“A Few Steps for Better Vendor Management: A Lifecycle Approach to Vendor Security”
Written by Mac McMillan for Becker’s Hospital Review
CynergisTek CEO, Mac McMillan recently wrote an article for Becker’s Hospital Review to provide guidance for Covered Entities (CEs) when it comes to managing their vendors now that the Omnibus requires them to hold their Business Associates (BAs) accountable. McMillan states that you have to perform the necessary and appropriate due diligence with all vendors that handle PHI. He provides several practical tips that can help providers implement a lifecycle approach.
Where to start
- Security considerations should take place as soon as you anticipate business with a vendor. Some of the most important factors to consider are the level of access the vendor will have to PHI, details of what the vendor will be performing on the providers behalf, and the length of the contract.
- Create a security questionnaire to include in RFIs and RFPs. It will help determine the vendor’s capability and readiness to meet security requirements.
- Identify what is the “minimal necessary” in this relationship to control the vendor’s access to sensitive information. OCR will provide more guidance on “minimal necessary” soon.
- Only let the vendors that meet these requirements move forward in the vendor selection process.
- Identify and document all of the privacy and security requirements.
- Consider further evaluation including interviews with the vendor’s key-players, review of relevant documentation, possibly visit on-site.
- The Omnibus Rule changes must be included in the Business Associate Agreement (BAA) for any contract signed after January 25th, 2013, if contract was prior to then are grandfathered until September 23rd, 2014.
- Include custom security requirements in the contract.
Maintenance and Monitoring
- There is no regulation that requires providers to monitor BAs, however, be aware of the risks involved and monitor them as appropriate, based on their risk factor. E.g. how much information do they have access to? The more information, the higher the risk and the increased need to monitor.
- Consider requesting written security policies, proof of background checks, proof of terminations, documentation of third party security assessments.
- There are many tools available to provide guidance on requirement and assist with monitoring.
When Incidents Happen
- Be prepared, planning in advance is key for the new breach notification requirements.
- BAs are now also held accountable should an incident occur.
- CEs should be aware of their vendors readiness in regard to a potential breech.
- BAs must notify CEs, media, OCR and victims of any breach.
- The business associate agreement should be well defined and include all of the CEs expectations of how the BA should react to an incident.
- The Omnibus Rule makes it much easier for OCR to enforce and seek a final outcome.
- Clearly define what a vendor is responsible for when a contact ends/terminates.
- Contracts should include what steps a vendor must take in returning or destroying the PHI that they have in their possession. It should include the appropriate destruction certificates.
- Make sure any subcontractors are included in the agreement.
- Monitor and audit vendors throughout the agreement.
Covered entities have to take an active role in managing their business associates and their processes. Business associate agreements need to be clearly defined and vendor specific, no more “blanket BAAs”. Additional guidance is expected in the coming months regarding how to apply minimal necessary and the accounting for disclosure rule. This information will need to be included in BAAs and the vendor management process. McMillan concludes with, “No matter how you slice it, vendors are both integral to the industry’s success and critical to achieving compliance.”
Click here to read the full article in Becker’s Hospital Review