If you’re using any IT services such as online backup, antivirus, or monitoring, or you use such a company for onsite or remote support, you need to make sure you’re using a HIPAA compliant IT company.
But, how do you know if an IT company is HIPAA compliant? You need to ask the right questions, and do a little bit of research. Here are some things to look for in a HIPAA compliant IT company.
Business Associate Agreement (BAA)
The first and most obvious thing you’ll need from a HIPAA compliant IT company is a Business Associate Agreement. It’s usually a good idea to adapt the company’s own BAA, as theirs will be specific to the services that they offer. Alternatively, you might have a BAA that you like to use for your third party contractors. If that’s the case, make sure to look theirs over as well so that you can incorporate the specifics of what the company is offering you. IT companies provide a range of services, and each one will need to be addressed in the BAA that you sign with them.
Speak with their HIPAA Privacy Officer
Since all business associates and contractors must adhere to the same strict standards under HIPAA that you do, they will for sure have their own HIPAA Privacy Officer. This person should be your point person for chats about HIPAA, and having gone through the extensive process of creating a compliance policy binder, this person will have valuable information at their fingertips.
You should ask the privacy officer at the HIPAA compliant IT company specific questions. You can even ask for copies of the forms and policies they use when handling patient data. For example, if your IT company ever takes a PC into their facility to work on it, or restores a server on their bench, they will need very strict policies and forms that must be followed if they are truly to comply.
Think outside the box on this one – ask their privacy officer to speak to compliance across their business, not necessarily within the specific services that they provide, but throughout their entire business model. Here are a couple of questions you can ask:
- Is any patient data kept at their office?
  - If “no” is the answer, then ask them if they work on servers and workstations on their bench.
  - If “yes” is the answer, then they are likely lacking the policies they need for compliance.
- If patient data is kept at their office, then ask for the methods they use to ensure audit trails for access of that data.
- What is their Disaster Recovery Plan?
  - Even if they don’t keep patient information onsite, they will need a disaster recovery plan.
  - Do they test it? When was the last time?
There are many other questions you can think of to ask. Asking pointed questions of the HIPAA privacy officer is a great way to assess whether or not you have a HIPAA compliant IT company as a business associate.
Assess their Remote Software
Even if your IT company never has patient data in their facility, they will lay their eyes on patient data as a matter of course. During remote support, patient charts might be open on the screen, or a technician may need to go into accounts and look at data in order to troubleshoot an issue. Here are some questions to ask about their remote support policies:
- Are their remote connections encrypted?
- Are their remote connections auditable?
- Can they run reports on who has accessed what system, when, and for how long?
- Does each tech have their own username and password to the remote management software?
- Do they have a time-out period for open sessions?
- Is two-factor authentication in place?
- Are there any autologins?
- Does each network accessed require a different password than any other?
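The remote-support questions above map directly onto controls you can verify from a session export, not just from the vendor's answers. The script below is an added example (not code from the original article or from any remote-management product): it runs the checklist over a constructed set of session records, flagging unencrypted transport, shared technician accounts, missing two-factor authentication, auto-logins, idle sessions that outlive the time-out, and one credential reused across more than one client network. The record format, field names, shared-account list and 15-minute idle limit are all assumptions chosen for illustration.

```python
"""Audit remote-support session records against the HIPAA remote-access checklist.

Added example. The export format and every field name below are constructed
for illustration; substitute your vendor's real audit-log fields.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one dict per remote session.
SAMPLE_SESSIONS = [
    # clean session: named tech, MFA, encrypted, short idle time
    {"id": "s1", "tech": "alice", "client_network": "clinic-a",
     "encrypted": True, "mfa": True, "auth_method": "interactive",
     "credential_id": "cred-a1", "start": "2024-03-01T09:00:00",
     "end": "2024-03-01T09:40:00", "idle_minutes": 4},
    # shared "support" login with no second factor
    {"id": "s2", "tech": "support", "client_network": "clinic-b",
     "encrypted": True, "mfa": False, "auth_method": "interactive",
     "credential_id": "cred-b1", "start": "2024-03-01T10:00:00",
     "end": "2024-03-01T10:20:00", "idle_minutes": 2},
    # unencrypted transport, auto-login, and idle far past the time-out
    {"id": "s3", "tech": "bob", "client_network": "clinic-a",
     "encrypted": False, "mfa": True, "auth_method": "autologin",
     "credential_id": "cred-a1", "start": "2024-03-02T08:00:00",
     "end": "2024-03-02T12:00:00", "idle_minutes": 45},
    # otherwise clean, but reuses clinic-a's credential on another network
    {"id": "s4", "tech": "bob", "client_network": "clinic-c",
     "encrypted": True, "mfa": True, "auth_method": "interactive",
     "credential_id": "cred-a1", "start": "2024-03-02T13:00:00",
     "end": "2024-03-02T13:15:00", "idle_minutes": 1},
]

# Constructed list of generic logins that defeat per-tech accountability.
SHARED_ACCOUNTS = {"support", "admin", "helpdesk"}

MAX_IDLE_MINUTES = 15  # assumed time-out policy for open sessions


def session_duration_minutes(session):
    """Wall-clock length of a session, for the 'for how long' report."""
    start = datetime.fromisoformat(session["start"])
    end = datetime.fromisoformat(session["end"])
    return int((end - start).total_seconds() // 60)


def audit_session(session, max_idle_minutes=MAX_IDLE_MINUTES):
    """Return the list of checklist controls a single session violates."""
    findings = []
    if not session["encrypted"]:
        findings.append("unencrypted transport")
    if session["tech"] in SHARED_ACCOUNTS:
        findings.append("shared account (no per-tech username)")
    if not session["mfa"]:
        findings.append("no two-factor authentication")
    if session["auth_method"] == "autologin":
        findings.append("auto-login used")
    if session["idle_minutes"] > max_idle_minutes:
        findings.append(
            f"idle {session['idle_minutes']} min exceeds "
            f"{max_idle_minutes} min time-out")
    return findings


def audit(sessions, max_idle_minutes=MAX_IDLE_MINUTES):
    """Map session id -> findings, keeping only sessions with at least one."""
    results = {s["id"]: audit_session(s, max_idle_minutes) for s in sessions}
    return {sid: f for sid, f in results.items() if f}


def credential_reuse(sessions):
    """Credential ids seen on more than one client network (the last question)."""
    networks = defaultdict(set)
    for s in sessions:
        networks[s["credential_id"]].add(s["client_network"])
    return {cred: sorted(nets) for cred, nets in networks.items() if len(nets) > 1}


def access_report(sessions):
    """Who accessed which network, when, and for how long (the 'auditable' question)."""
    return [(s["tech"], s["client_network"], s["start"],
             session_duration_minutes(s)) for s in sessions]


if __name__ == "__main__":
    for sid, findings in audit(SAMPLE_SESSIONS).items():
        print(sid, "->", "; ".join(findings))
    print("credential reuse:", credential_reuse(SAMPLE_SESSIONS))
    for row in access_report(SAMPLE_SESSIONS):
        print("access:", row)
```

Run it as-is to see the constructed violations; to use it for real, replace `SAMPLE_SESSIONS` with rows parsed from the vendor's own audit export and adjust the field mapping. If the vendor cannot produce an export with these fields at all, that by itself answers the "are their remote connections auditable" question.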
If you’ve asked all the questions you need to confirm that you have a HIPAA compliant IT company, then you can believe that they will help you maintain your own compliance. On the other hand, if your IT company is lacking in their own compliance, chances are that they won’t do a great job getting you to compliance either. Do your research, ask the right questions, and for good measure, look over some of their internal policies and forms so you know how they handle patient data when it does arrive in their facility.