MRO Corp specializes in healthcare information management, assisting healthcare professionals by securely handling medical record release and disclosure processes. They streamline the retrieval, storage, and exchange of patient records, ensuring compliance with regulatory requirements, reducing administrative burdens, and enhancing patient privacy, ultimately improving the efficiency of healthcare operations.
They state on their website that MRO Corp is HIPAA compliant which is clearly a positive sign, but the Health Insurance Portability and Accountability Act (HIPAA) legislation states that you can’t stop here and you need to thoroughly vet the vendor.
According to the HIPAA rules for Covered Entities and Business Associates:
'If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.'
Source: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
Below we provide some general guidelines on how to first quickly screen this vendor for the HIPAA compliance fundamentals, and if all initial checks pass successfully, then to proceed and do your own in-depth audit to ensure that this vendor will qualify as your HIPAA-compliant Business Associate.
✅ They communicate they are HIPAA compliant which is a positive sign, as they legally commit from their side using such public statements.
'MRO has adopted the HIPAA Privacy and Security Policies and Procedures to comply with the health information privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (ARRA Title XIII) (“HITECH Act”), and finalized in the HIPAA Omnibus Final Rule of 2013 (“Final Rule”)'Source: HIPAA Compliance with MRO
✅ They state they will sign their standard BAA with covered entities/business associates, which is again a good sign because if they don’t sign a BAA then it’s a deal-breaker for HIPAA compliance.
'Under HIPAA, MRO is considered to be a Business Associate as defined at 45 CFR 160.103, and as such must comply with HIPAA and the HIPAA implementing regulations, in accordance with the requirements at 45 CFR § 160.101 through 160.550, 164.102 through 164.534, the HITECH Act, and the Final Rule. Compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties.'Source: MRO's Business Associate Agreement (BAA)
✅ They publicly outline various of the privacy & security safeguards they have in place, but these can be very broad statements and you need to check the low level details here.
'When you submit sensitive information via the website, we take the highest precautions, using internal and third-party safeguards to ensure we protect your personal information. 'Source: MRO Security Statement
There is no one-size-fits-all set of requirements when selecting a 3rd party vendor as one of your HIPAA-compliant Business Associates, but here are some general guidelines:
First, you need to determine on which plans they offer HIPAA compliance and whether pricing makes sense for you:
You need to contact the vendor directly about which plans are eligible for HIPAA compliance.Source: MRO SignUp Page
Then, you need to carefully review & sign their legal contracts, especially their Business Associate Agreement and Terms of Service (ask them for the latest versions - in some cases, you might need to sign an NDA):
MRO Corp’s Business Associate Agreement
MRO Corp's Terms of Service
MRO Corp's Privacy Policy
Finally, at least once a year, reassess whether or not the vendor is still in compliance with HIPAA.
Source 1: U.S. Department of Health & Human Services HIPAA Privacy Rule Guidance Material
Source 2: U.S. Department of Health & Human Services HIPAA Security Rule Guidance Material
HIPAA compliance has no one-size-fits-all vendor assessment methodology but we have covered here various best practices on how to thoroughly evaluate MRO Corp for HIPAA compliance, so that they can be eventually trusted to process or store your sensitive patient data.
Regardless of the above, for all your 3rd party vendors, you need to follow the fundamental HIPAA principle and always disclose to them the 'minimum necessary' information, which means only disclosing the amount of PHI you absolutely have to.
If you follow the 'minimum necessary' principle and you regularly evaluate your 3rd party vendors for their commitment to the HIPAA standards while having solid Business Associate Agreements with them in place, then you can minimize the risk of a potential HIPAA violation and decrease the probability of a damaging data breach happening in the first place.
DISCLAIMER:
The above is provided for informational purposes only and in order to help encourage adoption of security & privacy best practices for handling sensitive patient data. It does NOT constitute legal or healthcare advice in any way. The information presented here has been collected either from publicly available information or through direct email communication with the company, and everyone needs to perform their own independent HIPAA compliance audit before selecting any 3rd party vendor as their Business Associate that will process any type of their Protected Health Information (PHI). Keragon Inc is not liable for any damage or liabilities arising out of or connected in any manner with information found on this page.