By Greg Freeman
Third-party vendors pose a significant risk to a healthcare organization’s HIPAA compliance program, but those risks can be mitigated by diligently following best practices. Properly executing a business associate agreement (BAA) is crucial to managing third-party vendor relationships, says Milada Goturi, JD, partner with the Thompson Coburn law firm in Washington, DC. Make sure the arrangement is structured appropriately, making clear that the covered entity is not controlling day-to-day operations of the vendor, she says.
“If you have that structured correctly, then, by law, the covered entities aren’t really responsible for violations of businesses associated who are the independent contractor,” Goturi says. “If the covered entity is aware of a violation by their business associate, then they need to investigate. They need to take steps to make sure that noncompliance is cured, and if you know it’s not curable, then the agreement would need to be terminated.”
Concern over supply chain risk has increased exponentially over the last few years, particularly with regard to breach liability — especially concerning a variety of artificial intelligence tools and other similar technologies, says Iliana L. Peters, JD, shareholder with the Polsinelli law firm in Washington, DC. Peters previously was acting deputy director for Health and Human Services (HHS) and enforced HIPAA regulations.
Data have become increasingly valuable over the last decade, and that means that the data owner has significant risk anytime they hand their data to a third party, she says. Data security has been at issue in a variety of different state and federal regulatory efforts, including not just HIPAA, but also Federal Trade Commission and state law requirements, she says.
“From a compliance perspective, this is a huge area of risk at both the state and federal level as well as, of course, the international level. If you look at these issues from a HIPAA perspective, it is somewhat a narrow focus because there are a lot of uses of data, particularly in healthcare, that are happening outside the HIPAA construct,” Peters says.
The risks depend on the relationship with the third-party vendor, she says, meaning what the vendor is actually doing for the data owner, the covered entity.
“A lot of times, there’s a lack of understanding on the part of both the data owner, the covered entity, and the data processor, which is a business associate, conversation about exactly what the relationship means from a data perspective,” Peters says. “They don’t have a good handle on what specific data elements are being accessed or shared by or with that third party, and then, similarly, what services are actually being provided to the data owner as part of that relationship.”
Establishing proper agreements with vendors has become more difficult in recent years as some covered entities try to include requirements that go beyond what is necessary, says Barry Mathis, managing principal of IT advisory consulting at PYA, a healthcare management consulting firm in Chattanooga, TN.
“I’d scratch my head and say, ‘There are things in here that absolutely don’t belong in a BAA,’ but because you have to sign one, the vendors are up against the wall with this. We’ve seen some healthcare systems, especially the large ones, where the attorneys got all in the BAA and were putting some third-party management in there.”
The number of third-party vendors is increasing rapidly, especially with the advent of artificial intelligence, Mathis says, and that increases the HIPAA risk for covered entities.
“Not all of those are going to be as solid as somebody who’s been in there for 15 years with their business associate agreements and all their checks and balances, with their third-party assessments completed,” he says. “Buyer beware. The vendors that you’re getting engaged with should know that the diligence is not only recommended but absolutely required.”
Healthcare organizations cannot outsource accountability, which makes proactive vendor risk management critical, says Gaurav Kapoor, co-CEO of MetricStream, a company in San Jose, CA, providing governance, risk management, and compliance services.
“This starts with robust due diligence during onboarding, including verifying the vendor’s security posture and alignment with HIPAA standards. This should also entail a business associate agreement that clearly defines roles, responsibilities, and breach protocols,” he says. “Most important is the ongoing monitoring, regular security assessments, and integrating vendors into incident response planning. Overall, treating vendors as true extensions of the organization, rather than separate entities, is the best practice for reducing liability and maintaining patient trust.”
Vetting needs to go beyond a simple checklist, Kapoor says. Healthcare organizations need a multi-tiered risk approach that reflects the level of access and the sensitivity of data each vendor handles, he says.
For vendors managing or transmitting protected health information (PHI), this might include aspects such as comprehensive security questionnaires, SOC2 or HITRUST certifications, evidence of HIPAA training, penetration testing reports, vulnerability scans, and clear incident response protocols, he says.
“Even lower-risk vendors should undergo a baseline review and sign a BAA to avoid any potential issues,” Kapoor says. “The goal is to create transparency and accountability from the outset, and to repeat the process periodically as static vendor assessments tend to be a blind spot in many programs.”
Kapoor says these are the most common missteps with vendors and HIPAA compliance:
- Assuming the BAA is enough and treating it as just a box to check off, instead of approaching it as a dynamic agreement that requires proactive enforcement.
- Not keeping up with ongoing monitoring as risks continue to change. As vendors bring on subcontractors, update software, or scale their operations, this opens a path for potential problems. Without continuous visibility, organizations and their patients will be left exposed to risks.
- Not involving vendors in incident response planning is another, since time is a huge component when a breach occurs. If third parties do not know their role in the response playbook, delays and miscommunication can fuel the fire further.
- Failing to tier vendors appropriately also is an area where issues arise. If you apply the same vetting process across the board, and regardless of data access, it will either overwhelm the team or leave high-risk vendors insufficiently scrutinized.
“The main lesson here: Proactive, robust vendor risk management is no longer optional in today’s business world. In fact, it’s a strategic imperative to the success of any healthcare organization,” Kapoor says. “As cyber threats evolve and HIPAA enforcement tightens, healthcare organizations must take a continuous, collaborative approach to safeguarding patient data.”
It is important to note that different contracting and vendor oversight steps are triggered depending on the specific federal and state laws, says Simone Colgan Dunlap, JD, partner with the Quarles law firm in Phoenix, AZ. Therefore, a critical first step is to inventory data and identify the data that the vendor will create, receive, maintain or transmit on behalf of the organization. “If we are talking about a vendor in the context of HIPAA, the vendor in question is going to be a business associate — a person or entity that performs certain functions involving the use or disclosure of protected health information on behalf of a covered entity or an upstream business associate,” she explains.
To minimize the risk that an entity will be held responsible for the compliance errors of its business associate, Colgan Dunlap advises taking a few key steps. First, establish a formal privacy and data security vendor management process. “This process should involve conducting due diligence on vendors pre-engagement to assess the vendor’s ability to comply with HIPAA’s requirements and assess whether the vendor has the wherewithal — via assets and insurance — to make the entity whole in the event that the vendor creates liability as a result of a compliance mishap,” she says. “Note that HIPAA’s requirements related to security may shift significantly and be much more proscriptive if the proposed rule to modify HIPAA’s Security Rule is adopted. If the Proposed Rule is adopted, entities subject to HIPAA should reassess vendor relationships.”
Second, manage risks via contracts. Entities should enter into a compliant BAA and ensure that vendor agreements contain appropriate risk-shifting provisions, Colgan Dunlap says. Entities also may wish to include requirements to maintain a cyber insurance policy and processes for measuring adequate performance of privacy- and security-related requirements, she says. “One often overlooked area when engaging a vendor is thinking through expectations for a coordinated breach response and who will pay for various aspects of the response,” Colgan Dunlap notes.
Cyber insurance can provide coverage for breach-related expenses that are not covered by traditional commercial insurance policies. For example, policies can cover costs related to computer forensics, legal fees related to drafting notification letters, or even the payment of settlement amounts stemming from regulatory investigations, she says.
Third, consider whether to require independent third-party assessments, audits, or certifications as part of onboarding.
Fourth, engage in continuous monitoring to ensure the vendor is meeting its contractual obligations, and proactively identify issues like misuse of data, Colgan Dunlap advises.
“HIPAA requires a regulated entity to obtain written assurances in the form of a business associate agreement, that its business associates will appropriately safeguard ePHI (electronic PHI). But, at present, the Security Rule does not require a regulated entity to verify that a business associate is taking steps to protect ePHI,” she says.
If the proposed rule to modify HIPAA’s Security Rule is adopted, this would change, she says. Importantly, nothing prohibits regulated entities from implementing more stringent standards. For example, many regulated entities use the National Institute of Standards and Technology’s Cybersecurity Framework to structure vendor management programs, she notes.
“We sometimes see organizations misclassify entities as business associates when this is not the case,” Colgan Dunlap says. “A great way to avoid unnecessary liability under HIPAA is to be clear about when HIPAA does not attach.”
Another common pitfall is insufficient upfront vendor diligence and monitoring, she says. Many vendors are willing to agree to rigorous contract terms but are not actually living up to these requirements, she notes.
“Related, failure to ask questions about a vendor’s subcontractor relationships is another source of liability that is often under-investigated,” Colgan Dunlap says. “A vendor may actually have a solid privacy and information security program, but their program is only as good as their weakest subcontractor.”
Healthcare organizations should manage risk from third-party vendors by appropriately vetting vendors during the vendor selection and contracting process, says Elizabeth F. Hodge, JD, partner with the Akerman law firm in West Palm Beach, FL. Other key steps include monitoring certain vendors over the term of the engagement and addressing in the contract, including the BAA, what is expected of the vendor in the event of a compliance error or worse.
“Because different vendors present varying levels of risk to a healthcare organization, and healthcare organizations face resource constraints, it’s not practicable for an organization to apply the same level of vetting to all third-party vendors,” she says. “As a result, organizations should perform a risk analysis to determine the level and type of risk a vendor presents to the organization and create a tiered vendor review process accordingly. Those vendors that assist with mission-critical services or that have access to the most sensitive data may warrant more scrutiny while those vendors that don’t have access to sensitive or confidential data or that provide non-critical services may receive a lesser degree of review.”
Hodge says one common mistake that organizations make with third-party vendor vetting is not appreciating how an incident caused by the vendor or one affecting the vendor’s ability to provide services in turn affects the healthcare organization.
“In other words, how does an issue with a particular vendor affect the organization’s business continuity? This lack of understanding can cause an organization to not perform the appropriate level of vetting,” she says. “Another mistake is failing to identify which vendors may warrant ongoing review during the term of the agreement and then implementing a process to conduct periodic assessments.”
Also, if the scope of services provided by a vendor changes over time, the organization should reassess whether it needs to change how it evaluates that vendor based on the changed circumstances, Hodge says.
“Vendor management should be a dynamic process,” she says.
Ensure that contracts and vendor technical questionnaires are actually reviewed, whether by your own staff or by an outsourced vendor review function, says Amy S. Mushahwar, JD, partner with the Lowenstein Sandler law firm in Washington, DC.
“If there were deficiencies on the face of the vetting documents that you have, it doesn’t show good third-party security. Do the necessary follow-up to demonstrate remediation,” she says. “If a vendor will have PHI, ensure your business team is working with security and procurement to ensure the vetting occurs and, if they pass vetting, companies are given the right level of data access.”
At a minimum, a covered entity must have security questionnaires with appropriate security artifacts at the time of retention before data access, with follow-up attestations regarding compliance for ongoing retention, Mushahwar says.
“Annual attestation of security is ideal, but it can be every two years if staffing cannot support annual vetting,” she says. “We also want you to risk assess your vendors, and those with the most access, storage, and/or handling of PHI and PII (personally identifiable information) should be the vendors that are vetted most frequently and subject to additional technical pen testing and scanning, as well as any onsite audits.”
Mushahwar says the three most common errors are allowing the business to proceed with work without having appropriate vetting and contracts in place, over-provisioning access, and vendor work creep over time, where a vendor’s true risk footprint and access to data may not fully be known.
It is crucial to engage a third-party vendor that shares a dedication to HIPAA compliance and patient safety, says Heidi Drafall, senior vice president of quality with Agiliti, a medical equipment supplier based in Eden Prairie, MN. Using a risk-based approach, look for vendors that follow critical best practices and adhere to the latest industry quality standards, she says.
The foundational step is to establish a comprehensive process for identifying and inventorying all vendors, Drafall advises. An evaluation of each vendor’s quality practices and HIPAA compliance history will confirm whether they are a good partner to engage before any PHI is shared, she says.
“From a patient safety perspective, it’s important to determine if a vendor’s quality processes are based on rigorous, patient risk-based standards and if they follow original equipment manufacturer guidelines for service and maintenance,” she says. “Specifically, for those medical devices that store PHI, the vendor should have standard processes to clear the information from each device between patient use and/or at the intervals recommended by the OEM (original equipment manufacturer). This is crucial for safeguarding patient-specific data.”
Furthermore, ongoing assessments, monitoring, and audits are vital to ensure continued compliance with HIPAA regulations and adherence to the necessary quality standards for handling and maintaining medical devices, she says.
Safeguarding PHI is fundamental to high-quality service providers, Drafall notes. When vetting third-party services, a detailed assessment to align experience and expertise with the specific medical devices in each healthcare facility is necessary. Each medical device model is unique, and it is important to partner with a service provider who understands the processes necessary to clear PHI from each device owned by the healthcare facility, she says. Furthermore, some devices require special software developed and maintained by the device OEM to clear the PHI data. Ensuring adequate access and availability to such software is crucial.
“The most common mistakes made when managing third-party risk for HIPAA compliance — especially when vendors are involved with medical devices — often stem from insufficient upfront vetting,” Drafall says. “This includes failing to thoroughly evaluate whether a vendor meets both HIPAA compliance and critical medical device quality standards.”
Often, these mistakes stem from failures such as not fully evaluating a vendor’s quality management system, including their adherence to OEM guidelines, record-keeping practices, technician training, and controls for recalled devices, she says. Another oversight is the lack of ongoing monitoring of both HIPAA compliance and adherence to medical device quality standards, she adds.
“Organizations that fail to adopt a risk-based approach that considers the likelihood and impact of HIPAA violations or device malfunctions due to inadequate service will have insufficient oversight of high-risk vendors,” Drafall says.
Sources
- Heidi Drafall, Senior Vice President of Quality, Agiliti, Eden Prairie, MN. Telephone: (800) 847-7368.
- Simone Colgan Dunlap, JD, Partner, Quarles, Phoenix, AZ. Telephone: (602) 229-5510. Email: [email protected].
- Milada Goturi, JD, Partner, Thompson Coburn, Washington, DC. Telephone: (202) 585-6951. Email: [email protected].
- Elizabeth F. Hodge, JD, Partner, Akerman, West Palm Beach, FL. Telephone: (561) 273-5503. Email: [email protected].
- Gaurav Kapoor, Co-CEO, MetricStream, San Jose, CA. Telephone: (650) 620-2955.
- Barry Mathis, Managing Principal of IT Advisory Consulting, PYA, Chattanooga, TN. Email: [email protected].
- Amy S. Mushahwar, JD, Partner, Lowenstein Sandler, Washington, DC. Telephone: (202) 753-3825. Email: [email protected].
- Iliana L. Peters, JD, Shareholder, Polsinelli, Washington, DC. Telephone: (202) 626-8327. Email: [email protected].
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.