
6 Vendor Transition Tips – Ep 364 

 July 15, 2022

By Donna Grindle

It can be a stressful time when you are adding a new vendor or switching vendors for your critical services. This is the time to create a plan and do a risk analysis to make sure everything gets transitioned and set up properly. Things can go wrong if there’s no plan in place. Today, we review some tips to help you prepare for a vendor transition.



Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.



HIPAA Say What!?!

[05:39] Question from a listener: How does HIPAA apply with deceased patients?

Health Information of Deceased Individuals | HHS.gov

The HIPAA Privacy Rule applies to the PHI of a decedent for 50 years following the date of death of the individual. Of course, there is much more to it than that simple statement. The law includes several considerations that attempt to balance the privacy interests of surviving relatives and others with close relationships to the decedent with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.

That’s where the Personal Representative parts of the law kick in. These reps have the ability to authorize uses and disclosures following the same rules as the individuals during that 50-year period.

HHS has some great information on this topic including more detailed information on this explanation, some FAQs on it and details on the identification of personal representatives.

Decedents FAQ | HHS.gov

Guidance: Personal Representatives | HHS.gov

405(d) Tip of the Week

[09:43] The task group publishes new information and conducts webinars each month. To keep up to date with what is happening, you can follow us, but getting it immediately on your own is way better than waiting on us.

Subscribe to the notification lists on the 405d website at: 405d.hhs.gov/subscribe. Subscribe and check out what is happening.

Vendor Transition Tips

[11:08] When you add a new vendor or switch vendors for your critical services, it is time to make a plan and do a risk analysis to make sure everything gets transitioned and set up properly. Things get missed, techs make mistakes, services are set up, and more can go wrong. No one likes to do this part, but when no one does it, problems are more likely to occur. Here are some tips to help you prepare for a vendor transition the next time you make any changes.

When should you take the time to make a plan and a risk analysis?

  • Major upgrades of equipment or applications
  • Adding new modules or features
  • Switching out any security devices such as access points, firewalls, switches, even if they are small.
  • Switching providers of any core services to critical applications or infrastructure such as ISPs, MSPs, EHRs, Accounting, HR, phone systems, etc.

What should you include?

Make a list of all of the services that are being transitioned, removed, or added.

Each of those items needs to be evaluated for what must be done and what can go wrong.

The examples below are steps that would prevent some of the issues we describe here.

Account for all your devices and applications

[24:04] Switching AV software. Reports after the switch seemed to cover all devices, but there was no report from the previous vendor to compare to for certainty. Eventually, scans noticed devices weren’t protected. The remaining licenses eventually expired. The previous vendor saw them there, saw they were expiring, and did nothing. Out of almost 1k machines, a couple of hundred were on the old license and not accounted for on the new license.

Make sure someone double-checks results

[29:14] New firewall installation. Three rounds of configuration reviews and confirmations were done before the install. The transition takes place, but the tech used the first version of the configuration, not the approved final version of the firewall configuration. Scans found the problems – long story on that one.

Account for all your applications required and licenses purchased

[32:21] Setup of the new application server all looks good until everything goes officially live for full processing. Some of the software didn’t have enough licenses purchased. Not a cheap problem, but so far along it was even more expensive to go backwards.

Confirm service transition requirements are documented and confirmed

[37:36] New billing service takes over. Some of the payments from the insurance payers keep going to the previous billing service because paperwork was submitted but never went through completely. The old company was in no hurry to provide the EOB details and cash. It took some time to get the paperwork completed.

Get documentation from service providers now

[40:31] Configurations to connect to remote locations were on firewalls. No documentation, no access to the configuration files, no admin login available. The whole infrastructure had to be rebuilt without any knowledge of the security in place. Specific configuration was required to secure medical device traffic and all had to be figured out on the fly during the switch over.

So there you have it. Anytime you are transitioning vendors or adding or removing critical services or applications, you should always do a risk analysis. Having documentation of how things are configured and the functions they provide your office is key to building a plan for the transition.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
