Does your organization update its HIPAA business associate agreements to reflect recent changes? Does it conduct comprehensive risk assessments of vendors?

If not, how do you know whether a vendor holding your data is updating its privacy practices, is giving patients electronic copies of their medical records when requested, or understands how to handle requests to segregate sensitive treatment that was paid for out-of-pocket? And how do you know whether a vendor has appropriate access control and is encrypting your data?

The reality is that you don’t know unless your organization has a robust vendor risk management program. Ken Peterson, CEO at Churchill & Harriman, which has done 1,500 comprehensive risk assessments for large healthcare and financial institutions since 1998, says providers of all sizes can improve their oversight of vendor compliance with HIPAA privacy, security and breach notification rules.

In fact, improvement is imperative, Peterson contends. “The threat landscape has changed so dramatically with threat nations and cybercriminals. We’re beyond HIPAA compliance and now in formal elements of risk management to try to get ahead of the curve.”

The rise in very sophisticated hacking of data is raising security awareness and putting not just patients but entire organizations at risk, yet many leaders still are not adequately funding security improvements, he adds. And hackers looking for health data are targeting vendors just as much as the health organizations themselves, because vendors hold the data and may have lax security. The information most at risk includes health records, financial data and personally identifiable geographical data.

To start a vendor assessment program, Peterson recommends joining Shared Assessments, a professional association that major financial institutions, accounting firms and vendors created in 2005 to develop a standard and objective methodology for assessing risk management.

The program has a number of tools, refined at least annually by members to help members. “Using industry established best practices, Shared Assessments follows a ‘trust but verify’ approach to conducting third party assessments which allows you to fine tune your third party risk management program to your company’s strategy for managing risk,” according to the organization’s Web site.

For instance, the Standard Information Gathering Questionnaire aids in tailoring questions to determine a vendor’s level of risk and level of service. The answers then help an organization decide the degree to which it trusts a vendor and whether it needs to conduct an on-site assessment. The Agreed Upon Procedures Tool helps an organization verify answers, determine areas to be studied in an on-site assessment, and set the procedures to be followed in the assessment, according to the association. It also helps establish a set of controls for testing vendor compliance, with results placed in a standardized template.

But there remains work for an organization to do itself. When considering outsourcing, ensure that knowledgeable in-house staff for every function that may be outsourced are represented at the table, Peterson advises. This makes sure that all criteria a vendor is being assessed on are adequately addressed and that another group does not come to the table after decisions have already been made.

Churchill & Harriman has a formal process for bringing together appropriate stakeholders, categorizing vendors, and ensuring the proper people from a vendor organization also are at the table.
