Last month, Boston Medical Center fired a transcription service after discovering about 15,000 patient records were posted without password protection on the vendor’s Web site.
Is this an example of an isolated event or an indicator of a systemic issue with business partners?
After working closely with service companies of varying sizes over the past few years, I’ve concluded that they are fully aware of their HIPAA compliance obligations but often lack the funding, staffing or security expertise to adequately address them. Most recently, as we know, vendors have not had as much time as health plans and providers to prepare for and meet their compliance obligations under the tighter HIPPA privacy and security measures put in place in January 2013. As a result, many are woefully behind in meeting fundamental security requirements.
In addition, health plans and providers often struggle to identify or reduce partner risk, the primary reason being the sheer volume and diversity of the service companies used by any healthcare organization. And every vendor poses some form or level of risk when granted physical or logical access to patient health information.
Consequently, business associate risk is higher than most realize because a majority of this risk is not identified or reported. Therefore, potentially serious or costly security and compliance issues fly under the radar of senior leadership.
So, how can providers reduce their risks?
Consider taking a tiered approach to assessing and managing partner risk, which enables you to allocate your limited resources to the highest exposure areas. Most providers take a one-size-fits-all approach to managing business partners and let the business agreement do all the work. By employing a tiered-risk management model, you can direct the most intensive resources to areas of greatest exposure. This allows for broader coverage without substantially increasing the overall resource investment in risk management.
Here’s where to start:
When business associates handle patient data, it’s imperative that some form of written contract or agreement specifies what is expected beyond just stating that “all HIPAA compliance requirements will be met.” Contracts and agreements alone are weak controls unless security and compliance can be verified. Spell out specifics and build in a verification process that allows you to confirm how your data is actually being protected.
Then, expose the highest-risk relationships by implementing more granular risk assessments. Does your business associate process, store, transmit or maintain patient data? If yes, then employ an information security questionnaire. The questionnaire should be broad in scope and address all applicable disciplines of security, providing a fundamental understanding of the vendor’s level of security posture and maturity. The questionnaire results provide evidence of proper data handling, risk management and compliance activities and allows for better prioritization of high-risk relationships according to exposure.
For the highest-risk relationships, consider deploying security staff to the business partner’s site and comprehensively assessing and verifying their exposed areas of concern. Think hosted application vendors and cloud computing vendors with data centers in multiple states or countries. An onsite assessment should include staff interviews, physical inspection of the facilities and document reviews as well as technical vulnerability testing. This approach provides much greater assurance of contract, policy and regulatory compliance and gives insight into how data is actually being protected.
Interviews should be based on the business associates’ response to the questionnaire. The interviews’ purpose is to validate the responses provided on the questionnaire and spot-checking specific controls. Physical inspections are important because business associate users may be located in uncontrolled facilities. Technical testing should consist of evaluating Internet-facing systems and applications as well as testing internal security configurations and patch management levels.
Individual risk assessments do not scale well. It becomes less practical to conduct an exercise of assessing risk the greater the number of sites and business associates involved. So, conducting onsite risk assessments can become impractical whenever any organization has more than a few high risk business associate relationships. Consider using a trusted third-party vendor that can conduct risk assessments on your behalf. They can offer a reliable and scalable risk assessment approach.
Also, rather than bolt on security and compliance considerations into your sourcing program, integrate it seamlessly into the way you conduct your day-to-day activities. You want your sourcing to be sustainable over the long term. So, it’s in your best interests to work with business associates and ensure their processes and activities meet your expectations. Require business associates to acknowledge receipt and adherence to your specified policies, procedures, standards and minimum security requirements before moving forward with any sourcing activity. Not only should due diligence be performed prior to selecting a business associate, but it should also be performed periodically during the course of the relationship, especially when considering a renewal of a contract.
The scope and depth of due diligence is directly related to the importance and magnitude of your organization’s business associate relationships. For example, large-scale, highly visible programs or programs dealing with patient health records integral to your organization’s success warrant an in-depth due diligence. Conversely, the due diligence process for isolated low-risk business associate activities would be much less comprehensive.
Once a business associate is accessing patient data, continuous review processes should be in place to ensure that expectations are consistently being met.
The high volume of business associate relationships is not expected to diminish. Therefore, covered entities need to have plans in place for analyzing, controlling and managing this area of information and compliance risk. The most effective way to reduce the rate of security vulnerabilities and failures with your business associates is to combine the use of risk assessments, contracts/agreements, sourcing due diligence and careful oversight monitoring.
These steps may be new and seem overwhelming to implement. But this is the world we live in today. The healthcare industry must accept the fact that the environment has changed and recognize that there is a new paradigm that demands more effort and accountability with respect to information security. This includes business associate relationships.
Originally published by Health Data Management.