Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

Hero  Image  Solutions  Compliance  Hipaa

HIPAA Compliance

HIPAA and Third-Party Risk Management

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to ensure that sensitive protected health information (PHI) would not be disclosed without the patient’s consent. HIPAA includes a Security Rule that establishes safeguards for organizations holding electronically stored protected health information (ePHI), as well as a Privacy Rule that sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

Although HIPAA regulations are most closely aligned with “covered entities” such as health plans, healthcare clearinghouses, and some healthcare providers, it also applies to “business associates” — third-party vendors that have access to PHI. This dramatically expands the number of organizations that must comply with HIPAA requirements and the number of third parties that providers must assess.

Organizations must be aware of risks to critical information both internally and with third parties that have access to ePHI. HIPAA makes this a requirement and extends the term “organization” to covered entities and business associates. Section 164.308(a)(1)(ii)(A) states: "RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]."

Evaluating a vendor’s readiness to comply with the covered entity’s security expectations is achieved through a vendor risk assessment.

Relevant Requirements

  • The HIPAA Privacy Rule defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

  • The HIPAA Security Rule deals specifically with safeguarding electronically stored PHI (ePHI).

The HIPAA Third-Party Compliance Checklist

Download this helpful checklist for prescriptive guidance on assessing business associate security controls per HIPAA requirements.

Read Now
Feature hipaa compliance checklist 1021

Meeting HIPAA Security Rule TPRM Requirements

Here's how Prevalent can help you address HIPAA third-party risk management requirements:

HIPAA Security Rule 45 CFR Parts 160, 162, and 164 - Health Insurance Reform: Security Standards; Final Rule How We Help

Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(A) Risk analysis (REQUIRED)

A covered entity or business associate must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Prevalent offers security, privacy, and risk management professionals a platform to automate the third-party risk assessment, scoring, and remediation process and determine compliance with IT security, regulatory, and data privacy requirements. Prevalent provides a library of over 200 standardized assessment templates – including for HIPAA and the Health Information Sharing and Analysis Center (H-ISAC) – customization capabilities, and built-in workflow and remediation guidance.

In addition, the Prevalent Healthcare Vendor Network simplifies and accelerates the due diligence process, providing an on-demand library of thousands of completed healthcare vendor risk reports based on the H-ISAC questionnaire, which are continuously updated and backed by supporting evidence.

Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(B) Risk management (REQUIRED)

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [HIPAA Security Standards].

Once assessments are collected and analyzed, the Prevalent TPRM Platform offers built-in remediation recommendations and guidance. With clear reporting and remediation guidance, the platform ensures that risks are identified, analyzed, and escalated to the proper channels so that your organization achieves a risk level appropriate to its risk appetite.

Security Management Process
Administrative Safeguards
(§ 164.308(a)(1))

(D) Information system activity review (REQUIRED)

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Prevalent delivers a continuous view of risks through Internet and Dark Web threat monitoring feeds, as well as business and financial risk analysis, to reveal developments that could impact risks.

The Prevalent Platform also enables comprehensive reviews with a dedicated and custom contract assessment questionnaire, plus continuously tracked performance metrics via centralized vendor dashboards.

Prevalent maintains a complete repository of all documentation collected and reviewed during the diligence process, with specific regulatory compliance and security framework reporting.

Business Associate Contracts and Other Arrangements
(§ 164.308(b)(1))

A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

Prevalent’s assessment capabilities simplify compliance and reduce risk with automated collection, analysis, and remediation of vendor responses using industry-standard or custom surveys – including those measuring information safeguards.

Although not required, Prevalent provides visibility into 4th and Nth parties (e.g., subcontractors) with detailed relationship mapping, providing audit trails of flows of information throughout a supplier ecosystem.

Security Management Process, Administrative Safeguards
§ 164.308(a)(6)

Implementation specification: Response and reporting (REQUIRED)

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

Prevalent Vendor Threat Monitor (VTM) monitors the Internet and Dark Web for cyber threats and vulnerabilities – as well as public and private sources of reputational, sanctions, and financial information – providing real-time visibility into risks and enabling risk management and security teams to act immediately.

The Prevalent Third-Party Incident Response Service enables organizations to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Security Management Process, Administrative Safeguards
§ 164.308(a)(8)

Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

Prevalent Vendor Threat Monitor alerts organizations to adverse changes in third parties’ businesses and triggers targeted assessments to address interim immediate risks. Early alerts enable more time to respond to incidents and built-in remediation guidance helps organizations protect PHI and avoid OCR actions and reputational damage.

Some changes, like the COVID-19 pandemic, forced fundamental changes in how businesses operate. Prevalent’s assessment questionnaires include questions designed to reveal internal business continuity gaps and external supply chain weaknesses that could negatively impact an organization’s ability to maintain control over sensitive PHI or prompt one to consider alternate vendors.

Policies and procedures and documentation requirements
(§ 164.316(b)(1))

Standard: Documentation

  • (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
  • (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

The Prevalent TPRM Platform includes contract, document, evidence and certifications management with built-in version controls, task assignment, and auto-review cadences in centralized vendor profiles.
In addition, Prevalent captures and audits conversations and matches documentation or evidence against risks. Intuitive and straightforward dashboards provide a clear overview of tasks, schedules, risk activities, survey completion status, agreements, and associated documents.

Align Your TPRM Program with CCPA, GDPR, HIPAA and More

Download this guide to review specific requirements from 5 data privacy authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.

Read Now
Featured resource compliance handbook privacy
  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo