HITRUST develops suite of tools to help in gauging third-party risk

HITRUST is offering new tools and a methodology intended to help organizations automate and improve the effectiveness of managing third-party risk.

HITRUST says the new products and services are aimed at ensuring confidentiality, integrity and availability of data being received or transmitted. Today, providers that comply with HIPAA requirements can be uncertain about what constitutes reasonable and appropriate data protections.

Executives for HITRUST—which certifies healthcare providers, vendors, insurers, suppliers and other stakeholders to determine whether they are handling healthcare data in a safe way—say the platform is being enhanced to help providers qualify business associates and other third parties for doing business with them based on the risk they pose, explains Bryan Cline, its chief research officer.

Cline-Bryan-CROP.jpg
Bryan Cline

“This includes identifying the type of information needed about the business associate’s information protection program required under HIPAA, as well as helping automate the process of obtaining this information,” he adds.

New tools from HITRUST include the Inherent risk questionnaire that asks questions about the nature of the business relationship between the provider and the business associate or other third party to evaluate how much risk they pose. The type of assessment needed depends on this risk, and, in general, more comprehensive assessments are required for business relationships that present more risk.

Another tool from HITRUST is rapid assessments, which asks about basic information protection “good hygiene” practices that are suitable for all types and sizes of providers, including small physician practices.

The third tool, readiness assessments, is a pre-project review to assess the organization’s overall ability to begin the project. This entails identifying areas needing more attention and making recommendations that significantly increase likelihood of success, according to Cline.

The fourth tool is a trust score. “This score simply compares how close a business associate’s self-assessment of its information program is to an independent assessment, such as one performed by someone other than the business associate,” Cline notes. “The trust score provides another data point in evaluation of the overall trustworthiness of a third-party and additional confidence in the assurances it provides. Knowing the vendor or third-party organization will be presented this information with every assessment submitted following the readiness assessment could have the benefit of encouraging third parties to be more circumspect when conducing self-assessments,” Cline concludes.

A new blog from HITRUST, “Understanding and Improving the Role of self-assessments in Third-Party Risk Management,” is available here.

For reprint and licensing requests for this article, click here.