HIPAA Audits to Also Focus on Vendor Management by Healthcare Organizations
The HHS Office for Civil Rights (OCR) is looking to expand its HIPAA privacy/security/breach notification audit program, particularly in light of increased cyber attacks on the healthcare industry and the rising threat that third-party vendors represent. The audit protocols cover Privacy Rule requirements for notice of privacy practices for Private Health Information (PHI), rights to request privacy protection for PHI, access of individuals to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, and accounting of disclosures. Also covered is the Security Rule requirements for administrative, physical, and technical safeguards; and requirements for the Breach Notification Rule.
As cyber threats continue to intensify, the OCR is also looking at the security posture of healthcare organizations’ business associates and subcontractors. Hackers know that many business associates are a weak link in the security chain. The OCR also knows this, as well as state attorneys general who are conducting their own HIPAA compliance enforcement activities.
In the past, “a healthcare organization could manage its vendors by contract—stipulating what security provisions a particular business associate is responsible for,” said Joseph Kirkpatrick, managing partner in the security compliance assessment services unit of accounting firm KirkpatrickPrice, at a recent conference. However, this won’t work anymore. “Providers and insurers need to take full custody by closely overseeing relationships with vendors, knowing where their data is, how it is secured and where it is going. The bottom line: Courts want to see proper oversight and it is the healthcare organizations’ responsibility to ensure its vendors and subcontractors are compliant not just on paper but in practice.”
What Are Auditors Looking for When It Comes to Vendor Management
A government or private auditor is looking to see that the healthcare organization is ensuring vendor security compliance and how these vendors are being monitored. Following are some of the questions auditors will ask healthcare providers and facilities during a HIPAA audit, along with requiring documentation to back up their answers:
- Does healthcare organization knows the name of all business associates and their subcontractors?
- Do they address the risks of subcontractors?
- Do their policies define permissible uses and disclosures of protected health information?
- Do their agreements require business associates to provide evidence of appropriate safeguards? How do they determine what is appropriate?
- Do they have a defined incident response procedure?
- Do they require the business associate to provide auditors with all necessary documentation in case of an audit?
- Does the business associate agreement have teeth, with termination an option in case of violations?
- Do health care organizations make clear that the vendor is responsible for telling them if there is a breach?
Healthcare organizations should ask all business associates for proof of Cyber Liability insurance. If an incident does occur, insurers will conduct an investigation and the healthcare facility can require business associates and subcontractors to share the findings. In addition, a healthcare facility should review their own Cyber Liability policy to assess that their coverage is adequate – especially because of the number of breaches and the extent of the breaches that occur in the industry. Caitlin Morgan can assist you in providing a strong Cyber Liability policy for your insureds. Give us a call at 877.226.1027.
Source: Health Management Data