The US Health Insurance Portability and Accountability Act (HIPAA) was established to ensure that sensitive protected health information (PHI) would not be disclosed without a patient’s consent. HIPAA includes a Security Rule that establishes safeguards for organizations holding electronic protected health information (ePHI), as well as a Privacy Rule that sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Although HIPAA regulations are most closely aligned with “covered entities” such as health plans, healthcare clearinghouses, and some healthcare providers, they also apply to “business associates” — third-party vendors that have access to PHI. This dramatically expands the number of organizations that must comply with HIPAA requirements – and the number of third parties that providers must assess.
The HIPAA Privacy Rule defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
The HIPAA Security Rule deals specifically with safeguarding electronically stored PHI (ePHI). It states that the ePHI that an organization (known as a covered entity) creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The HIPAA Security Rule sets forth general rules around security standards, including administrative, technical, and physical safeguards. Organizational requirements and documented policies and procedures round out the legislative specifications.
Organizations must be aware of risks to critical information both within their own entity and with third parties that have access to ePHI. HIPAA makes this a requirement, and extends the term “organization” to covered entities and business associates. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
You can evaluate a vendor’s readiness to comply with your security expectations with a vendor risk assessment.
The HIPAA Third-Party Compliance Checklist
Download this helpful checklist for prescriptive guidance on assessing business associate security controls per HIPAA requirements.
Healthcare and related organizations must ensure that business associates and other third parties have the security and privacy controls in place to prevent unwanted access that impacts the confidentiality, integrity or availability of ePHI. To achieve this, companies should conduct thorough vendor risk assessments. The table below summarizes key HIPAA requirements to assess.
| HIPAA Requirements | What It Means |
|---|---|
| Security Management Process (A) Risk analysis (REQUIRED): A covered entity or business associate must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. | The first step in complying with HIPAA regulations is a comprehensive risk assessment – both internally and of third parties that may have access to PHI. While some organizations attempt this with spreadsheet-based questionnaires, that approach does not scale. |
| Security Management Process (B) Risk management (REQUIRED): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [HIPAA Security Standards]. | Once risks are identified, organizations must implement controls to minimize risk. |
| Security Management Process (D) Information system activity review (REQUIRED): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Since a lot can change between annual assessments, organizations should perform continuous monitoring of risks, contract performance and service level agreements (SLAs). |
| Business Associate Contracts and Other Arrangements: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. | Business associate contracts are required, but smart compliance and security teams will also require evidence of compliance and controls. |
| Security Management Process, Administrative Safeguards, Implementation specification: Response and reporting (REQUIRED): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. | Some vendors may not know when they have been breached, or may not promptly report incidents, which increases Mean Time to Discovery (MTTD) and Mean Time to Resolution (MTTR) and leaves an organization exposed to potential exploits for longer. |
| Security Management Process, Administrative Safeguards, Standard: Evaluation: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. | All organizations experience personnel changes and periodically implement new policies and procedures. Covered entities must continuously monitor cyber, business, and financial intelligence for visibility into material changes to a vendor’s risk profile between annual internal control assessments. |
| Policies and procedures and documentation requirements, Standard: Documentation | In the event of an incident or audit, or in the course of a business relationship, organizations are required to produce evidence supporting policies, identified risks, and controls. |
Complying with HIPAA requires a complete internal and external view of the controls in place for all business associates. Managing this process efficiently across hundreds of third parties with manual spreadsheets is impossible. At a basic level, organizations should:
For a complete listing of the HIPAA third-party risk management requirements and how Prevalent capabilities map, read The HIPAA Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.