Thomas Neault, account executive at NetSync Network Solutions, a Dallas-based VAR, also wasn't aware of the changes to HIPAA guidelines. He said his company doesn't use third-party subcontractors, but it will still have to look for areas of risk.
"As a company, we'll do our own internal audit first to make sure we're in compliance," Neault said. "Our engineers do mostly new configuration stuff so we don't really handle things that have current patient data on them. However, if we start getting into more in-depth consulting services, we're going to have to go back and re-evaluate and make sure we're compliant."
All solution providers should quickly review their agreements with subcontractors and get business associate contracts signed, advised Semel, of Semel Consulting.
"If you wait, an online backup company may not sign an agreement. How fast can you change your online backup provider?" he asked. "If you have a subcontractor that touches patient data, any data you give them is a data breach if they don't sign a contract. You just breached, and that is reportable and goes to the government. You don't want to be doing that."
VARs should also create written policies and procedures around who handles patient data and train their employees on guidelines to protect that data. Create a "chain of evidence" for how patient data is treated, he said.
For example, if a VAR takes a PC out of the healthcare organization's environment to perform a repair, the VAR needs to carefully document where that PC went if it has patient data on it.
"You can't just throw it on the back seat of a car. Call the office; tell them you have it. Lock it in the trunk. Bring it back to your office and hand it to a service coordinator to lock in a cabinet until the service work is done. Reverse that process to bring it back to the client," Semel said.
"You want to be able to document the process to show to an auditor if there ever was a data breach," he said.
PUBLISHED APRIL 15, 2013