A HIPAA Compliance Checklist for Third-Party Risk Management

Complying with HIPAA requires a complete view of security and privacy controls, both inside your own organization and at the third parties that handle PHI. Learn what you need to do with this compliance checklist.
Scott Lang
VP, Product Marketing
October 28, 2021

The US Health Insurance Portability and Accountability Act (HIPAA) was established to ensure that sensitive protected health information (PHI) is not used or disclosed without a patient’s authorization except where the law permits. HIPAA includes a Security Rule that establishes safeguards for organizations holding electronic protected health information (ePHI), as well as a Privacy Rule that sets limits and conditions on the uses and disclosures of PHI that may be made without patient authorization.

Although HIPAA regulations are most often associated with “covered entities” (health plans, healthcare clearinghouses, and healthcare providers that conduct certain transactions electronically), they also apply directly to “business associates”, the third-party vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf. This dramatically expands the number of organizations that must comply with HIPAA requirements, and the number of third parties that covered entities must assess.

How HIPAA Defines Protected Information: Privacy and Security

The HIPAA Privacy Rule defines Protected Health Information (PHI) as individually identifiable health information held or transmitted by a covered entity or business associate: information about an individual’s health status, the provision of healthcare, or payment for healthcare that identifies the individual or could reasonably be used to identify them.

The HIPAA Security Rule deals specifically with safeguarding electronic PHI (ePHI). It requires that the ePHI a covered entity or business associate creates, receives, maintains, or transmits be protected against reasonably anticipated threats, hazards, and impermissible uses and disclosures. The Security Rule sets forth general rules and security standards grouped into administrative, physical, and technical safeguards; organizational requirements and documented policies and procedures round out the regulatory requirements.

How Is Third-Party Risk Related to HIPAA?

Organizations must be aware of risks to critical information both within their own entity and at third parties that have access to ePHI. HIPAA makes this a requirement, and the requirement applies to covered entities and business associates alike. Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

You can evaluate a vendor’s readiness to comply with your security expectations with a vendor risk assessment.

The HIPAA Third-Party Compliance Checklist

Download this helpful checklist for prescriptive guidance on assessing business associate security controls per HIPAA requirements.


Checklist: HIPAA Requirements for Business Associates

Healthcare and related organizations must ensure that business associates and other third parties have the security and privacy controls in place to prevent unwanted access that impacts the confidentiality, integrity or availability of ePHI. To achieve this, companies should conduct thorough vendor risk assessments. The entries below summarize the key HIPAA requirements to assess.

Each entry below pairs a HIPAA requirement (standard, citation and implementation specification, with the regulatory text) with what it means for assessing business associates.

Security Management Process, Administrative Safeguards (§ 164.308(a)(1)(ii)(A))
Implementation specification: Risk analysis (Required)

Requirement: A covered entity or business associate must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

What it means: The first step in complying with HIPAA is a comprehensive risk assessment, both of your own environment and of the third parties that may have access to PHI. Some organizations attempt this with spreadsheet-based questionnaires, but that approach does not scale to a large vendor population.

Security Management Process, Administrative Safeguards (§ 164.308(a)(1)(ii)(B))
Implementation specification: Risk management (Required)

Requirement: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the HIPAA Security Standards].

What it means: Once risks are identified, organizations must implement controls that reduce them to a level they can justify as reasonable and appropriate, and track remediation of the gaps found in vendor assessments.

Security Management Process, Administrative Safeguards (§ 164.308(a)(1)(ii)(D))
Implementation specification: Information system activity review (Required)

Requirement: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

What it means: Ask business associates how, and how often, they review audit logs, access reports and incident records for the systems that hold your ePHI. Since a lot can change between annual assessments, organizations should also continuously monitor vendor risk, contract performance and service level agreements (SLAs).

Business Associate Contracts and Other Arrangements, Administrative Safeguards (§ 164.308(b)(1))

Requirement: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

What it means: A business associate agreement is required, but a signed contract is only an assurance on paper; compliance and security teams should also require evidence that the contracted controls are actually in place. Note that the duty to obtain assurances from subcontractors falls on the business associate (§ 164.308(b)(2)), so ask vendors how they assess their own subcontractors that handle your ePHI.

Security Incident Procedures, Administrative Safeguards (§ 164.308(a)(6)(ii))
Implementation specification: Response and reporting (Required)

Requirement: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

What it means: Some vendors may not know when they have been breached, and others may not promptly report the incidents they do detect. Either failure lengthens Mean Time to Detect (MTTD) and Mean Time to Resolution (MTTR) and widens the window in which an attacker can act against your ePHI, so assess both the vendor’s detection capability and its contractual incident-notification commitments.

Evaluation, Administrative Safeguards (§ 164.308(a)(8))
Standard: Evaluation

Requirement: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

What it means: All organizations experience personnel changes and periodically implement new policies and procedures. Covered entities should continuously monitor cyber, business, and financial intelligence for visibility into material changes in a vendor’s risk profile between annual control assessments.

Policies and Procedures and Documentation Requirements (§ 164.316(b)(1))
Standard: Documentation

Requirement:
  • (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
  • (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

What it means: In the event of an incident or audit, or in the course of a business relationship, organizations must be able to produce evidence supporting their policies, the risks they identified, and the controls they implemented, including their assessments of business associates.

Next Steps for HIPAA Compliance

Complying with HIPAA requires a complete internal and external view of the controls in place at all business associates. Managing this process across hundreds of third parties with manual spreadsheets is impractical. At a minimum, organizations should:

  • Automate business associate vendor onboarding and offboarding to ensure consistent processes
  • Profile, tier and score inherent risk to guide full risk assessment decisions
  • Assess business associates against standardized content that simplifies regulatory and standards mapping
  • Centralize all business associate documentation, including contracts, reporting and evidence
  • Perform continuous monitoring of cybersecurity, business/reputational and financial information to correlate risks against assessment results
  • Report regularly against SLAs, performance and compliance using standardized, pre-built templates
  • Leverage best practices guidance to guide remediation decisions according to organizational risk appetite

For a complete listing of the HIPAA third-party risk management requirements and how Prevalent capabilities map, read The HIPAA Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
