Third-Party Vendors: Size Doesn't Matter
That’s right folks – if you are a healthcare third-party vendor, size doesn’t matter when it comes to HIPAA compliance. Healthcare third-party vendors that create, receive, maintain, and/or transmit protected health information (PHI) are required by law to comply with the regulations.
Did You Know?
A healthcare third-party vendor, referred to by the Department of Health and Human Services (HHS) as a business associate (BA), was invited to the HIPAA party in February 2013. Even after all this time, HIPAA compliance still remains a challenge for many Covered Entities (CEs) and their third-party vendors alike.
From Then Until Now
As reported by HIPAA Journal in their August 25, 2017, blog post, “HIPAA Business Associate Compliance”:
“In late 2016 – almost four years after the Final Omnibus Rule was enacted – the California Healthcare Foundation funded research into HIPAA Business Associate compliance. In the compilation of the “Business Associate Compliance with HIPAA” report, researchers conducted telephone interviews with sixteen Covered Entities ranging in size from small physician offices to large integrated health systems.
The researchers focused on the number and size of contracted third-party vendors, the types of services performed by third-party vendors, the “sophistication levels” of BAs, and the Covered Entities’ efforts to conduct due diligence on BAs and oversee HIPAA Business Associate compliance. It is important to note that, in California, BAs may also be covered by the state’s Confidentiality of Medical Information Act (CMIA).”
Sadly, even after almost ten years, third-party vendors remain unaware of their responsibilities and/or unsure how to comply with the HIPAA Security Rule in their environment.
Why Does It Matter?
Simple: third-party vendors can be, and have been, held directly liable for civil and, in some cases, criminal penalties for making unauthorized uses and/or disclosures of PHI. In 2018, there were 71 healthcare breaches that affected 5.4 million patients.
It is important that Covered Entities and their third-party vendors understand that patients are entrusting them with their most private and intimate details. Patients expect the provider and its third-party vendors to comply with the HIPAA rules and keep their information secure!