How to Meet HIPAA Third-Party Risk Requirements

Complying with HIPAA legislation requires a complete, internal view of third-party security and privacy controls; something that simply can't be addressed with an external scan.
Scott Lang
VP, Product Marketing
October 09, 2019

The US Health Insurance Portability and Accountability Act (HIPAA) was established to ensure that sensitive protected health information (PHI) is not disclosed without a patient’s consent. HIPAA includes a Security Rule that establishes safeguards for organizations holding electronically stored PHI (ePHI), as well as a Privacy Rule that sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

Although HIPAA regulations are most closely associated with “covered entities” such as health plans, healthcare clearinghouses, and some healthcare providers, they also apply to “business associates”: third-party vendors that have access to PHI. This dramatically expands the number of organizations that must comply with HIPAA requirements – and the number of third parties that providers must assess.

How HIPAA Defines Protected Information: Privacy and Security

The HIPAA Privacy Rule defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

The HIPAA Security Rule deals specifically with safeguarding electronically stored PHI (ePHI). It states that the ePHI that an organization (known as a covered entity) creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The HIPAA Security Rule sets forth general rules around security standards, including administrative, technical, and physical safeguards. Organizational requirements and documented policies and procedures round out the legislative specifications.

How Is Third-Party Risk Related to HIPAA?

Organizations must be aware of risks to critical information both within their own entity and with third parties that have access to ePHI. HIPAA makes this a requirement, and extends the term “organization” to covered entities and business associates. Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

You can evaluate a vendor’s readiness to comply with your security expectations with a vendor risk assessment.

HIPAA Requirements for Business Associates

Healthcare and related organizations must ensure that business associates and other third parties have the security and privacy controls in place to prevent unwanted access that affects the confidentiality, integrity or availability of ePHI. To achieve this, companies should conduct thorough vendor risk assessments. The table below summarizes key HIPAA requirements to assess; each entry lists the requirement, the regulatory text, and what it means in practice.

HIPAA Requirements | What It Means

Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(A) Risk analysis (REQUIRED)

A covered entity or business associate must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

The first step in complying with HIPAA regulations is a comprehensive risk assessment – one that covers both the organization itself and any third parties that may have access to PHI. While some organizations attempt this with spreadsheet-based questionnaires, that approach does not scale.

Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(B) Risk management (REQUIRED)

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [HIPAA Security Standards].

Once risks are identified, organizations must implement controls to minimize risk.

Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(D) Information system activity review (REQUIRED)

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Since a lot can change between annual assessments, organizations should perform continuous monitoring of risks, contract performance and service level agreements (SLAs).

Business Associate Contracts and Other Arrangements
(§ 164.308(b)(1))

A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

Business associate contracts are required, but smart compliance and security teams will require evidence of compliance and controls.

Security Management Process, Administrative Safeguards
§ 164.308(a)(6)

Implementation specification: Response and reporting (REQUIRED)

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

Some vendors may not know when they have been breached, or may not promptly report incidents. Either failure lengthens Mean Time to Discovery (MTTD) and Mean Time to Resolution (MTTR), leaving the organization exposed to further compromise for longer.

Security Management Process, Administrative Safeguards
§ 164.308(a)(8)

Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

All organizations experience personnel changes and periodically implement new policies and procedures. Covered entities must continuously monitor cyber, business, and financial intelligence for visibility into material changes to a vendor’s risk profile between annual internal control assessments.

Policies and procedures and documentation requirements
(§ 164.316(b)(1))

Standard: Documentation

  • (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
  • (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

In the event of an incident or audit, or in the course of a business relationship, organizations are required to produce evidence supporting policies, identified risks, and controls.

Next Steps for HIPAA Compliance

Complying with HIPAA requires a complete internal and external view of the controls in place for all business associates. Managing this process efficiently across hundreds of third parties with manual spreadsheets is impossible. At a basic level, organizations should:

  • Automate business associate vendor onboarding and offboarding to ensure consistent processes
  • Profile, tier and score inherent risk to guide full risk assessment decisions
  • Assess business associates against standardized content that simplifies regulatory and standards mapping
  • Centralize all business associate documentation, including contracts, reporting and evidence
  • Perform continuous monitoring of cybersecurity, business/reputational and financial information to correlate risks against assessment results
  • Report regularly against SLAs, performance and compliance using standardized, pre-built templates
  • Leverage best practices guidance to guide remediation decisions according to organizational risk appetite

For a complete listing of the HIPAA third-party risk management requirements and how Prevalent capabilities map directly to them, please download the white paper, The Third-Party Risk Management Compliance Handbook, or request a demo today.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.