If my company is not a healthcare provider, what do we need to do to demonstrate proper vendor due diligence required by HIPAA/HITECH?
Many times, this question is posed to audit firms and consulting firms when a client receives a security questionnaire from a potential or existing healthcare customer to which they provide services. This article gives a high-level, straightforward overview of the key areas to consider when evaluating the third party risk management (TPRM) requirements that HIPAA places on business associates.
Why the Increased Regulation?
Depending on the study, today, roughly 30 to 50 percent of all payer/provider data breaches are attributed to business associates and vendors. Additionally, the healthcare industry remains a primary target of hackers, and their attacks continue to increase in frequency and sophistication.
Hospitals and insurers have a responsibility to understand their vendors’ security posture and compliance with HIPAA, as well as each vendor’s current status across multiple exclusion and sanctions lists.
This increased risk has resulted in payers and providers adjusting their security posture to defend against internal risks and external attacks. However, vendor risk management, and assuring the security of vendor IT environments, has been a blind spot for many healthcare organizations.
This has led to increased scrutiny by many payers and providers of their vendors and subcontractors. This scrutiny can result in increased anxiety for smaller organizations that have traditionally not viewed themselves as “healthcare” companies.
The good news is that, despite what may feel like a one-size-fits-all approach, there is often flexibility in meeting increased compliance requirements. At L&C, what we often see is that organizations need help navigating the regulatory and audit landscape to determine the right path.
Covered entities (e.g. payers and providers) will typically base the level of monitoring and compliance activities for their vendors/subcontractors on the level of risk presented, and that risk level determines how rigorous the compliance expectations are. It often boils down to whether you are a vendor that actually touches and works with PHI, or an IT service provider (e.g. datacenter, cloud infrastructure). Organizations that provide services which touch and work with PHI (e.g. claims intermediaries, third party software which integrates with EHRs) will often have more to demonstrate from a security standpoint.
What Does the 2013 HIPAA Omnibus Rule Require?
Health systems, payers, and care intermediaries rely on hundreds of vendors every day to ensure they provide reliable services. These range from clinical care partners to printing vendors.
The use of vendors is critical to the operation of the modern healthcare system; however, this increased reliance on vendors also creates increased risk. This risk has continued to grow since the passage of the HITECH Act in 2009.
The HITECH Act expanded the obligations of covered entities (CEs) and business associates (BAs) to protect the confidentiality and security of Protected Health Information (PHI). Before HITECH, business associates had contractual obligations under their business associate agreements (BAAs) to maintain the privacy and security of PHI, but were not subject to sanctions for failure to comply with the HIPAA rules.
However, the HITECH Act greatly expanded business associate HIPAA responsibilities in multiple key areas, including but not limited to:
- Business associates are now directly responsible for all the HIPAA Security standards, implementation specifications, and requirements.
- Business associates will now need to do a risk analysis by conducting a thorough assessment of the potential risks and vulnerabilities.
- Business associates are now directly responsible for the HIPAA Privacy requirements in § 164.502, Uses and disclosures of protected health information: General rules, including Minimum Necessary, and § 164.504, Uses and disclosures: Organizational requirements.
- Subcontractors are now considered business associates (based on meeting defined criteria), and BAs now face direct enforcement from the OIG.
What Can Small Businesses Do? Vendor Risk Management Policy
For organizations entering the healthcare space for the first time, these requirements can seem daunting. However, Linford has seen many organizations bolster vendor due diligence and risk monitoring by modifying and latching on to existing processes.
Putting in place a long term strategy and having the support of senior leadership is key to success. Have a “keep it simple” mentality, and think about developing processes over time through the lens of a maturity model. Year one of the maturity model might be based on shared calendars, alerts, and spreadsheets, and this is a solution which may work long term for some organizations.
One of the most important things an organization can do is collaboratively develop and implement a Vendor Risk Management Policy.
Vendor Risk Due Diligence & Risk Assessments
Prior to engaging a new vendor who will touch, transmit, or store PHI, business associates need to conduct proper due diligence on that organization. This includes documenting the due diligence in a consistent way for all vendors. Vendor risk assessments are one of the primary mechanisms organizations use to evaluate a vendor’s or subcontractor’s security maturity.
Risk assessments come in a variety of names, shapes, and sizes, but they all serve the same purpose. Common names include:
- Vendor security questionnaire,
- Vendor risk management questionnaire,
- Third party risk assessment, and
- HIPAA security questionnaire.
Security factors organizations should weigh in the vendor due diligence and selection process include the level of access to PHI, performance specifications, and the duration of the contract.
Linford has a vendor risk management checklist that organizations can leverage, which covers key HIPAA compliance objectives. This can also be leveraged for any organization dealing with sensitive information.
It is also critical for organizations to ensure vendors carry cyber insurance to cover liability. Vendors determined to pose a greater risk will often be required to undergo a third party risk assessment addressing the HIPAA Security Rule, Breach Notification, and limited components of the Privacy Rule.
To operationalize the required process, keep it simple.
- Integrate with existing procurement processes to implement a vendor security gate check, which ensures the vendor security risk checklist has been completed and determined acceptable.
- Implement the process on a go-forward basis, and develop a strategy for legacy vendor contracts.
- For legacy vendor contracts, first prioritize high risk vendors.
- If your organization is facing contractual requirements from a covered entity (CE) which may preclude you from working with an existing vendor, it is recommended to communicate directly with the CE to work out a viable path forward. Many times, large payers and providers will allow extensions or waivers.
- For smaller organizations with a limited number of “business associate” vendors, implementing vendor risk management software or a VRM solution is likely not required.
- Medium sized organizations should consider implementing a Third Party Risk Management (TPRM) committee bringing together operational leaders, IT, procurement, compliance, accounting, and legal to review new contracts and ensure vendors are meeting established criteria. Many organizations formally adopt third party risk management frameworks such as NIST.
Business Associate Agreements (BAAs): Delegation & Responsibilities
The 2013 Omnibus rule requires business associates to enter into a business associate agreement with any vendor/subcontractor to which the BA delegates a business function that involves creating, transmitting, or storing PHI. This means a vendor engaged in claims processing, and a vendor hired to sanitize and dispose of sensitive media for a covered entity, would both be considered business associates. The HIPAA/HITECH Act expands business associate HIPAA responsibilities in multiple areas, which should be evaluated with the guidance of legal counsel. These include, but are not limited to:
Key Business Associate Responsibilities
- Business associates and subcontractors need to evaluate their business relationships with vendors to determine where BAAs are required. If a vendor or subcontractor creates, receives, maintains, or transmits PHI, it will likely require a BAA.
- Be prepared to negotiate the terms of the BAA.
- All parties must fully understand their responsibilities under HIPAA and their BAA.
- Due diligence must be performed to verify the systems and processes are operating to comply with their responsibilities.
- Liability and indemnification: A key provision of a BAA is the limitation of liability, meaning that in the event of a breach, the associated fines can be enforced on the liable party (including vendors). The costs of a PHI related breach can quickly spiral (fines, breach notifications, risk assessments, credit monitoring, etc.). As such, accepting a vendor’s liability limitation can be very costly in the long run, and attempts to limit liability or an unwillingness to indemnify could be red flags.
Vendor Monitoring & Compliance
Once contracts are signed, BAAs are in place, and services are being performed, business associates are also responsible for monitoring their vendors’/contractors’ compliance with their contractual requirements.
At a minimum this must include obtaining ongoing assurance that the right security controls are in place to meet HIPAA requirements, and it should also be expanded to evaluate compliance with any contract-specific service level agreements outside of the business associate agreement. Failure to accurately monitor vendors against the hundreds of state and federal OIG exclusion list databases could mean thousands of dollars in fines for a single transaction with an excluded vendor.
Keys to success often include:
- Categorizing vendors: Many business associates that deal with multiple types of vendors develop a risk ranking system to categorize their vendors. For example, a print vendor who is only responsible for sending out provider directories may only be required to complete a HIPAA self-assessment every two years, whereas a vendor that directly touches and manipulates ePHI may be required to have an annual third-party HIPAA risk assessment. The far end of this scale could require a vendor to obtain HITRUST CSF certification, which directly assesses the HIPAA Security Rule in addition to other controls, including vendor risk management.
- Latch on to existing processes: As noted, bolstering existing processes can often expedite compliance, versus building from the ground up. For example, if contract management software is currently in use, many organizations have set annual reminders to kick off routine monitoring processes. Additionally, for small organizations (fewer than 50 FTEs) with a small number of vendors, recurring annual (or bi-annual) meetings on a shared calendar have been a keep-it-simple solution that has been highly effective.
- OIG exclusion screening: Organizations must also verify that their vendors are screening their employees (and downstream entities) against the OIG exclusion list upon hire and monthly thereafter. For vendors that have a relatively small number of employees dealing with PHI and healthcare transactions, many organizations have rolled the screening of their vendors into their own internal processes to ensure it is occurring and documented consistently.
Developing a well-functioning Third Party Risk Management program is fundamental to operating in today’s healthcare landscape. External and internal security threats continue to grow in complexity and sophistication, and it is important to protect your brand and reputation from your vendors’ information security risks. Seek the help of experienced audit and legal professionals to navigate the world of HIPAA compliance and stay off the OIG’s radar.
Linford and Company has extensive experience working with organizations to define their control environment. Please contact us if you would like to learn more about how we can help you.
Nick has over ten years of professional experience in public accounting and risk consulting, with an extensive background in healthcare payer/provider audit and compliance. Prior to Linford & Co., Nick worked in multiple healthcare audit, compliance, and consulting roles, including six years at PwC. He completed a Bachelor of Arts from Colorado State University in 2005, and later a Master in Accountancy. Nick has experience leading SOC 1, SOC 2, HITRUST and HIPAA Security audits. He takes pride in his ability to work with small start-ups and to lead multi-year projects with numerous large health systems and payers.