The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.
Verify the organization has required BAAs: Organizations must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the HIPAA Health Information Technology for Economic and Clinical Health (HITECH) Act regulations related to Business Associates were released in 2013, and Accounts Payable (AP) has been trained not to process a check without a BAA. However, experience shows that if there is a way around those controls someone will have figured it out! Vendors can get established without a BAA when you merge or acquire another provider. Vendors can get established without a BAA when an emergency purchase is made from a vendor. Vendors can change ownership without providing you with notice that you need an updated BAA.
Reviewing the vendor master file should begin with elimination of vendors that the organization knows are not BAAs, such as utilities, employee expense reimbursement, contracted physicians, etc. The organization should then look at all remaining vendors and determine their use and access to PHI. The process can be time-consuming and painful, but if this basic first step is never done, an organization will never know if they have identified the vendors that are putting the organization at risk. At the end of this process, the organization will have two lists; vendors with BAAs and vendors without BAAs.
Evaluation of vendors: Once the organization has a list of vendors that access their PHI, they need to determine “what these vendors are doing to protect patient PHI.” Some questions organizations should ask themselves:
• Do we do any periodic reviews of vendor security?
• Did we evaluate security before we started working with the vendor?
• Do our vendors have certifications they can provide to us?
• If they advertise HITRUST certification, have they sent us a current report?
• What do we know about what they are doing with our data?
• Are they sending our data offshore?
• Do they have security standards that at least meet HIPAA standards?
Evaluation can be done in a number of ways. If a vendor is audited annually to maintain their HITRUST certification, or they have a SOC II or other audit done to validate their security controls, ask for the reports. Furthermore, they should be reviewed to make sure that the controls the organization is relying upon to protect ePHI are functioning. If the vendor doesn’t have an independent review, the organization may need to do their own review. Reach out to the vendor and talk to them about their security. Covered entities may find it helpful to survey their vendors on security.
