American Association for Physician Leadership

Operations and Policy

Giving Away the Keys to the Kingdom: Vendors and Your Website

Michael J. Sacopulos, JD

August 8, 2016


Abstract:

Certain third-party vendors are now offering to “assist” practices by placing material and links associated with their services on the practice’s website. This offer requires the practice to provide access to its website’s contents. Patient privacy, insurance coverage, ethical duties, and IT integrity are all reasons that a practice should not provide a vendor administrative access to its website. Vendors seeking to promote goods or services via the practice should never be given access to alter the practice’s website content. In the event a practice needs website assistance, it should seek help only from a qualified and insured person or entity.




I live with two teenage boys. This means I am frequently presented with ideas that upon minimal analysis fall somewhere between inappropriate and dangerous. “Dad, can I try motocross?” “Dad, the carnival starts tomorrow. They are looking for guys to help assemble the rides. It is $10.00 an hour cash. Can I work?” This experience might cause you to think I am desensitized to reckless behavior; I am not.

“So, our new vendor is great! The vendor will even go on our website and add its link and information.” The Midwestern aesthetic practice manager seemed giddy with the new vendor. Sadly, she had been smooth-talked into providing her practice’s website password to the new vendor. For reasons set forth in this article, this action was wildly reckless.

HIPAA

Your practice’s website can be a source of HIPAA liability. A physical therapy practice in California learned this firsthand in February 2016.(1) The practice had impermissibly disclosed protected health information (PHI) on its website in the form of patient testimonials. When the Office for Civil Rights (OCR) asked for HIPAA-compliant authorizations for patients appearing on the website, the practice could not produce them.

This might seem like a minor sin to you. It was not viewed that way by the OCR. Ultimately, the practice had to pay a $25,000 penalty and enter into a three-year corrective action plan with the OCR. Additionally, the practice was required to admit civil liability for violating the Privacy Rule. This admission would seem to clear the way for plaintiff attorneys and initiate a new cycle of litigation.

You can certainly understand why a vendor would want testimonials or other promotion information about its products and services on a practice’s website. However, if the vendor crosses the line and violates some aspect of patient privacy, your practice is on the hook. If you provide the password to your website to a vendor, you may have just opened the door to some of your patients’ protected health information. This means, at a minimum, your practice will need to sign a business associate agreement with the vendor. The scope of the agreement must be broad because it will have to encompass not only the main services of the vendor but also website maintenance and support.

The likelihood of being hacked increases every time your website’s password is shared. Through malfeasance or misfeasance, your patients are at risk. Remember the story of the Harley Group’s website?(2) This aesthetic practice’s website was hacked via the “Contact Us” page on that website. Thousands of patients’ information was stolen. It was a very expensive and embarrassing experience for the practice.

Insurance Issues

Handing out the password to your practice’s website could interrupt cyber insurance coverage. Some policies exclude breaches that arise from distribution of a password to a third-party vendor. Having gone to the effort and expense to secure cyber coverage, you might be undoing your good work by having the vendor “tweak” the website for you.

I recently spoke with Peter Reilly, Area Executive Vice President of Healthcare of Arthur J. Gallagher & Co. Reilly is an expert on healthcare cyber insurance coverage. He states, “You certainly invite coverage concerns or claim payment problems when you have not taken the necessary precautions to protect your data and access to your website.” This means that distributing the password to your practice’s website to third parties may have cyber insurance coverage implications. As Reilly explains, “You do make warrant to the insurance company that you are taking certain steps to protect that information, so if you are willing to give away your password or other security measures to a third party vendor, you put your coverage at risk because you are therefore willingly and intentionally opening the door to a potential claim.” Reilly goes on to say that practices may put themselves at risk by not knowing a third-party vendor’s IT security and cyber hygiene when handing over access to their website. Reilly recommends that in most instances practices should not provide third-party vendors access to their website.

Federation of State Medical Boards

The Federation of State Medical Boards has issued “Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice” for practices’ use of the World Wide Web and social media.(3) Over the past several years, a number of the members of the Federation of State Medical Boards have disciplined physicians for inappropriate online behavior. This is an important fact to keep in mind when allowing a third-party vendor to post or alter information on your practice’s website.

Section Four of the Model Policy Guidelines specifically addresses posting content:

When posting content online, they (physicians) should always remember that they are representing the medical community. Physicians should always act professionally and take caution not to post information that is ambiguous or could be misconstrued or taken out of context. Physician employees of healthcare institutions should be aware that employers reserve the right to edit, modify, delete, or review internet communications. A physician’s writers assume all risk related to security, privacy and confidentiality of their post.

The Federation of State Medical Boards is making sure that you know that you are on the hook for what is being posted under your name.

The Model Policy Guidelines also specifically address privacy and confidentiality, stating that “These sites have the potential to be viewed by many people and any breach in confidentiality could be harmful to the patient and in violation of Federal Privacy Laws, such as HIPAA.” This part of the Model Policy Guidelines implies that a privacy breach resulting from a practice’s website could result in licensing issues as well as trouble with the Office for Civil Rights. The Board is making clear what physicians’ ethical duties are when posting content online. Clearly this applies to a practice’s website. Allowing a vendor to post on behalf of a practice could end badly. The vendor’s agenda may not align with a physician’s ethical duties or current medical science. It is risky to have a third-party vendor’s actions potentially impact your professional reputation. Who wants to throw those dice?

Malware and Viruses

As in other areas of life, your IT system and website are only as secure as their weakest link. Does your vendor practice safe cyber hygiene? Whatever malware, viruses, and other potentially harmful software are on your vendor’s computer could end up infecting your systems. The vendor accessing your website may be as sterile as a surgeon in the operating room, or they may be Typhoid Mary. You simply do not know.

Cybercriminals are targeting healthcare entities with ever greater frequency. Many of these attacks are facilitated by malware being downloaded onto the practice’s IT system. This is the entire game behind “phishing.” Phishing involves e-mails sent out in hopes that someone will click on a link that enables the sender to access your system behind its firewall. A vendor with access to your website will be operating behind the firewall. The insidious nature of malware is that it can be downloaded onto your system without you or the entity responsible for the downloading even knowing it. This means your vendor may have all the best intentions, but still corrupt your system.

“Okay, But I Still Need Help”

I understand that website construction and maintenance can be difficult. It is not a traditional skill of practice administrators. I also understand that practice administrators already have a full plate. The idea of picking up a copy of Websites for Dummies and trying to knock it out yourself is wildly unrealistic. I get it. So if your practice needs website assistance, here are six tips to keep your practice safe:

  • Pick the right person. Although this may seem obvious, you would be surprised how many practices select the first warm body to assist them with their website. The right person is not your next-door neighbor’s cousin’s kid. The right person is certainly not a vendor that wants to sell goods or services via your practice. The right person has experience with medical practice websites. The right person has basic knowledge of HIPAA/patient privacy and has an appreciation for cyber security. You are handing over your online reputation to this person. Take the time to choose wisely.

  • Get a signed business associate agreement. The person or entity assisting with your website will most likely have access to, and need to work with, your patients’ protected health information. This makes the person or entity a business associate. You are legally obligated to have a signed business associate agreement (BAA) with the vendor. If you don’t have this agreement in place, you could face significant fines and penalties. In April of this year, the OCR announced a North Carolina practice will be paying $750,000 for not having a BAA in place. “HIPAA’s obligation on covered entities to obtain business associates agreements is more than mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the OCR.(4)

  • Make sure there is insurance coverage. Make sure that the person or entity assisting with your website has appropriate insurance coverage in place. As discussed above, your practice’s cyber insurance policy most likely will not cover the acts of a third party. Make sure if a breach of your website occurs there is sufficient coverage available to handle the fallout.

  • Get it in writing. To avoid future disappointment or dispute, you should have a written agreement as to the nature, scope, and frequency of the services to be provided. The agreement should also address fees to be paid by your practice for these services.

  • Trust but verify. Periodically check the work of your website assistant. Are the quality and quantity of the services being performed what you bargained for? Don’t fall into the “out of sight, out of mind” trap. Check your website.

  • Maintain control. Keep control of the password to your website. If things do not work out with the person or entity you selected to assist with your practice’s website, you need the ability to change the password. The practice administrator should retain the ability to control access to the “backend” of the practice’s website at all times.

Conclusion

“Nothing takes longer to build and is quicker to lose,” said Benjamin Franklin of a reputation. Your website is the virtual embodiment of your reputation. Protect it carefully. Handing out passwords to vendors may seem convenient, but it is simply reckless. A list of nasty situations could follow from distributing your practice’s website password. If your practice needs assistance maintaining its website, be cautious in selecting a person or entity to help. Remember to stay HIPAA compliant and to have appropriate insurance coverage in place. With a little planning and care, your practice’s website will be an asset and not a liability.

References

  1. Physical therapy provider settles violations that it impermissibly disclosed patient information. HHS.gov. www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/complete-pt/index.html. Accessed June 29, 2016.

  2. Steere T. Cosmetic surgery files hacked: Details of 500,000 people stolen and used in blackmail attempt. Daily Mail UK. www.dailymail.co.uk/news/article-2604805/Cosmetic-surgeons-targeted-hackers-personal-details-500-000-people-enquiries-clinic-stolen.html. Accessed June 29, 2016.

  3. Federation of State Medical Boards. Model policy guidelines for the appropriate use of social media and social networking in medical practice. www.fsmb.org/Media/Default/PDF/FSMB/Advocacy/pub-social-media-guidelines.pdf.

  4. U.S. Department of Health & Human Services. HHS.gov. www.huntonprivacyblog.com/files/2016/04/Raleigh-Orthopaedic-and-NY-Medl-Press-Releases.pdf. Accessed April 30, 2016.

Michael J. Sacopulos, JD

Founder and President, Medical Risk Institute; General Counsel for Medical Justice Services; and host of “SoundPractice,” a podcast that delivers practical information and fresh perspectives for physician leaders and those running healthcare systems; Terre Haute, Indiana; email: msacopulos@physicianleaders.org; website: www.medriskinstitute.com
