HIPAA Vendor Assessments

HIPAA Analytics offers healthcare providers, vendor (Business Associates) due diligence consulting to ensure vendors meet required levels of HIPAA privacy and security. The assessment process is generally customized to meet provider requirements that focus on the nature of the vendor services, business process, types of data, and technology that support the provider. Depending on the scope of the assessment, project tasks may include;

  • Developing a due diligence vendor questionnaire and supporting the vendor completion.
  • Providing validation of questionnaire responses.
  • Providing ongoing activities related to the development, implementation, maintenance, and adherence to the vendors policies and procedures covering the privacy and security of patient protected health information (PHI) in compliance with federal and state laws.
  • Collaborate with vendor business and technology departments to define and develop compliance policies and procedures in connection with provider/vendor service agreements.
  • Coordinating and communicating due diligence requests with contacts within the vendor business units and other third-party service providers
  • Evaluate and score due diligence materials related to a vendors HIPAA privacy and security compliance program.
  • Work closely with vendors to remediate any gaps or weaknesses related to a vendor’s compliance program.
  • Provide training to vendor business units related to the requirements for complying with the provider contract and business associate agreement.
  • Review, revise and, at times, draft policies, procedures, and guidelines to ensure business processes are in compliance with provider and vendor program.
  • Develop and maintain reports to communicate to provider compliance issues found or non-compliance with the vendor compliance program.
  • Develop and/or enhance tools to assist vendor in complying with provider contract and vendor business associate agreement.

Contact us for more information on HIPAA vendor assessments and services.

Based in Minneapolis/St. Paul, MN we are centrally located to serve clients anywhere in the nation.



Producers Agreement Adds HIPAA Requirements for Insurance Agents and Risks for Insurance Carriers

In a recent blog, I discussed the Business Associate provisions found within the Health Insurance Portability and Accountability Act (HIPAA). In that discussion, I pointed out that most healthcare organizations and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses (Business Associates).

The Privacy Rule allows covered entities and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

Insurance Carriers Contract with Agents (Business Associates)

As a result of the Business Associate provisions of HIPAA, insurance carriers have added HIPAA Business Associate specific requirements to the Producers Agreement, due to the fact:

1.Insurance carriers most often use independent insurance agents

2.Allow the disclosure (and collection) of protected health information to the agent

3.Are required to obtain satisfactory assurances in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

A Developing Risk for Insurance Companies and Their Agents

In speaking with insurance company officials, I have asked how their agents meet the “contractual” obligations of their producer’s agreement, as it relates to the administrative, physical and technical safeguards the agents are required to implement? The answers vary from, “we provide HIPAA training for those agents who attend one of our conferences” to “we leave that up to the agents”.

In my opinion, the risk associated with thousands of agents handling protected health information, without a formal HIPAA compliance program adds unnecessary risk to the company and agent. To get a better idea of exactly what an agent is contractually agreeing to, let’s take a look at an example of a producer’s agreement covering confidentiality of information and security and privacy (HIPAA)…


4. Producer agrees that it will implement appropriate safeguards to prevent the use or disclosure of Protected Health Information in any manner other than pursuant to the terms and conditions of this Agreement.

5. Producer shall, within five (5) business days of becoming aware of a disclosure of Protected Health Information in violation of this Agreement by Producer, its officers, directors, employees, contractors or agents or by a third party to which Producer disclosed Protected Health Information pursuant to paragraph 2 of this Section of the Agreement, report any such disclosure to Company.

6. Within five (5) business days of a request by Company for access to Protected Health Information, Producer shall make available to Company such Protected Health Information for so long as such information is maintained. In the event any individual requests access to Protected Health Information directly from Producer, Producer may not deny access to the Protected Health Information requested. Rather, Producer shall, within two (2) business days, forward such request to Company.

7. Within ten (10) business days of receipt of a request from Company for the amendment of an individual’s Protected Health Information, Producer shall incorporate any such amendments in the Protected Health Information that Producer maintains. In the event that an individual’s request for the amendment of Protected Health Information is made directly to the Producer, Producer may not deny the requested amendment. Rather, Producer shall, within two (2) business days, forward such request to Company.

8. Within ten (10) business days of notice by Company to Producer that it has received a request for an accounting of disclosures of Protected Health Information regarding an individual during the six (6) years prior to the date on which the accounting was requested, Producer shall make such information regarding its disclosures available to Company as is required for Company to make the accounting. At a minimum, Producer shall provide Company with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the Protected Health Information, and, if known, the address of such entity or person, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of such disclosure that includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to Producer, Producer shall within two (2) business days forward such request to Company.

9. Producer hereby agrees to implement an appropriate recordkeeping process to enable it to comply with the requirements of this Section.

10. Producer hereby agrees to make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Producer on behalf of, Company available to the Company and to the Secretary for purposes of determining Company’s and Producer’s compliance with the Privacy Standards.

11. At termination of this Agreement, if feasible, Producer shall return or destroy all Protected Health Information received from, or created or received on behalf of, Company that Producer maintains in any form and shall not retain any copies of such information, or if such return or destruction is not feasible, extend the protections in this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of such information infeasible.

12. With respect to Electronic Protected Health Information, no later than the compliance date for the Security Standards and at all times thereafter, Producer shall comply with the requirements of the HIPAA Security Standards set forth in 45 C.F.R. Parts 160 and 164, Subpart C (“Security Standards”), and, in particular, shall:

a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Producer creates, receives, maintains, or transmits on behalf of Company as required by the Security Standards;.

b) Ensure that any agent, including a subcontractor, to whom Producer provides such information agrees to implement reasonable and appropriate safeguards to protect it; and

c) Report to Company any Security Incident of which it becomes aware.

13. This confidentiality provision shall survive the termination of this Agreement.

Diffusing Liability for Insurance Company and Agent

After reviewing the sample confidentiality and HIPAA provisions of the producer’s agreement above, the question becomes -

1.How will an agent accomplish (or more specifically, meet the contractual obligations) of the producer’s agreement?

2.What compliance management tools will be available as an agent resource?

Take a look at a sampling of agent requirements and resource needs below.

Clearly, the table above points out the need for a formal compliance program for agents. Equally important, is the opportunity for the Company to make HIPAA management tools available to agents to in order to obtain satisfactory assurances that the agent (business associate) will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the Company comply with the duties under the Privacy Rule and Security Rule. In doing so, HIPAA liability will be diffused for both the agent and Company.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us