HIPAA and Third-Party Risk Management
HIPAA requires that the electronic Protected Health Information (ePHI) an organization creates, receives, maintains, or transmits be protected against reasonably anticipated threats, hazards, and impermissible uses or disclosures. The HIPAA Security Rule sets out security standards in three groups of safeguards: administrative, technical, and physical. Organizational requirements and documented policies and procedures complete the regulation's specifications.
The assessment, analysis, and management of risk, including risk posed by third parties, provide the foundation of HIPAA Security Rule compliance efforts. HIPAA requires vendor contracts to include privacy and security assurances. Conducting risk assessments and continuous monitoring enables your organization to evaluate each vendor's readiness to meet these security expectations and to protect patient ePHI.