Healthcare needs to take a page out of the financial sector’s playbook when it comes to how it practices vendor management security. HIPAA, for the moment, only calls for covered entities to issue a Business Associate Agreement with contracts for those vendors who will have access to ePHI. But an agreement is simply not enough, and there are plenty of sad stories out there on the DHHS Wall of Shame to prove it. The Breach Notification Rule under HITECH makes it clear that the covered entity and the business associate are joined at the hip when it comes to responsibility for protecting patient information. All the more reason to have a sound program for managing the risks associated with vendors who have access.
This program should take a lifecycle approach to data security, and each contract should reflect the program’s priorities. It should begin when the service is first conceived and end with the final disposition of the data. The Business Associate Agreement (BAA) may not be the best vehicle for conveying these requirements, but it is still both necessary and a good idea for conveying the responsibilities imposed by the law. The program itself should have the following elements:
- Vendor security management policy
- Vendor security selection checklist
- Vendor security questionnaire (post selection)
- Vendor audit program (periodic reviews)
- Post contract disposition process
Vendor management is a big responsibility. Not doing it correctly can invite some unwanted surprises. Learn more about CynergisTek’s Vendor Security Management service.