Third Party Risk Governance: Thought Leadership on Risk Management

By Brad Keller, JD, CTPRP,
Sr. Director of 3rd Party Strategy

Regulators for both the healthcare and financial industries have taken the same approach. Beyond requiring companies to include provisions in their contracts that obligate vendors to maintain adequate security and data privacy controls, they require companies to:

  • Determine whether the vendor can meet those requirements
  • Determine whether the vendor is actually in compliance with those requirements (i.e., perform an assessment)
  • Take “reasonable steps” to correct any lack of vendor compliance (i.e., remediation efforts)
  • If such steps are unsuccessful:
    • Terminate the contract, or
    • If termination is not feasible, report the situation to the Secretary [OCR]

As it relates to Covered Entities and BA Agreements, it is not enough for the contracts to be right. Covered Entities have to assess vendors for compliance; attempt to remediate any lack of controls; and, if unsuccessful, terminate the relationship or report the issue.  While the Covered Entity has to report the situation, OCR does not have the ability to require the vendor to take corrective action.  Within the context of the regulation(s), the reporting would therefore seem to be a protective measure for the Covered Entity should a problem later arise.  It is also fair to assume that any report to the Secretary of such a situation would have to be supported by substantial documentation of the Covered Entity’s assessment due diligence and remediation efforts.

A significant number of Covered Entities responding to a poll Brad Keller ran during one of his recent webinars indicated that they rely solely on the contract provisions in the BA Agreement and do not otherwise assess vendors for compliance.  Given the requirements above, this approach would seem to be a direct violation of the regulations.

Here is a high level run-down of the regulations themselves:

  • Pursuant to 45 CFR 164.504 (Uses and disclosures: Organizational requirements), Covered Entities may share protected health information (PHI) with a business associate (apart from some limited exceptions not relevant here) only if they have a valid Business Associate Agreement (BAA) in place.
  • Under the HIPAA Security Rule, 45 CFR 164.314 sets the organizational requirements for the BA, including the contract provisions governing the protection of electronic PHI. See also 45 CFR 164.308 (administrative safeguards, including business associate contracts) and 164.502 (uses and disclosures: general rules).