New technologies, such as phone apps, online services, and personal smart devices, are being used by schools in ways that allow new data to be generated constantly about individual students and groups. This data can include anything from sports physicals to treatment notes for when they visit the nurse. Communications between schools, students, and parents are often facilitated, collected, and stored by a third-party vendor, that is, a company providing an outside service. Schools across the country are now seeking the services of third parties to provide secure online platforms to manage student health information.
What is one of the biggest things that schools care about? Security! With such a large portion of our lives now stored online, protecting personal data has become a top priority. For schools, the sensitive data consists of student medical records, prescriptions, health histories, and allergy action plans to name a few. This information must be stored securely at all times, and be protected by the standards set forth by HIPAA and FERPA. The question is, how do you verify a vendor is really as safe as they say they are?
This is where vendor accreditation comes into play. Vendor accreditation is the process of verifying that vendors have the necessary safeguards in place to keep your student health information secure. Typically, this process of due diligence comes in the form of a Request for Proposal (RFP). The responses to these requests allow vendors to really go into detail describing the steps they've taken to protect the privacy and security of the data they collect, and to outline what industry standards they meet. The RFP method is used when you are vetting a number of companies at the same time to narrow down to your best option. These requests can be anywhere from 8 to 30 pages long depending on how much detail you’re interested in collecting from your potential vendors.
School Administrators and IT Directors are being asked more often to do their due diligence and to research different vendors prior to launching a new product to the school users. Your school might have asked you to engage in this process right now! You may be telling yourself that you have absolutely no idea how to go about doing this type of research and may be feeling overwhelmed... Well, luckily you're reading this super handy blog, because it will tell you the key questions to ask when researching new health software vendors.
1. What type of liabilities am I exposed to and how can a third-party vendor help mitigate those risks?
Liabilities can include the mismanagement of private communications, HIPAA and FERPA violations, negligence, and security breaches. Another important factor to keep in mind is that privacy laws differ from state to state, and some SaaS companies are not proactively accommodating legislation changes. When looking for a new SaaS vendor, try to find one that presents itself as a thought-leader, one that not only monitors legislation changes, but also reacts to those changes as well. Monitoring is helpful to a certain extent, but if the company is not actually doing anything to adapt, then it won't be much help to your school in the long run. They must be custodians of your data in a secure manner.
2. Does this third-party vendor have a dedicated Privacy and Security Committee?
A Privacy and Security Committee is one of the first lines of defense for any business handling private health information. While schools are required to collect health information, it only takes one mistake to expose a school to a liability risk. The administration has to constantly identify problem areas and to make the necessary changes. Without a privacy committee composed of people educated in combating liability risks, a school increases its likelihood of a breach of privacy.
3. Does this third-party vendor have a disaster recovery policy?
One of the key questions to ask your third-party vendor is: what do they have in place to protect their clients' privacy in the event of a disaster? Vendors should always be prepared for an emergency situation and make sure that their customers feel as little of an impact as possible. Do they have the right protocols in place? Do they understand the effects a system failure will have on their clients? If there is a system failure, how do they protect sensitive information? In order to reduce liability and security risks, a company should be constantly revising and improving their system. If you find a vendor that hasn't updated their processes in the last decade, it would be in your best interest to move on and keep searching.
The best way to make your student information as secure as possible is to use a Student Medical Record (SMR) system. This type of solution facilitates the storage and protection of private information, and reduces the school's risk and liability associated with sensitive data not being maintained securely. More and more states are beginning to require that schools use an online SMR system for student health record management.
With so much of our personal data living online, why wouldn't you do everything you can to make sure that your information is protected? By taking the time and doing your due diligence, you can feel confident that you have done everything in your power to make sure that your student information is protected.