How to Manage Your Third-Party HIPAA Risk
If you’re a healthcare organization, you likely understand that third-party risk management (TPRM) remains a significant challenge.
After all, there’s plenty of proof—especially recently—given the high volume of third-party data breaches reported to the Department of Health and Human Services (HHS) in 2022. In fact, the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors.
Such data signals a need for better TPRM practices in the healthcare industry, but where should you start? As HIPAA assessors, we have a unique perspective on what passes muster and what doesn’t, and in this article, we will detail why TPRM is a problem as well as five steps you can take to mitigate yours.
Don’t fall victim to what so many healthcare organizations have had to deal with due to poor TPRM—read on to strengthen your own.
Why is Third-Party Risk a Problem for Healthcare Organizations?
Vendors provide a myriad of essential functions in the healthcare sector—in fact, many of your partners likely qualify as business associates (BAs) under HIPAA, and not just because the HHS says so.
While business associates have their own mandates under the law, what you need to know is that it’s also your responsibility to ensure that everyone you work with complies with HIPAA rules, especially since—as we mentioned—data security and privacy breaches either caused or enabled by business associates have exploded in recent years:
- In 2022, 701 major breaches affected nearly 59 million individuals, according to HHS' HIPAA Breach Reporting Tool website.
- Of these, 249 reported breaches affecting a total of nearly 24.1 million people involved business associates.
- Overall, vendors were at the center of nearly 36% of the reported breaches and responsible for about 42% of those people affected.
To protect against similar potential breaches or security incidents caused by third-party vendors, every hospital and healthcare organization must define and enforce a strong TPRM program.
5 Steps to Mitigate Your Third-Party HIPAA Risk
In doing so, you should take the following five steps.
1. Identify and Inventory Third Parties.
You need to understand what you’re working with before you can properly manage it, so the first thing you need to do is create an accurate inventory of all your third parties—yes, all of them. Make sure to:
- Classify them by:
  - The technologies and services provided
  - The level of access to your organization’s data (i.e., the source of your risk)
- Capture data from:
  - Multiple systems (e.g., accounts payable, contract management, supply chain, etc.); and
  - Multiple sources (e.g., legal, compliance, procurement, etc.)
This should make for a comprehensive inventory of all vendors with whom you share information, making it more manageable for you to track who has access to sensitive data as well as how many of these parties are sharing this data with others.
This database should also be maintained and updated with up-to-date copies of contracts, service level agreements (SLAs), BA agreements, and follow-up assessments.
2. Vet Vendors.
Ideally, you should be performing a thorough risk assessment before signing a contract with any vendor, and that includes gaining an understanding of:
- Each vendor’s compliance with HIPAA regulations (e.g., request evidence of their HIPAA compliance and administrative capabilities)
- How your third-party vendor securely collects, stores, processes, and transfers protected health information (PHI).
- Each vendor’s security capabilities (how it prevents breaches and detects them)
Your team should work to gain as much transparency into your vendors’ security practices as possible before signing a contract and exposing your sensitive information to potential threats. Here are several key areas of security to address when vetting a vendor:
| Area of Concern | What to Do |
|---|---|
| Policies and Procedures | You don’t need to do a detailed compliance analysis of the documents—which any organization with a mature security posture would have available—just get a sense of how seriously the vendor takes their defenses. |
| Proof of Controls | (If your team has limited resources and expertise, you may want to consider outsourcing control assessments to industry experts, which can also help ensure that the proof of controls is verified and accurate.) |
| Remote Access to Network | For third parties with remote access, the proper controls need to be implemented to ensure security, which can include VPNs, multifactor authentication tools, Virtual Desktop Infrastructure (VDI), or a zero-trust model. |
| User Access | Any vendor you use should be in the practice of carefully weighing any different levels of access to the system, including roles and user IDs. |
| Data Handling | |
| Security Training and Awareness | |
| Backup and Recovery | Backup: / Recovery: |
It’s not enough for a vendor to merely tell you they’re HIPAA compliant. You should perform this level of vetting not only for any new vendors you bring on, but also for your longstanding, existing relationships—especially if you haven’t placed them under this necessary scrutiny before.
3. Adopt a Risk-Tiering Approach.
Once you’ve identified and vetted them, develop a risk profile for each of your third parties using a formal risk-tiering process that quantifies the level to which each third party may expose your organization to risk:
- Prioritize the vendors based on the level of access they have and the amount and type of data they require access to.
- Assign a security risk rating for each vendor based on the types and levels of access—the higher the risk tier, the more effort it may take to conduct risk assessments and obtain security assurances.
- Develop metrics to relay these risks to your executive team.
4. Ensure a Business Associate Agreement (BAA) is In Place.
Before granting access to any level of PHI, you and each of your third-party vendors must enter into a BAA that details commitments to HIPAA compliance and provides assurances relating to the safeguarding of PHI—hospitals and other health-related facilities should never disclose PHI unless a signed BAA exists between the parties.
If a vendor isn’t willing to sign a BAA, you’ll need to move on to another vendor. Why? Because you—a HIPAA-covered entity—will be held accountable for that lack of agreement, especially if you’re ever audited by the Office for Civil Rights (OCR), or if you fall victim to a breach.
In a review of the BAA with each provider, make sure they understand the provisions regarding:
- How they will identify a data breach (which should be defined)
- How long they have to notify you (include exact timeframes in hours or days)
- How data should be stored and disposed of
- The vendor’s privacy and security programs
- Right-to-audit clauses
- Protocols for disclosing when deficiencies in security systems have been identified
If your vendor will need to disclose your PHI to a subcontractor, make sure your BAA requires them to obtain a BAA from their vendors that includes the same security and privacy requirements as exist in the original BAA—HIPAA obligations need to trickle down from health facility to vendor to subcontractor to sub-subcontractor, and on and on, to ensure true compliance.
5. Reassess, Monitor, and Conduct Periodic Audits.
The final step to strong TPRM is ongoing—you need to consistently re-assess your vendors through regular audits that confirm each vendor:
- Follows all HIPAA guidelines
- Actively monitors its own activities
- Compares those activities against established policies and procedures
Repeating this process annually or upon major changes in the vendor’s infrastructure—such as moving from a hosted model to a cloud provider service—will help you stay abreast of any changes to your vendor’s risk profile, any breaches they may not have told you about, or any vulnerabilities of which you weren’t previously aware.
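To make steps 1, 3, 4 and 5 concrete, here is an added example (not Schellman’s tooling, and not something the article itself provides) in Python: a vendor inventory record classified by services and access level, a scoring rule that places each vendor in a risk tier, and checks that flag a missing BAA, a BAA without subcontractor flow-down, or an overdue (or change-triggered) reassessment. The vendor records, the scoring weights and the `Vendor` fields are all constructed for illustration and are assumptions, not an HHS or HITRUST schema; tune the weights and the reassessment interval to your own risk appetite.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Scoring weights are assumptions for illustration, not a published standard.
ACCESS_SCORE = {"none": 0, "limited": 1, "broad": 2, "admin": 3}
DATA_SCORE = {"public": 0, "internal": 1, "phi": 3}
REASSESS_AFTER = timedelta(days=365)  # "annually or upon major changes"


@dataclass
class Vendor:
    """One row of the third-party inventory (step 1). Field names are assumptions."""
    name: str
    services: List[str]               # what they provide (classification axis 1)
    access_level: str                 # none / limited / broad / admin (axis 2)
    data_types: List[str]             # public / internal / phi
    baa_signed: bool                  # step 4: is a BAA on file?
    subcontractors: int               # downstream parties that receive our data
    baa_requires_flowdown: bool       # does the BAA oblige them to get BAAs downstream?
    last_assessment: Optional[date]   # step 5: when we last audited them
    major_change_since_assessment: bool = False   # e.g. moved from hosted to cloud
    source_systems: List[str] = field(default_factory=list)  # AP, contracts, legal...


def handles_phi(v: Vendor) -> bool:
    return "phi" in v.data_types


def risk_score(v: Vendor) -> int:
    """Quantify exposure from access level, most sensitive data type and onward sharing."""
    score = ACCESS_SCORE[v.access_level]
    score += max((DATA_SCORE[d] for d in v.data_types), default=0)
    score += min(v.subcontractors, 2)  # cap so downstream sharing cannot dominate
    return score


def risk_tier(v: Vendor) -> str:
    """Step 3: map the numeric score onto a tier (thresholds are assumptions)."""
    s = risk_score(v)
    if s >= 6:
        return "Tier 1"
    if s >= 3:
        return "Tier 2"
    return "Tier 3"


def compliance_gaps(v: Vendor, today: date) -> List[str]:
    """Findings a TPRM reviewer would raise for this record (steps 4 and 5)."""
    gaps = []
    if handles_phi(v) and not v.baa_signed:
        gaps.append("handles PHI but no BAA is on file")
    if handles_phi(v) and v.subcontractors > 0 and not v.baa_requires_flowdown:
        gaps.append("shares PHI downstream but BAA lacks subcontractor flow-down")
    touches_our_data = v.access_level != "none" or handles_phi(v)
    if touches_our_data:
        if v.last_assessment is None:
            gaps.append("never assessed")
        elif today - v.last_assessment > REASSESS_AFTER:
            gaps.append("reassessment overdue (> 365 days)")
        if v.major_change_since_assessment:
            gaps.append("major change since last assessment; reassess now")
    return gaps


def build_report(vendors: List[Vendor], today: date) -> Dict[str, dict]:
    """Roll the inventory up per vendor, highest-risk first, for the executive summary."""
    report: Dict[str, dict] = {}
    for v in sorted(vendors, key=risk_score, reverse=True):
        report[v.name] = {
            "tier": risk_tier(v),
            "score": risk_score(v),
            "phi": handles_phi(v),
            "gaps": compliance_gaps(v, today),
        }
    return report


# Constructed sample inventory with a fixed "today" so the run is reproducible.
TODAY = date(2023, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Claims Clearinghouse", ["claims processing"], "broad", ["phi"],
           baa_signed=True, subcontractors=2, baa_requires_flowdown=True,
           last_assessment=TODAY - timedelta(days=400),
           source_systems=["accounts payable", "contract management"]),
    Vendor("Office Supply Co", ["consumables"], "none", ["public"],
           baa_signed=False, subcontractors=0, baa_requires_flowdown=False,
           last_assessment=None, source_systems=["accounts payable"]),
    Vendor("Telehealth Platform", ["video visits"], "limited", ["phi", "internal"],
           baa_signed=False, subcontractors=1, baa_requires_flowdown=False,
           last_assessment=TODAY - timedelta(days=100), source_systems=["procurement"]),
    Vendor("Analytics Startup", ["population health analytics"], "admin", ["phi"],
           baa_signed=True, subcontractors=0, baa_requires_flowdown=True,
           last_assessment=TODAY - timedelta(days=30),
           major_change_since_assessment=True, source_systems=["legal"]),
]

if __name__ == "__main__":
    for name, row in build_report(SAMPLE_VENDORS, TODAY).items():
        print(f"{row['tier']:7} score={row['score']} phi={row['phi']} {name}: {row['gaps']}")
```

Run as written, the report lists the clearinghouse and the analytics vendor first (Tier 1), flags the telehealth platform for both a missing BAA and a missing flow-down clause, and leaves the supplier with no data access unflagged; the same structure can be fed from the accounts-payable, contract and procurement exports the article lists as inventory sources.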
Next Steps Regarding Compliance for Your Vendors
By taking these steps to strengthen your TPRM and thereby helping your vendors meet HIPAA compliance requirements, you can better protect yourself from a potential partnership that will increase your risk of confidential data breaches.
However, you don’t have to leave it at that—you can also ask your vendors to undergo an assessment against a relevant framework to prove their security and privacy practices. For instance, a growing number of healthcare organizations are requiring their business associates to obtain HITRUST certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the health industry.
And if that’s not a good fit for you or your vendors, you might instead ask them to engage with us for a HIPAA Express evaluation, which is a service we created to help healthcare organizations manage risk and compliance. If you’re interested in learning more about how we can help, please contact us today. Otherwise, read our other HIPAA content that can simplify other aspects of your journey.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.