— EMR, EHR and HIT (@ehrandhit) July 27, 2015
I love when my eyes are opened to an issue that I haven’t heard people talking about. That’s what happened when I heard Deborah Green from AHIMA say that health information governance includes your third party vendors. I’m not sure how many organizations realize this and treat it appropriately.
What’s ironic is that we definitely do this with HIPAA. This is particularly true in the HIPAA omnibus world. Healthcare organizations have a certain expectation around security and privacy when it comes to their third party vendors. It’s a major part of every RFP I’ve ever seen in healthcare.
Why then don’t we treat information governance with third parties the same as we do with HIPAA?
My guess is that some organizations do, but they haven’t really thought about it in this way. It’s an informal part of how they deal with third party vendors. For example, how are third party vendors storing your organization’s health data? Do they dispose of it properly? And so on. These are all great health information governance questions that we’re asking ourselves, but are we asking our third party vendors these questions as well? Should we be asking them?
One challenge I think we face is that we assume that if we’re paying a vendor to do something, the vendor is going to do it the right way. We assume that a paid service is going to be done in the best way possible. I’m sure your experience, like mine, is that this just isn’t the case. Was it Reagan who said, “Trust but verify”? That seems appropriate in this instance.
What’s clear to me is that health data is going to become more and more valuable to healthcare organizations. Making sure you have a handle on that data is going to be an important part of ensuring your financial future. That includes making sure that your third party vendors use good health information governance principles as well.