When it comes to Protected Health Information (PHI) and HIPAA, most people only think about clinical settings such as being in the hospital or doctor’s office. However, it’s important for foundations to adhere to the strict HIPAA compliance standards when handling patient data for donor outreach. Since we have years of experience managing sensitive patient data, we have some suggestions to help you navigate HIPAA safely and securely.

Work closely with your hospital’s privacy or security office

Having spent years working with PHI, we strongly recommend that you consult your hospital's privacy office and/or security department whenever you handle patient data. Any identifying information from a patient encounter, including all demographics, is PHI. You should always treat any account-level information coming from the patient database (your EMR) as PHI. Processing data that contains PHI is regulated, so it's important to make sure all of your database services comply with those requirements and meet the security provisions of the hospital entity.

Only work with vendors handling your data that are strictly HIPAA compliant

Your vendors should always adhere to the hospital's security requirements for how PHI submitted to them is transferred, stored, and accessed. HIPAA requires specialized procedures for this, down to how data is partitioned within their servers. Another important requirement is signing a Business Associate Agreement (BAA) with your vendors. This document sets out the vendors' obligations (making them just as accountable under HIPAA as the covered entity) and is the starting point for compliance.

Ask your hospital security department to vet your vendors' data security

If a vendor is handling sensitive data, your hospital security department should require a security assessment survey so that it can properly evaluate the vendor's HIPAA compliance competencies. Internally, you should also have HIPAA compliance policies and procedures in place. We have foundation clients that rely on their hospital security team to develop and deploy their policies and procedures.

Seek out HIPAA security consulting firms for compliance support

There are many specialized HIPAA security consulting firms. Both hospitals and the vendors that work with them use these firms to make sure that everything is compliant, and they do a great job of periodically assessing compliance. While HIPAA compliance may seem daunting, it's a necessary and important consideration whenever your foundation and its vendors handle sensitive patient data. Security breaches and the resulting lawsuits occur more often than they should, but if you take the extra, necessary steps, you'll save yourself a ton of pain.