Recently our management team traveled to Las Vegas to update their Compliance and Privacy certifications. Upon their return we reviewed our processes and the privacy requirements for data and procedures. Most of the requirements depend on a strong technical support team. After the meeting I wondered how well others in the industry implement these processes. Thinking back over the last seven years of working with providers of varying sizes, it occurred to me that few truly meet the requirements completely or take them to the highest level. Not everyone has their data protected both electronically and physically (locked doors and cabinets, employee and visitor entry logs, screen protectors, etc.).
Electronic safeguards are the ones I think people often do not address adequately, if at all: database and file system encryption, email encryption or secure messaging, encryption of data in transit, role-based permissions with need-to-know access, secure remote backups, multiple backups with tested recovery plans, automatic session log-off or locking, and remote wipe and theft protection. While nothing is foolproof in this world today, making use of the many available tools to protect your data and to eliminate or minimize the damage from a breach seems well worth the time.
I would think any provider that truly takes a long-term approach to their business would want to know what their vendors are doing to protect their data. I suggest that anyone handling HIPAA data have this discussion with their vendors, especially their billing company. And if you have your own technical resources, internal or external, get them involved in the conversation as well. There is never too much protection, but there is a point where there is too little.