Many organizations in the non-emergency medical space have embraced technology to help streamline their operations and provide better service to their members. Having automated call taking and self-serve options for booking rides reduces the burden on staff and gives the member options on how best to achieve their transportation goals.
There are a lot of options out there for NEMT organizations to choose from, and it is not always clear what differentiates one software package from another.
One of the things that is easy to "gloss over" in the selection process is how secure the software package is and what steps the technology firm has taken to ensure they are a "PHI protector".
Choosing the wrong vendor can result in costly PHI breaches, reputational damage and even rejection from bidding on certain contracts. With organizational integrity on the line, it is important to properly evaluate how secure the technology you want to purchase is.
In this first part of our security series, we will focus on the most widely recognized standard of PHI security – HIPAA Compliance.
The challenge with HIPAA compliance is that there is no formal certification – it is all self-declared. There are numerous "testing companies" that give out their own "HIPAA Compliance Certificates", but it is impossible to tell if they are valid and properly protect PHI. So, what is to stop a technology firm from putting on their promotional material that they are HIPAA compliant, even though they aren't? In short: nothing.
Ask the firm for proof of an external audit and a statement of HIPAA Attestation from a reputable HIPAA testing firm. A HIPAA Attestation means a testing company has conducted a risk assessment and audit of a firm's technology with regard to the HIPAA regulations. Verify that the testing company has the proper expertise by checking out their website and asking for references.
Bottom line: you should never trust a technology company to just say they are HIPAA compliant. Ask to see the proof in the form of a letter of HIPAA Attestation and their audit report, which shows their risk score and how many critical or high vulnerabilities they have. If the technology firm can't supply you with the letter and report, it means they haven't done the proper due diligence to say they are HIPAA compliant. And that means your data is at risk.
Technology is a great way to reduce administrative burden and improve the member experience. To ensure your data is properly safeguarded, it is important to confirm that your prospective vendor is HIPAA compliant. Ask to see the details of what they are claiming before committing to them. Otherwise, you could find yourself in a precarious situation with your members’ data, and your reputation, at risk.