Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” Full text can be found in the February, 2016, issue, but some excerpts regarding 6 tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.
As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.
During the course of our conversation with Marla, Elizabeth observed, “This type of problem [risk of using unreliable HIPAA software vendors] is going to increase as more physicians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”
The six tips listed by Marla are summarized as follows:
- Litten and Kline:
Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and if so, how the vendor responded.
- Kline: “Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.
- Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”
- Litten and Kline: “See what protections a software vendor contract may provide you.” For instance, if a problem occurs with the software or it’s not as advertised, if the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.
- Litten and Kline: “Don’t market or advertise that you provide a level of HIPAA protection or compliance on your web-site, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.
- Kline: “Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.
The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring performance of, software vendors to avoid liability for the foibles of its vendors.