HIPAA Review of Technology Vendors

Ray Barrett interviewed Kelly Koch from Compliancy Group. In this informative conversation, Ray and Kelly delve into the steps required by healthcare providers to remain compliant with HIPAA law when working with third-party vendors. Kelly was able to help dispel much of the confusion surrounding this important topic and layout some clear “does and don’ts” when it comes to HIPAA and working with other organizations.

Kelly has over 25 years of customer service experience, including a background in retail banking and accounting. She is currently an Account Manager for Compliancy Group, where she advises health care decision-makers and medical vendors on HIPAA compliance. She effectively communicates the government regulation and necessary standards of HIPAA and how Compliancy Group can help simplify the process. In her spare time, Kelly is actively involved in the non-profit organization Pull-Thru Network (PTN), which raises awareness and education for children and families affected by ARM, IA, VACTERL syndrome, and other birth defects.

In the interview Kelly discusses with Ray, if you are a HIPAA-covered healthcare provider, you must ensure that all vendors that touch your patient/client protected health information (PHI) are able to furnish a HIPAA business associate agreement or BAA, and that vendors have a BAA with any subcontractor that also has access to PHI. This is a required step when dealing with vendors and the subcontractors that work for vendors and handle your clients’ PHI. Kelly and Ray discuss how to evaluate the quality of a BAA and how to determine what is covered under that agreement and what is not covered. HIPAA covered entities must also obtain satisfactory assurances that the vendor will appropriately safeguard all PHI. See the references below. 

Regarding the privacy of your client, it is important to know who has access to their personal information. What steps are you, the provider, and your vendors taking to ensure confidentiality? Is there encryption being used, both at rest and in motion? Do you and your vendors have on-site office security to prevent the theft of hardware? Kelly mentions that with the rise in employee-related security incidents, there is a major need for staff training. This is true for the provider as well as vendors and subcontractors. They discuss the importance of strong passwords and multi-factor authentication as well as what a staff plan would look like if a breach were to ever occur. 

Vendors ought to have contingency plans and test those plans to reduce the risk of providers losing access to clients’ data during technology failures.  They should also have a convenient easy way for covered entities to audit access logs which shows when the technology was accessed, what data was accessed, and where it was accessed from.  Providers should seek vendors who provide a convenient way to securely export their data.  

Covered entities are required to conduct a risk analysis of using technology, and to create a risk management plan to mitigate the identified risks.  Ray explains that in analyzing technology he has identified risks, associated with each technology choice, which the provider must work to lessen or eliminate.  He shares that some technology providers will offer products to their customers that sacrifice security for the benefit of convenience. Identifying and mitigating these risks is vital to complying with HIPAA law and professional codes of ethics.  

When a clinician is working for an organization they must determine who is the covered entity in relation to the patient’s protected health information (PHI).  The covered entity is the owner of the records and must ensure the Confidentiality, Availability, and Integrity of all PHI. When the clinician is an employee of an organization the employer is normally the covered entity.  However, when a clinician is working as an independent contractor they must carefully review their contract to ensure that it clarifies who is the covered entity. Ray and Kelly discuss bring-your-own-device (BYOD) policies and bring-your-own-service (BYOS) decisions.  They also discuss the importance of retaining all e-PHI and determining where e-PHI is stored when clinicians communicate with clients via electronic media.  

HIPAA compliance is not an easy task for a provider and could turn into a full-time job in itself. This is why utilizing consultants is so important. Telehealth Certification Institute can help a provider by assisting with selecting technology, providing risk analysis, and helping the provider create a risk management plan. This takes the guesswork out of selecting and utilizing a technology vendor. Compliancy Group assists providers with the process of HIPAA compliance by using their web-based compliance solution, The Guard, along with guided, ongoing support. Because of the benefits Compliancy Group can bring to clinical practices and IT providers, Telehealth Certification Institute has an affiliation agreement with them. Use our affiliate link to receive the first three months of using The Guard for free.

In summary, HIPAA covered entities are required to not only acquire a HIPAA BAA from HIPAA business associates but to vet them out for privacy and security measures.  Providers should choose vendors that are sustainable, reliable, and trustworthy. 


The following are references from HIPAA law. 


The BAA requirement: 

  • § 164.308 Administrative safeguards. 

(b)(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that  meets the applicable requirements of § 164.314(a).

The requirement to Vet out vendors:

  • § 164.308 Administrative safeguards. 

(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. 

  • § 164.502 Uses and disclosures of protected health information: General rules. 

(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. 

The requirements of a BA in regards to subcontractors:

  • § 164.308 Administrative safeguards. 

(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information. 

  • § 164.502 Uses and disclosures of protected health information: General rules.  

(e)(1)(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information. 

(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e). 

The requirement to conduct a risk analysis and create a risk management plan:

  • § 164.308 Administrative safeguards. 

(a)(1)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Course was very informative!
David Hopkins
MS, LPC / Thriveworks Woodstock
Informative and brief
Tracy Gilbert
Well designed. informative, comprehensive program broken down into manageable segments.
Dawn M. Miskus
Licensed Clinical Professional Counselor (LCPC) / Conscious Counseling & Coaching, Ltd.
This course offered a great overview of TeleMental Health and the important considerations that should be addressed when establishing an online practice.
Helen Geris
Registered Psychotherapist
Wonderful and approachable presenter, great information!
Sabrina Eads
I have completed the course requirements. Thank you a great program of videos and information.
Linda Lovisi-Dwyer
LCSW-R / Linda Lovisi-Dwyer, LCSW-R
Good introduction
Sylvia D. Jessup, MBA, MA
Owner / Sylvia Jessup Counseling Services PLLC
Very clear emergency planning laid out in this course, Helpful for many situation and settings.
Jane Schindler
The course was detailed.
Kelly Villarreal
MFT / Alan Behrman & Associates
Really chuck full of information and very helpful
Carolyn Spencer
social work
Great course!
Lashonda Jones
Ray's program is engaging and informative. I'm excited to extend my professional reach online.
Pamela Madsen
LAPC / Empower Counseling Center, LLC

Very informative session.

Valrey Richards-Lucas

Video was good, a little slow

Jessica Walraven

This is great material!

Erika T Johnson

Very Informative!!!!


Really good training so far!

Erika T Johnson

Excellent information, extremely generous resources and so well paced. I am really grateful.

Carolyn Spencer
LCSW / Carolyn Spencer

Very thorough and informative


This program is very informative and easy to use.

Gania Bruno Harrold

Love the convenience and easy-to-understand information in this course.

Natalia Gourlay-Fernandez
LAMFT / Rock Springs Positive Coaching, Caring, and Counseling

Very informative. Help give an overview of tele therapy and starting an online practice.

Meg Maginn
L.C.S.W Private Practice / Eating Disorder Associates

The course was easy to follow and provided a lot of valuable insight into the benefits and limitations to teletherapy.

Katie-Ann Magnuson
Mental Heath Therapist / Kwenyan Professional Health Services

Wonderfully compact and rich in information, many areas i had not even considered!

therapist / private practice
Very informative and guiding in educating all that you need to grasp to be properly compliant and aware.
Dena Damaskinos
A great overview for telehealth, including state to state
Susan Cortilet Jones
Integrative Lifeskills Coach

Great presentation!

Cristina Lazaro-Garcia
Mental Health Clinician, APC / CETPA, View Point Health
Oustanding presentation!!!
Michelle Collins

Helpful and inviting information to get started. Feel empowered to get this going and eager to start!

Dena Damaskinos

Well presented, easy to access and understand.

Sedonia Perrier
CEO / Steelhead LLC

This was very informative.

Wendy Pazdur
Substance Abuse Counselor / Transformation therapy
This course was full of detailed information, that I will utilize in my practice. I highly recommend this training to all interested in adding to their existing practice or transitioning to Telehealth Services.
Utopia Session
Class was informative.
Kimberly Horrell
This course was short yet informative.
Annette Cornish
Therapist / Dust 2 Destiny Counseling & Wellness
Great training!
Jacqueline Hayes, M.Ed., LPC, LMHP
Professional Counselor 4 / State of LA
Ray was a wonderful, interactive instructor who really captured the heart of counseling in the world of Telehealth. The course was thorough and beneficial. Two thumbs up!
Rachel Morales
Licensed Professional Counselor
Ray does a spectacular job presenting the ethics in technology! Thank you!
Elaine Marie Barclay
Licensed Professional Counselor/ Assistant Professor / Shorter University/ Capella University
Very beneficial and useful to the direction i am moving of providing therapy
Linda Marie Margosian, MS, NCC, LMHC
I thought the video was very informative and gave me a good back ground on Telehealth , hippa laws and things I needed to know to run an ethical and hippa complent practice .
Meg Maginn
Director /private practitioner / Eating Disorder Associates

I believe this is a good course to take because this is the new wave of society. As a therapist I would like to be able to offer clients the best tools available.

Wihletta Michelle Davis MA, LPC
Therapist / Find the Miracle Within...

Thank you for the introduction to telemental health.

Michele Frances Purvin
Psychotherapist / Michele Frances Purvin, LCSW, LCDC

Very good.

Franklin Castillo

Really excellent training full of valuable information and resources - surpassed my expectations!

Dori Ryherd
Therapist / The Cognitive Refinery

Great information with step by step instructions

Donna Tucker
Addiction Counselor / Spectrum Health

What a superb introduction to telemental health, well organized and packed with useful tips. I so appreciate this. Thank you.

Ann P Cahouet
Owner - Clinician / Equine Assisted Solutions LLC

Awesome job! This is a very insightful presentation.

Licensed Therapist, LPC / Seasons of Change Behavioral Health Services, Inc
Ray is down-to-earth, warm, pragmatic and exceptionally well-informed.
G. Reid Doster, LPC, LMFT
Director of Behavioral Health, EXCELth Inc.Primary Health Network & Private Practice Psychotherapist / www.excelth.com

An excellent course, but needs more legal information regarding where the patient needs to reside.

Barry Barmann
Clinical Psychologist / Behavior Therapy & Family Counseling Clinic
This legal course was phenomenal saturated with much detail and clarity!
Elaine Marie Barclay
Licensed Professional Counselor, Assistant Professor / Capella University and Shorter University
Great and very informative! Will help me take my skills to a new level. Gave me a great idea of how the session should go.
Jessica Latin
LPC / JL Counseling

Course provided several case scenarios regarding Interstate counseling and resource websites for further research.

Cowenda Jefferson
Clinical Director / Wise Life Choices LLC
Course provided additional information regarding the legal aspects of TeleMental Health.
Cowenda Jefferson
Clinical Director / Wise LIfe Choices LLC
I have completed prior training by Raymond and greatly appreciate his detailed and thorough trainings.
Dr Lynn Duffy, PsyD, LCPC, NCC, CCMHC, BCPCC, BC-TMH, Diplomate/CMH in Trauma
Director/Counselor/Mediator / Lighthouse Counseling & Consulting Services
This course was most helpful in helping me make my practice more compliant for me and my clients.
Marlene Small
Private Psychotherapist
This is the 4th TMH course I have taken with Ray and it is BY FAR the best TMH training out there. I've learned so much that I can use every day in my practice.
Dawn Ferrara

Very Informative

Naomie Pierre
community clinician / nps
I loved this course. It was very informative and provide a great deal of information about ethics.
Tracey Marshall
Easy to learn and easy to follow. User friendly on-line course.
Kelly Johnson
Licensed Mental Health Therapist


Melissa J Davis
LAPC- counselor
This was a phenomenal training and necessary for the continued growth of all helping professionals. This will certainly improve the manner in which I conduct counseling.
Elaine Marie Barclay
This training was extremely informative and supportive for professionals looking to gain further knowledge in Telemental health.
Marcy Abramsky
LCSW / Marcy Abramsky LCSW, InspireAmind TM Counseling and Consulting
I found this video to be very informative and helpful.
Michelle Parker
Contract Therapist

Great course, very informative!

Ashley Simmons
BCBA / Northstar Psychological Services

Love the course, worth every penny!!! Definitely helped jump start my Tele-mental health services!

Nakia Clark
Owner/ Therapist / Insightfullly You, LLC

This gave me and my staff some important insights and information regarding telehealth..

Larry Cowan
Executive Director / Samaritan Counseling and Growth

This course was easy and user friendly

Vanessa Reiser
Social Worker / JBFCS

I learned a great deal from this program and look forward to implementing telemental health in my therapy practice.

Michelle Hitchcock

It was fantastic! Just the forms he provides are worth the cost of the course!

Mark Wagemaker, LPC, NCC, DCC, CPCS
Counselor, Clinical Supervisor / Transitions Counseling

This was an excellent class and worth my time.  Ray provided great information and is clearly an expert in TMH!

Jennifer Stuckert
Director / Restoration Counselor of Atlanta, LLC

I found these courses informative and helpful. They make establishing best practices policies and procedures for telemental health services and supervising those who provide them. so much easier. I highly recommend his courses.

Nena Rybarczyk, MA, EMBA, LPC, NCC, CPCS
Counselor / Strategies for Life Counseling, LLC

Ray's workshop was one of the most informative I have taken in years. He brought clarity to took a topic which has been intimidating and I left feeling empowered!

Clinical Supervisor and Play Therapist / Georgia Association for Play Therapy