How Important Is Protecting Patient PHI to Your Vendors?

As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing services. One report found that 98% of the hospitals surveyed were either actively considering outsourcing or had already done so. Outsourcing is expanding beyond non-core functions to clinical areas as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the health system.

However, outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) has issued approximately $6 million in financial penalties where failure to obtain a signed HIPAA-compliant business associate agreement (BAA) from at least one vendor was either the sole reason for the financial penalty or contributed the severity of the penalty.

The 2019 HIMSS Cybersecurity Report noted that 30% of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months. This means that 70% had experienced a significant security incident.

HIPAA requires that covered entities have a BAA with vendors that have access to PHI to perform duties on behalf of the covered entity or if electronic PHI (ePHI) passes through their systems. The HITECH Omnibus rules require business associates to comply with the Security Rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with applicable requirements of the privacy rule and ensure their subcontractors agree to the same regulations.

While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor’s security. Nor will a BAA protect the entity’s reputation. Quest Diagnostics recently experienced a breach by one of their vendors of financial data for approximately 11.9 million patients. While the breach was the fault of the vendor, the media focus and public attention is on Quest Diagnostics.

It’s important to consider if the data an organization is entrusting to a vendor are protected. What is the organization doing to ensure vendors who access ePHI understand their obligations and expectations?

The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.

Verify the Organization Has Required BAAs

Healthcare providers must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the HIPAA-HITECH Act’s regulations related to business associates were released in 2013. In most cases, accounts payable has been trained not to process a check without a BAA.

However, experience shows that if there is a way around those controls, someone will have figured it out. Vendors can get established without a BAA when a hospital merges with or acquires another provider. It might also occur when an emergency purchase is necessary. Vendors can change ownership without providing notice that it’s time to update the BAA.

Reviewing the vendor master file should begin with the elimination of vendors that the organization knows do not need BAAs, such as utilities, employee expense reimbursement, contracted physicians and so ob. The organization should then look at all remaining vendors and determine their use and access to PHI. The process can be time-consuming and painful, but if this basic first step is never done, an organization will never know if they have identified the vendors that put the organization at risk. At the end of this process, the organization will have two lists: vendors with BAAs and those without BAAs.

Evaluation of Vendors & PHI

Once the organization has a list of vendors that access their PHI, employees need to determine what these vendors are doing to protect patient PHI. Some questions that organizations should ask:

• Do we do any periodic reviews of vendor security?
• Did we evaluate security before we started working with the vendor?
• Do our vendors have certifications they can provide to us?
• If they advertise HITRUST certification, have they sent us a current report?
• What do we know about what they are doing with our data?
• Are they sending our data offshore?
• Do they have security standards that at least meet HIPAA standards?

Evaluation can be done in a number of ways. If a vendor is audited annually to maintain its HITRUST certification, or it has an SOC II or other audit done to validate security controls, ask for the reports. Furthermore, they should be reviewed to make sure that PHI security controls are functioning. If the vendor doesn’t have an independent review, the organization might need to do its own review. Reach out to the vendor and discuss its security. Covered entities might find it helpful to survey their vendors on security.

If a vendor doesn’t want to provide information or can’t provide good data, the organization needs to perform a risk assessment to determine whether they are willing to accept the risk presented from the lack of information.

Update Organization BAAs

After doing the two steps above, organizations should have lists of their vendors and BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete, with the names of both parties and the appropriate signatures? Is the contact information correct?

If the vendor doesn’t have a BAA, it’s past time to get a BAA. If the vendor with access to PHI refuses to sign a BAA, it’s time to terminate that relationship.

Monitoring vendors for PHI security is not a one-time review. A vendor with a great security person can suffer a financial setback and replace the experienced security director to save money. A vendor who assured an organization that its data was stored and processed in the U.S. can suddenly outsource to an offshore location for processing of the account. While this monitoring can take time and resources, as many have learned in healthcare, a little prevention can often head off a major issue.

Carol Amick is the manager of healthcare services at CompliancePoint. She has led numerous investigations into PHI breaches and responded to outside investigations by the OCR, OIG and other regulatory agencies.

Get the best insights in digital health directly to your inbox.

Related

Health Execs Say Vendors Are the Worst Cyberthreat. But Most Don’t Vet Partner Security

The Woman Behind the Facebook Health Data Breach Complaint

Why Healthcare Is So Vulnerable to Ransomware and What We Can Do About It