Security Must-Haves for Your Healthcare Data Management Provider: Key Questions to Ask

Healthcare organizations always have to be vigilant about data security. In fact, most approach it with a security-first mindset, internally. You should extend that same perspective to all your business partners, especially your healthcare data management provider. You need to have the utmost confidence in their security measures. Here’s how you can accurately assess them.

Assessing a Healthcare Data Management Provider

When seeking out a healthcare data management provider, there are specific security questions you should ask. Performing this due diligence should satisfy any concerns over compliance and safety protocols. 

Critical Questions to Ask:

• Have you ever had a PHI (protect healthcare information breach)? 
• Do you use HIPAA business associate agreements (BAA)?
• How are your processes HIPAA compliant?
• What encryption do you use? Is data encrypted during transit, rest, or both?
• Do your employees complete annual HIPAA compliance training?
• Does the provider use a data colocation provider with certifications? Is the data center have physical security 24/7?

What Are the “Right” Answers?

• PHI data breaches: Of course, you want this to be a no. However, should a provider have a breach in its history, you should ask for all applicable information regarding notifications, fines, and corrective measures.
• HIPAA BAA: These are mandatory when you share PHI. Before beginning any work, a vendor should provide this. It’s a big red flag if they don’t!
• HIPAA compliant processes and data security: The vendor should have rigorous and detailed security protocols relating to encryption, cybersecurity, data centers, adherence to HITRUST, two-factor authentication, and business continuity.
• Encryption: PHI should be encrypted during transit and at rest using 256-bit standards.
• HIPAA training: Every employee in a healthcare data management company should have annual training and certify their understanding of HIPAA through a scored test. 
• Data center details: Providers should use a top-tier colocation center that has a long list of certifications. The data center should be HIPAA and HITRUST compliant. Additionally, such an entity should have SOC 1, 2, & 3 Type 2 certifications. Finally, the location should have 24/7 physical security.

As you compare providers, create a matrix to check off their answers to these questions. Then you can accurately evaluate them. It should be a crucial part of your screening process. 

Dedicated to Security

We are proud to say we’ve never experienced a data breach in our over two decades of business. Pharmacies and healthcare organizations trust us with their PHI every day, and we have strong, consistent protocols in place. We also use one of the most reputable colocation companies, Flexential.