Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 Final rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and required written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office of Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

Annual report shows Health IT dramatically improving quality of care

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the health information technology (health IT) landscape has dramatically evolved, with hospitals and health care providers using health IT more than ever. In 2015, 96 percent of hospitals and 78 percent of physician offices used certified EHR technology. The Office of the National Coordinator for Health Information Technology (ONC) details the advancements made in the health IT landscape in its 2016 Report to Congress on Health IT Progress.

Reporting requirements

Section 13113(a) of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5), under the HITECH Act, requires HHS to submit to the appropriate committees of the House of Representatives and the Senate a report (1) describing the specific actions that have been taken by the federal government and private entities to facilitate the adoption of a nationwide system for the electronic use and exchange of health information; (2) describing barriers to the adoption of such a nationwide system; and (3) containing recommendations to achieve full implementation of such a nationwide system. This is the annual update to the previous submissions, which were released on January 17, 2012, June 21, 2013, October 9, 2014, and February 29, 2016.

HHS priorities

The progress of health IT allowed for a transition in focus for HHS to the seamless and secure flow of health information, or interoperability. The advancements set the foundation for delivery system reform, the Cancer Moonshot, combating the opioid epidemic, the Precision Medicine Initiative, clinical innovation, and protecting and advancing public health. HHS has focused on three priority areas:

  • promoting common standards to facilitate the seamless and secure exchange of data, including through the use of standardized, open application programming interfaces (APIs);
  • building the business case for interoperability, particularly through delivery system reform efforts that change the way CMS pays for care to reward quality over quantity of services; and
  • changing the culture around access to information through combating information blocking; ensuring that individuals know they have a right to access and transmit their health information and that health care providers know they must provide access to the individuals; and reminding health care providers that they are legally allowed to exchange information in the course of treatment or coordinating care.

Health IT changing the provision of care

The rapid adoption of health IT has facilitated increased use of functionalities that have real-world clinical impacts. These include clinical decision support, which can point health care providers to evidence-based clinical guidelines at the point of care, facilitate an enhanced diagnosis or treatment path, and alert providers to potentially harmful drug interactions. Hospitals and physicians have also gained the ability to exchange more electronic health information than ever, with 82 percent of non-federal acute care hospitals electronically exchanging laboratory reports, radiology reports, clinical summaries, or medication lists. Approximately 90 percent of hospitals reported that they routinely had clinical information needed from outside sources or health care providers available at the point of care. Notably, EHR systems have transformed the prescribing and dispensing of medications, with e-prescribing systems lowering costs, improving care, and saving lives by reducing medication errors and checking for drug interactions.

Increased access to health information

Digitizing the U.S. health system has empowered individuals to be more in control of their own health decisions. Those with electronic access to their health information can monitor chronic conditions, better adhere to treatment plans, find and fix errors in their records, and directly contribute their information to research. Today, 95 percent of hospitals have the capability to allow patients this type of access.

Siblings fired for sharing information of 91,000 Washington Medicaid recipients

The Washington Health Care Authority (HCA) is sending letters to 91,000 Apple Health (Medicaid) recipients to notify them of a breach of protected health information (PHI) following improper handling by an HCA employee. The employee sought technical help from her brother, an employee of the Department of Social and Health Services (DSHS), and in doing so, provided him with information, including clients’ Social Security numbers, dates of birth, addresses and phone numbers, Apple Health identification numbers, and medical procedure and diagnosis information. Although there is no evidence that the information was used improperly, the HCA could not verify that the information remained within the state system.

Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) covered entities (CEs)—health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain transactions—must notify patients when their PHI has been compromised, a process referred to as “breach notification” (sec. 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5)). CEs must notify patients of breaches unless they can actually demonstrate a low probability that PHI was compromised (78 FR 5566).

In this instance, the HCA employee, a medical assistance specialist, exchanged emails containing PHI with her brother, an internet technician, from 2013 to 2015, when she asked him for technical assistance with spreadsheets containing PHI. The exchanges were uncovered during the course of a whistleblower investigation into misuse of state resources. Because of a viable possibility that PHI was leaked outside of the system, the HCA was required to notify affected individuals.

The HCA is offering one year of free credit monitoring to Apple Health clients affected by the breach. The HCA and the DSHS terminated both employees.