Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements related to third parties. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.
The US Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, but over the past two decades its scope has grown considerably in the form of legislative updates and enforcement actions. In its broadest terms, the purpose of HIPAA is to:
- Improve efficiency in the healthcare industry
- Improve the portability of health insurance
- Protect the privacy of patients and health plan members
- Ensure health information is kept secure and patients are notified of breaches of their health data
Privacy and Security: How HIPAA Defines Protected Information
The HIPAA Privacy Rule defines Protected Health Information (PHI) as individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, in any form or medium. In plain terms, it is any information about an individual's health status, the provision of health care, or payment for health care that can be linked to that individual.
The HIPAA Security Rule deals specifically with safeguarding PHI in electronic form (ePHI). It requires that the ePHI a covered entity or business associate creates, receives, maintains, or transmits be protected against reasonably anticipated threats, hazards, and impermissible uses or disclosures. The Security Rule sets out general security standards grouped into administrative, physical, and technical safeguards, each implemented through required or addressable implementation specifications. Organizational requirements (such as business associate contracts) and documented policies and procedures round out the rule's specifications.
How Is Third-Party Risk Related to HIPAA?
In its most basic form, the assessment, analysis, and management of risk provides the foundation of a covered entity's HIPAA Security Rule compliance efforts. That risk analysis must account for the vendors that handle ePHI on the entity's behalf.
The relationship and responsibilities between covered entities and their vendors are critically important. Before a vendor creates, receives, maintains, or transmits PHI on a covered entity's behalf, the covered entity must put a written contract, the Business Associate Agreement (BAA), in place that sets out the vendor's privacy and security obligations. Evaluating a vendor's readiness to meet the covered entity's security expectations is achieved through a vendor risk assessment. The results of the assessment enable covered entities to identify appropriate security controls for reducing risk to the organization and its data and information systems.
Since the HIPAA Omnibus Final Rule took effect in 2013, business associates of covered entities, and their subcontractors that handle PHI, are directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
HIPAA Security Rule Requirements for Business Associates
Prevalent can help address the third-party business associate requirements in HIPAA. For the purposes of this blog, however, we have summarized select HIPAA requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the HIPAA requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.
To address HIPAA requirements, Prevalent does the following. All citations below are to the HIPAA Security Rule, 45 CFR Parts 160, 162, and 164 (Health Insurance Reform: Security Standards; Final Rule):
- Delivers an automated platform to manage third-party risk assessments, addressing Security Management Process, Administrative Safeguards, Risk Analysis (§ 164.308(a)(1)(ii)(A)): conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate.
- Unifies internal control-based assessments (based on industry standard framework questionnaires or on custom questionnaires) with continuous vendor threat monitoring, addressing Security Management Process, Administrative Safeguards, Risk Management (§ 164.308(a)(1)(ii)(B)): implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Includes reporting to satisfy audit and compliance requirements, and to present findings to the board and senior management, addressing Security Management Process, Administrative Safeguards, Information System Activity Review (§ 164.308(a)(1)(ii)(D)): regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Automates collection, analysis, and risk identification from vendor surveys, addressing Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)): obtain satisfactory assurances that the business associate or subcontractor will appropriately safeguard the ePHI it handles.
- Captures and audits conversations and matches documentation or evidence against risks, addressing Policies and Procedures and Documentation Requirements (§ 164.316(b)(1)): maintain a written record of the assessments, actions, and activities the rule requires.
HIPAA requirements make it clear that risk assessments must be completed by covered entities and business associates to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that an organization creates, receives, maintains, or transmits.
Prevalent's Third-Party Risk Management solution provides a complete framework for implementing management, auditing, and reporting related to third-party supplier and business associate risk. Contact us today for a demo, or register to watch a recorded demo of these capabilities.
Our Series Continues …
Next week’s blog examines the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook.