Healthcare News & Insights

5 areas hospitals should examine when outsourcing medical records

If your hospital outsources any business function involving patients’ medical records, including billing or maintaining an electronic health records (EHR) system, your facility could face consequences if your business partners aren’t careful with patients’ protected health information (PHI). Here, Scott Byers, president of EDM Americas, lays out a five-step strategy hospitals can use with business partners to protect themselves from scrutiny. 

While your hospital may be well-versed in HIPAA regulations, not every organization with which you do business is dedicated to following proper protocol. And once you partner or outsource work to another company with access to your patients’ medical records, any violation on its part may be linked to you.

Although business associates aren’t directly liable for violations of the security rule – and certain portions of the privacy and breach notification rules – it’s your brand, reputation and patients on the line.

So it’s important to differentiate between an organization that’s simply versed in privacy lingo and one that understands the repercussions and acts accordingly.

Shared burden of security

Every company storing patients’ PHI must take adequate steps to prevent unauthorized and unlawful access to their medical records. And when engaging an outsourcing partner, there are vital steps hospitals must take as well.

Here are five assessment steps hospitals should use when vetting a potential partner or business associate:

1. Check for proper credentials and effective encryption practices. It’s important to ensure that a potential partner has all the certifications needed to manage PHI and medical records in compliance with HIPAA regulations. Evaluate the encryption methods and standards the company uses, as well as the privileges and permissions required to access, alter and distribute data.

Additionally, potential partners must have documented and certified procedures in place for handling, storing, sharing and transferring information, such as ISO 9001 certification.

2. Evaluate third-party compliance reviews. Check that any company you’re considering doing business with undergoes a third-party HIPAA compliance review, such as a report on controls at a service organization. These reviews assess security, availability, processing integrity and confidentiality to ensure that security and privacy standards are being upheld and updated.

By requiring such a review, you aren’t merely taking the potential partner’s word about whether that organization follows its documented processes. Various companies conduct these reviews, and most provide reports upon completion. A reputable partner should also conduct a biannual risk assessment to guarantee that all controls and systems meet HIPAA requirements.

3. Verify that employees are vetted and trained on protocols. Before you partner with a company, verify that its employees are being properly trained on HIPAA and its impact, the confidential nature of health and medical records, and how to handle personal information and prevent security breaches.

Additionally, all employees must have:

  • signed a confidentiality agreement, which should remain in place during and beyond employment
  • received criminal background checks, and
  • undergone drug testing.

4. Ensure proper resource allocation. Make sure potential partners have resources specifically allocated to upholding HIPAA compliance standards. Do they have dedicated personnel? A partner must be active and engaged in HIPAA compliance, not merely have a plan on the shelf.

Partner companies should also have protocols in place for how to handle a breach or exposure of PHI in patients’ medical records, and you should be aware of these before an event, not during. Having resources and training programs in place, as well as exposure protocols, is important to ensure awareness and preparedness.

5. Perform an inspection. The last step is to perform a physical inspection of the company’s facilities. Engage and participate in work processes on-site to make sure the business passes the test. See how securely the grounds, offices and data rooms are structured, and ensure that the staff is using proper tracking mechanisms – like bar codes – for medical records.

Never rely on the information you’re given; check it out yourself. This can be a physical tour or a virtual tour performed using FaceTime, Skype or other tools.

The importance of a site inspection can’t be overemphasized. It’s more common than you might expect to find organizations with representatives who are able to use all of the HIPAA compliance and security jargon – while working alongside broken or disabled security cameras, propped-open doors, or stacks of untracked boxes filled with patients’ medical records.

Outsourcing work to a partner has many valuable benefits for a hospital, but HIPAA obligations remain with the facility, so reasonable steps must be taken to prevent data breaches of patients’ medical records. This strategy should serve as the standard hospitals should follow before sharing any information or access with an outsourced partner.

Scott Byers, JD, is the president and CEO of EDM Americas, a global company dedicated to information lifecycle management and meeting the demands of multichannel business communications in health care and other industries.
