Is Your Data Secure? Part 1 – HIPAA Compliance

Many organizations in the non-emergency medical transportation (NEMT) space have embraced technology to streamline their operations and provide better service to their members. Automated call taking and self-serve options for booking rides reduce the burden on staff and give members a choice in how best to meet their transportation needs.

There are a lot of options out there for NEMT organizations to choose from, and it is not always clear what differentiates one software package from another.

One thing that is easy to “gloss over” in the selection process is how secure the software package actually is, and what steps the technology firm has taken to make itself a genuine “PHI protector” rather than just claiming to be one.

Choosing the wrong vendor can result in costly PHI breaches, reputational damage and even disqualification from bidding on certain contracts. With organizational integrity on the line, it is important to properly evaluate how secure the technology is before you purchase it.

In this first part of our security series, we will focus on the most widely recognized standard of PHI security – HIPAA Compliance.

They say they are “HIPAA Compliant” … but are they really?

The challenge with HIPAA compliance is that there is no formal, government-issued certification; compliance is self-declared. HHS does not certify software or vendors. There are numerous “testing companies” that hand out their own “HIPAA Compliance Certificates”, but there is no central registry, so it is hard to tell whether a given certificate reflects a real assessment or properly protects PHI. So, what is to stop a technology firm from printing “HIPAA compliant” on its promotional material even though it isn’t? In short…nothing.

Ask the firm for proof of an external audit and a letter of HIPAA attestation from a reputable, independent HIPAA testing firm. A HIPAA attestation means a third party has conducted a risk assessment and audit of the firm’s technology and practices against the HIPAA regulations (in particular the administrative, physical and technical safeguards of the Security Rule). Verify that the testing company has the proper expertise by reviewing its website and asking for references, and check the date of the audit: an attestation is a point-in-time snapshot, so a report that is several years old says little about the system you would be buying today. Finally, any vendor that stores or processes PHI on your behalf is a business associate under HIPAA and must sign a Business Associate Agreement (BAA) with you; a firm that claims compliance but will not sign a BAA should be a red flag.

Bottom line – never take a technology company’s word that it is HIPAA compliant. Ask to see the proof in the form of a letter of HIPAA attestation and the audit report behind it, including the overall risk score and the number of critical or high-severity findings that were open at the time of the audit and how they were remediated. If the technology firm cannot supply the letter and the report, it has not done the due diligence needed to call itself HIPAA compliant. And that means your data is at risk.

Moving Forward

Technology is a great way to reduce administrative burden and improve the member experience. To ensure your data is properly safeguarded, confirm that your prospective vendor is HIPAA compliant, and ask to see the details behind the claim before committing. Otherwise, you could find yourself in a precarious situation, with your members’ data, and your reputation, at risk.

Read “Part 2 – HITRUST and Hosting” of this series

Steve Dewis

Steve Dewis is the General Manager for Momentm. He has spent the last 25 years directing technology companies, specializing in operations, strategy, change management and risk mitigation. Steve is a tribal leader who strives to build a high performing culture and deliver exceptional value for his customers. He is a registered professional engineer and avid swimmer and downhill skier.
