HIPAA: How to Handle a Vendor Selling HIPAA Services and Products

By Jay Masci

So what do you say when sales representatives call to sell their company's HIPAA services and products? What if they tell you that if you don't buy their HIPAA manual or sign up for their training course, you will become subject to major fines or penalties? How do you know if they have the appropriate HIPAA qualifications?

In this article, I will provide you with some simple facts and questions you can use to help determine if the vendor is reliable and is qualified to help you with your HIPAA compliance efforts. By knowing the facts and asking some simple questions, you can quickly uncover whether they understand HIPAA or if they are just looking to make a quick buck.

First, Know the Facts:

The HIPAA rules and their compliance deadlines are:

  • Privacy Rule: April 14, 2003;
  • Electronic Transactions and Code Sets:
    October 16, 2003 (if an extension was filed);
  • Security and Electronic Signatures:
    February 20, 2005;
  • Identifiers: No deadline yet;
  • Attachments: No deadline yet.

Here are general facts that can help you in dealing with a vendor:

  • You have to be considered a covered entity[1] to be required to comply with the HIPAA regulations; otherwise your organization is exempt.
  • Only the first three rules mentioned above (Privacy, Security, and Electronic Transactions and Code Sets) have been finalized and released; thus their compliance dates have been set.
  • Once a rule has been finalized and released, covered entities normally have 24 months in which to comply with the rule.

Ask the Vendor Some Clarifying Questions

Here are some questions that will help you decide if the vendor is qualified and can help your organization:

For Electronic Transactions:

Ask the vendor which billing software they are familiar with. Did they mention yours?

Ask them if they have guides that you can use to implement the transactions and code sets. Did they point you to the free implementation guides at the Washington Publishing Company's website, www.wpc-edi.com/hipaa/HIPAA_40.asp? Or are they trying to charge you for these guides?

What would they do for you that your software vendors are not already doing for you?

For Privacy:

Ask them if their training class is customized to include your policies and procedures. In order to be in compliance, your staff must be trained on your policies and procedures.

For additional information on the Privacy Rule and the responsibilities of an O&P business, see my article exclusively online in the March 2003 issue of The O&P EDGE at www.oandp.com/edge, titled "HIPAA Privacy: Are You Ready to Comply?" (Quick Find EDHIPAA303)

For Security:

Ask the vendor if there will be sweeping changes and amendments to the final Security Rule, as there were with the Privacy Rule. The fact is that no one knows if there will be changes and, if there are some, whether they will be major or minor. Based on the history of previously published HIPAA rules, your organization may want to wait to avoid any rework: there have always been amendments, and these amendments have generally been published a year after the final rule was published.

For All Other Rules:

Ask them if the final rule has been released and when the compliance deadline is. Did they say, "Yes, the rule was released," and provide you with a compliance deadline? If so, that is incorrect information, at least at the time of this writing.

My Advice

1. Seek clarification from the source if you question what the vendor is saying. Go to the following websites, which have FAQs that cover a lot of ground and can answer most of the commonly asked questions:

2. Ask for references to see what other clients say about the vendor.

3. Ask who provided legal counsel for the development of their offerings, and if you can have the legal counsel's contact information.

[1] "A covered entity" means a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a standard transaction defined by HIPAA.

While all information presented here is believed to be correct at the time of writing, this article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult with an attorney.

Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. To contact Provaliant, visit www.provaliant.com or call 480.952.0656.