Yes, based on HIPAA regulations, hospitals that use external companies like Green Release Company to handle or access protected patient health information should verify that those companies have systems and processes in place to properly safeguard the information. Some key things hospitals should check include:
• That the external company has HIPAA compliance policies and procedures documented and implemented. This includes things like security risk analysis, information access controls, data encryption, etc.
• That the company conducts HIPAA compliance training for all employees and can provide records of that training.
• That there are Business Associate Agreements in place between the hospital and the external company before any patient information is shared. These agreements legally establish how the information can and cannot be used and disclosed.
• That the company conducts regular audits and risk assessments of their systems to monitor for compliance and security issues. And that they have a process for promptly addressing any issues found.
• That there are safeguards in place such as multi-factor authentication, access controls, encryption, auditing logs, etc. for accessing and transmitting patient data.
• That the company has a documented breach response plan in the event of a security incident involving patient information.
• That the company allows for audits by the hospital to evaluate compliance and monitoring procedures.
So yes, hospitals have a responsibility under HIPAA to verify the external companies they work with meet the law's privacy and security standards before sharing protected patient information with them. Regular audits and monitoring are also needed to ensure ongoing compliance.