Does your HIPAA-Compliant Vendor Actually Practice Compliance?

by ih-coc admin

In recent news, a third-party IT vendor for the Arc of Erie County indirectly caused a $200,000 fine to be levied on this non-profit by the NY Attorney General. The vendor in question, Best Medical Transcription out of Georgia, was “hired to transcribe dictations of medical notes, letters, and reports by doctors at Virtua”. The violation took place when “the vendor misconfigured a password-protected file transfer protocol (FTP) server, allowing the site to be accessed without a password” (Donovan, 2018). The HIPAA violation was uncovered by a forensic investigator, who was able to find Arc of Erie County clients’ ePHI through a basic internet search using a variety of search engines.

This lack of a log-in requirement, one that was not uncovered by any internal review or QA check, was all it took for the Arc of Erie County to now be subject to a review and revision of its security and privacy-related procedures.

When it comes to third-party IT vendors, apart from password requirements, the following technical steps are recommended to ensure compliance with the HIPAA Security and Privacy Rules:

  • Encryption for both in-transit and at-rest data
  • Installation of SSL certificates
  • Backups used to meet the mandated availability requirements should be offsite continuous data protection (CDP) backups that allow for easily accessible remote copies of the data.
  • Additional security maintenance can be provided by firewall and multifactor authentication (Popa, 2018)
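The Arc of Erie County incident and the first two items above (no-password access, in-transit encryption, certificate installation) come down to a handful of settings in the FTP server's configuration. The following is an added example, not code from the original article or from either organization it names; it assumes the vsftpd key=value configuration format, and both sample configurations are constructed for illustration. The audit flags a server that accepts anonymous logins or moves credentials and file contents without TLS, which is the kind of internal QA check the article notes was missing.

```python
"""
Audit an FTP server configuration for the weaknesses discussed above:
anonymous (no-password) access and missing transport encryption.
Assumes the vsftpd key=value format; the sample configs are constructed.
"""
from __future__ import annotations

# Constructed sample resembling the misconfiguration described in the article.
WEAK_CONFIG = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# Constructed sample of the corrected settings: password-only access, TLS forced.
HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.org.pem
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


# (key, required value, vsftpd default when the key is absent, finding text)
# Defaults follow the vsftpd man page; confirm them against your installed build.
CHECKS = [
    ("anonymous_enable", "NO", "YES",
     "logins accepted without a password (anonymous FTP)"),
    ("anon_upload_enable", "NO", "NO",
     "anonymous users may upload files"),
    ("ssl_enable", "YES", "NO",
     "credentials and file contents travel in cleartext (no TLS)"),
    ("force_local_logins_ssl", "YES", "YES",
     "logins permitted over a non-TLS control channel"),
    ("force_local_data_ssl", "YES", "YES",
     "transfers permitted over a non-TLS data channel"),
]


def audit(text: str) -> list[str]:
    """Return one finding string per failed check; an empty list means clean."""
    settings = parse_config(text)
    findings: list[str] = []
    tls_on = settings.get("ssl_enable", "NO").upper() == "YES"
    for key, required, default, finding in CHECKS:
        # The force_local_* keys only take effect once TLS is on; without TLS
        # the ssl_enable finding already reports the cleartext exposure.
        if key.startswith("force_local_") and not tls_on:
            continue
        actual = settings.get(key, default)
        if actual.upper() != required:
            findings.append(f"{key}={actual}: {finding}")
    # TLS is only as good as the certificate actually installed for it.
    if tls_on and "rsa_cert_file" not in settings:
        findings.append("rsa_cert_file missing: TLS enabled without an explicitly installed certificate")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run against a real vsftpd.conf with `audit(open("/etc/vsftpd.conf").read())`; the check list is deliberately small and should be extended with whatever other settings the vendor's BAA or SLA commits to.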

However, these technical steps are not enough. Under HIPAA, a third party that handles PHI or ePHI through the services it is contracted to provide to the covered entity (for example, a clinic, medical support, social services, or health organization) is considered a business associate. According to Spannbauer (2018), before an organization grants access to any vendor, “both parties must enter into a contract that details commitments to HIPAA compliance and provides assurances relating to the safeguarding of PHI and ePHI.” Such a contract is officially titled a Business Associate Agreement (BAA).

To keep your organization sufficiently risk-averse, take measures to confirm that your third-party vendor practices an appropriate level of HIPAA compliance. For instance, before sharing any patient information with a third-party vendor or Business Associate (BA), ensure that the vendor shows evidence of the following:

  • Proof of their commitment to HIPAA and that they understand they are operating as a BA, documented as:
      o Evidence of the vendor’s HIPAA compliance
      o Evidence of the vendor’s administrative capabilities
      o Evidence of the vendor’s HIPAA policies and procedures, “such as a recent risk analysis and evidence of employee training”
  • Proof that they understand and properly apply the HIPAA Security Rule and the HIPAA Privacy Rule to the processes and procedures that define how the vendor collects, stores, shares, transmits, and disposes of PHI or ePHI.
  • Evidence of risk management policies, including designated HIPAA Privacy and Security Officials and a response plan for security breaches and the associated notifications.
  • A signed, appropriately completed copy of the BAA, always on hand (Spannbauer, 2018).

Ideally, your organization should also:

  • Review the vendor’s Service Level Agreement (SLA) for HIPAA implications, since SLAs bear directly on the technical measures that protect and secure ePHI
  • Check in with other existing or past clients of the vendor to gain insight into the compliance levels maintained by the vendor (Chin, 2018)

Occasionally, it is not a BA that is responsible for an organization’s HIPAA violation but a separate department, especially when the organization is a “single, multi-disciplinary entity, like a university” (Sheppard Mullin Richter & Hampton LLP, 2018).

For a multi-disciplinary entity, including a medical organization with a research wing, HIPAA allows the organization to seek designation under the “hybrid entity standard” defined in 45 CFR §164.105(a) (Sheppard Mullin Richter & Hampton LLP, 2018). Such a designation allows the organization to distinguish between its HIPAA-covered and non-HIPAA-covered departments. Although obtaining the designation carries an initial cost, it allows the organization to “better manage its HIPAA compliance risk” (Sheppard Mullin Richter & Hampton LLP, 2018).



Chin, C. (2018, January 5). HIPAA Tip #6: Choosing HIPAA Compliant Vendors Wisely. Retrieved September 25, 2018, from

Donovan, F. (2018, September 11). Arc of Erie County Hit With $200K Fine for HIPAA Violation. Retrieved September 25, 2018, from

Sheppard Mullin Richter & Hampton LLP. (2018, September 24). Are You a "Hybrid Entity" under the Health Insurance Portability and Accountability Act of 1996? The $4,348,000 Question | Lexology. Retrieved September 25, 2018, from

Spannbauer, B. (2018, August 09). Are your vendors HIPAA compliant? Find out before it's too late. Retrieved September 25, 2018, from