Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) led to the promulgation of the January 25, 2013 Final rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors, required written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the ongoing monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office for Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, running frequent vulnerability scans, and integrating risk analysis into the process. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, derive risk levels from them, review actions taken with the vendor, refine the questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

Trump Administration appoints controversial figure to HHS’ anti-discrimination office

The Trump Administration appointed Roger Severino as Director of the HHS Office for Civil Rights (OCR). Previously, Severino worked for the Heritage Foundation as the director of the DeVos Center for Religion and Civil Society in the Institute for Family, Community, and Opportunity. Prior to his work with the Heritage Foundation, he was a trial attorney in the Department of Justice’s Civil Rights Division. Severino was also the Chief Operations Officer and Legal Counsel for the Becket Fund for Religious Liberty.

OCR

The OCR enforces federal laws designed to prohibit discriminatory practices in health care by providers who receive HHS funds. The OCR also protects the privacy and security of health information through its investigatory and enforcement actions related to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

Opposition

Senator Patty Murray (D-Wash) spoke out in opposition to the Trump Administration’s appointment, calling it an “appalling hire.” Murray criticized Severino’s work with the Heritage Foundation and the Becket Fund, where he “fought against transgender equality in health care, against the separation of church and state, and in support of defunding Planned Parenthood.” Severino has previously worked to oppose the OCR’s implementation of Section 1557 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), a provision that prohibits discrimination in health care on the basis of race, color, national origin, sex, age, or disability.

Free Webinar! Personal Health Information: Hospitals, Health Plans, and Human Resources

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This webinar will provide employers with an overview of their legal obligations, focusing significantly on health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information from health insurance, medical leave, or disability, and will cover GINA, the FMLA, and the ADA.

Join this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?

REGISTER NOW

Thursday, October 13, 2016
2:00-3:00 p.m. EDT
1:00-2:00 p.m. CDT
12:00-1:00 p.m. MDT
11:00-12:00 p.m. PDT

Registration is open to the first 1,000 approved registrants and requires a complete name, title, organization, and valid business email address.

Kusserow on Compliance: Enforcement update from OCR

The HHS Office for Civil Rights (OCR) reports that HIPAA Privacy and Security breaches of Protected Health Information (PHI) continue to increase. From OCR published data, it is estimated that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. However, the true number is much greater, because most breaches affect fewer than 500 individuals and therefore are not subject to public disclosure on the OCR breach portal. Since the compliance date of the Privacy Rule in April 2003, the OCR reported receiving more than 137,770 HIPAA complaints, which resulted in nearly 1,000 compliance reviews. The following summarizes the results of review and investigation:

  • 70 percent were closed without enforcement because (a) the complaint was untimely or withdrawn by the complainant; (b) the entity was not covered by HIPAA; or (c) no violation was found.
  • 17 percent led to required changes in privacy practices and corrective actions.
  • 10 percent involved early intervention, with only the need to provide technical assistance.
  • 37 cases involved financial settlements totaling $39,989,200.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance, in order of number of occurrences, were private practices, hospitals, outpatient facilities, pharmacies, and health plans. To date, the compliance issues investigated most often, compiled cumulatively and in order of frequency, are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Use or disclosure of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.



Copyright © 2016 Strategic Management Services, LLC. Published with permission.