Why it's Critical in Digital Agency Selection

When considering a digital marketing agency (especially one that provides detailed tracking through to qualified patient leads and appointments, which may contain Protected Health Information (PHI)), you need to ensure that the agency you choose has built the systems and processes that will help ensure your collective compliance with patient privacy regulations. The recent (2013) implementation of the HITECH Act imposes increased accountability and liability upon Business Associates (e.g. digital agencies having access to PHI). Specific policies, processes, and auditing procedures are required, and failure to comply can mean penalties of more than $1,000,000 for both Covered Entities and Business Associates.

What MD Connect Does to Ensure Regulatory Compliance

At MD Connect, we take the protection and security of our clients' PHI and ePHI (electronic PHI) very seriously, and we have invested heavily in infrastructure, policies and staff training to ensure compliance with the applicable regulations (e.g. the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2013). Our commitment to compliance includes:

  • Implementation of comprehensive policies governing data privacy and security
  • Quarterly security audits
  • Yearly risk assessments
  • Business Associate Agreements (BAAs) in place with any and all sub-contractors having access to PHI
  • Periodic auditing of subcontractor Business Associates to ensure compliance with BAA requirements
  • Business Associate Agreement (BAA) included in standard client contracts, or willingness to sign reasonable BAAs of the client's own choosing
  • HIPAA/HITECH training of all employees and independent contractors with PHI access
  • Background checks (civil & criminal) on all employees and independent contractors with PHI access
  • Information system activity review
  • Maintenance of all operational PHI data storage in Tier 3 data centers (IBM)
  • Maintenance of all PHI-related e-mail and file sharing on state-of-the-art secure platform (SSAE 16 audited datacenters and AES 256-bit encryption)
  • Prohibition of PHI storage on any mobile device including all employee laptops
  • Encryption and two-factor authentication on all mobile devices with PHI access
  • Ongoing monitoring via Intrusion Detection System (IDS) (Cisco)
  • Periodic vulnerability/penetration testing of key portal servers
  • User access controls and limitations on key PHI-containing platform (Performance Portal) including 'no PHI' access roles
  • Audit and reporting capability to respond to patient requests on Performance Portal
  • Security incident monitoring & reporting
  • Data backup plan / disaster recovery plan

We are happy to share further detail of these efforts upon client request.