA for any vendor who will have access to protected health information. Read narrowly, the rule asks only for the BAA: having a signed BAA between your practice and a vendor satisfies the letter of HIPAA.

By signing the BAA, the vendor, now your Business Associate (BA), agrees to safeguard protected health information and is expected to have its own policies and procedures in place. That said, vendor breaches are common, and you have no control over how the business associate runs its business.

When a BA causes a HIPAA breach, the BA is directly liable for its own violations, but you, as the covered entity, remain responsible for responding to the breach and for notifying the affected patients and HHS. Therefore, you will want to go beyond signing a BAA as your due diligence. You need to take steps to determine whether your BAs can and will meet HIPAA security requirements.

A Pre-Contract Vendor Security Survey

While asking a vendor to complete a security survey before negotiating an agreement may not be required, it can help determine whether the vendor can meet your security expectations.

Pre-contract questions should address these issues:

  1. Identity: Is the vendor who it claims to be? Verify the legal entity name, address, and business registration rather than relying on the vendor's website or sales materials.
  2. Finances: Is the vendor financially sound? Does it have outstanding debts, weak revenue streams, or other significant liabilities that could put its service, or your data, at risk?
  3. Reputation: Ask for references. Read publicly available reviews. Ask your colleagues.
  4. Geography: Where will your data be stored, processed, and backed up, and in which country? Will any subcontractors handle it?
  5. Does the vendor conduct a security risk analysis? When was the last one completed, and were the findings addressed?
  6. When did the vendor last train its employees on HIPAA? What is the training process, and how is completion tracked?
  7. What security safeguards (administrative, physical, and technical) does the vendor have in place to protect ePHI? Ask specifically about encryption in transit and at rest, access controls, audit logging, and backups.
  8. What policies and procedures does the vendor have, and how does it verify that employees follow them?

Security is not simply a HIPAA issue; it is a business issue that can have significant financial consequences. Going the extra step to understand how your vendor will prevent unauthorized access to your data is a small price compared with the hassle and cost it will save you. A sample HIPAA business associate security questionnaire is a useful starting point when evaluating potential vendors.

An exclusion search will surface red flags

An exclusion search can help you determine whether a vendor has been excluded from participating in federal healthcare programs. An exclusion usually indicates that the vendor, or one of its principals, has engaged in illegal or fraudulent behavior.

You will want to check these exclusion lists:

  1. List of Excluded Individuals and Entities (LEIE)

The HHS Office of Inspector General (OIG) maintains the LEIE. Individual providers and entities are placed on the list for Medicare or Medicaid fraud, patient abuse or neglect, felony convictions for other healthcare-related fraud, theft, or financial misconduct, and felony convictions for unlawful manufacturing, distribution, prescription, or dispensing of controlled substances. The LEIE can be searched online or downloaded in bulk; screen the vendor's owners and key personnel as well as the entity name, because exclusions attach to individuals.

One reason to search the LEIE is that OIG can impose civil monetary penalties on a provider that contracts with an excluded person or entity for items or services payable by a federal health care program. In addition, some states maintain their own exclusion lists prohibiting entities from participating in state-run programs.

  2. Centers for Medicare and Medicaid Services (CMS) Preclusion List

The CMS Preclusion List identifies prescribers, individuals, and entities that Medicare Advantage plans may not pay for items or services, and whose Part D prescriptions may not be covered. A listing lasts for the length of the CMS re-enrollment bar or, for a felony conviction, a fixed period set by CMS, so check the current list rather than relying on an old search.

  3. System for Award Management (SAM)

SAM.gov is the federal registry of entities that do business with the government, and it also carries the government-wide exclusion records. Use its exclusion search to determine whether a vendor has been suspended or debarred.
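To make the exclusion search repeatable and documented rather than a one-off web lookup, here is an added example (mine, not code from the original post or from OIG, CMS, or SAM) that screens a vendor list against an LEIE-style CSV export. The column names follow the OIG bulk download, with unused columns omitted; every row and every vendor below is constructed sample data, not a real exclusion. It matches on NPI first (after a Luhn check, so a mistyped NPI is never trusted), then on a normalized name, and reports HIT, REVIEW, or CLEAR instead of a bare yes/no, because name matching is heuristic and a REVIEW still needs a human decision.

```python
"""Screen a vendor list against an LEIE-style exclusion export.

Added example, not code from the original post. Column names follow the
OIG LEIE bulk download (LASTNAME, FIRSTNAME, BUSNAME, NPI, EXCLTYPE,
EXCLDATE; the real file has more columns, omitted here). The rows and
vendors below are constructed sample data, not real exclusions.
"""
import csv
import io
import re

# Constructed exclusion export (sample data, not real LEIE records).
SAMPLE_LEIE_CSV = """LASTNAME,FIRSTNAME,BUSNAME,NPI,EXCLTYPE,EXCLDATE
,,ACME MEDICAL BILLING INC,1234567893,1128a1,20200115
DOE,JOHN,,1987654328,1128b4,20190301
,,SUNRISE TRANSCRIPTION SERVICES LLC,,1128a3,20210601
"""

# Constructed vendor list: name as written on the proposal, NPI if supplied.
VENDORS = [
    {"name": "Acme Medical Billing, Inc.", "npi": ""},
    {"name": "Sunrise Transcription", "npi": ""},
    {"name": "Dr. John Doe", "npi": "1987654328"},
    {"name": "Northwind Cloud Backup LLC", "npi": ""},
]

# Tokens that carry no identity and only defeat exact comparison.
NOISE = {"INC", "LLC", "LTD", "CORP", "CO", "PC", "PLLC", "DR", "MD", "THE"}


def normalize(name):
    """Uppercase, strip punctuation and corporate/title noise, return a token tuple."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return tuple(t for t in tokens if t not in NOISE)


def valid_npi(npi):
    """Luhn check of a 10-digit NPI with the CMS '80840' prefix, so a mistyped
    NPI is rejected instead of silently failing to match (or matching wrongly)."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def load_exclusions(csv_text):
    """Parse the export and pre-compute the comparable name for each row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        person = " ".join(p for p in (r["FIRSTNAME"], r["LASTNAME"]) if p)
        r["_tokens"] = normalize(r["BUSNAME"] or person)
    return rows


def screen(vendor, exclusions):
    """Return (verdict, row). A valid NPI match is a HIT outright. Identical
    name tokens are a HIT; one name contained in the other is REVIEW (a human
    decides); anything else is CLEAR for this list."""
    vt = set(normalize(vendor["name"]))
    npi = vendor["npi"] if valid_npi(vendor["npi"]) else None
    verdict, hit = "CLEAR", None
    for r in exclusions:
        rt = set(r["_tokens"])
        if npi and r["NPI"] == npi:
            return "HIT", r
        if vt and vt == rt:
            verdict, hit = "HIT", r
        elif vt and rt and (vt <= rt or rt <= vt) and verdict == "CLEAR":
            verdict, hit = "REVIEW", r
    return verdict, hit


def screen_all(vendors, exclusions):
    """Map each vendor name to its verdict."""
    return {v["name"]: screen(v, exclusions)[0] for v in vendors}


if __name__ == "__main__":
    excl = load_exclusions(SAMPLE_LEIE_CSV)
    for v in VENDORS:
        verdict, row = screen(v, excl)
        detail = ""
        if row:
            who = row["BUSNAME"] or f"{row['FIRSTNAME']} {row['LASTNAME']}"
            detail = f" -> {who} ({row['EXCLTYPE']}, {row['EXCLDATE']})"
        print(f"{verdict:6} {v['name']}{detail}")
```

In practice, run this against the current LEIE download on a schedule (the list is updated monthly), include the vendor's owners and key staff in the vendor list, and keep the output with the date of the download as evidence that the check was done. The same approach extends to the SAM exclusion export, which uses different column names.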

Protecting your practice against a HIPAA breach requires doing more than simply signing a BAA. Before you entrust protected health information to a BA, do a thorough assessment of the potential vendor, and repeat the exclusion checks on a schedule, since a vendor's status can change after you sign.
