Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 Final rule (78 FR 5566), which strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) insuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that makes use of (1) HHS Office of Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) that sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives though the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.