Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements related to third parties. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.
The US Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, but over the past two decades its scope has grown considerably in the form of legislative updates and enforcement actions. In its broadest terms, the purpose of HIPAA is to:
The HIPAA Privacy Rule defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
The HIPAA Security Rule deals specifically with safeguarding PHI that is created, received, maintained, or transmitted in electronic form (ePHI). It requires that the ePHI an organization (a covered entity, and since the Omnibus Rule a business associate as well) creates, receives, maintains, or transmits be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The Security Rule sets out general security standards grouped into administrative, technical, and physical safeguards. Organizational requirements and documented policies and procedures round out the regulatory specifications.
In its most basic form, the assessment, analysis, and management of risk provides the foundation of a covered entity’s HIPAA Security Rule compliance efforts. This includes a heightened awareness of the risk posed by vendors that handle PHI on the entity’s behalf.
The relationship and responsibilities between covered entities and their vendors are critically important. Before a vendor creates, receives, maintains, or transmits PHI on a covered entity’s behalf (that is, before it becomes a business associate), the covered entity must put in place a contract, the Business Associate Agreement, that spells out the vendor’s privacy and security obligations. Evaluating a vendor’s readiness to meet the covered entity’s security expectations is achieved through a vendor risk assessment. The results of the assessment enable covered entities to identify appropriate security controls for reducing risk to the organization and to its data and information systems.
Since the 2013 HIPAA Omnibus Rule, business associates of covered entities are directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules, rather than being bound only through their contracts with covered entities.
Prevalent can help address the third-party business associate requirements in HIPAA. For the purposes of this blog, however, we have summarized select HIPAA requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the HIPAA requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.
To address HIPAA requirements, Prevalent:
The Security Rule’s risk analysis standard (45 CFR 164.308(a)(1)(ii)(A)) makes it clear that covered entities and business associates must each conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI that the organization creates, receives, maintains, or transmits.
Prevalent’s Third-Party Risk Management solution provides a complete framework for managing, auditing, and reporting on third-party supplier and business associate risk. Contact us today for a live demo, or register to watch a recorded demo of these capabilities.
Next week’s blog examines the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook.