How important is protecting the patient health information (PHI) to your vendors?

The steps below should be performed at least annually so that an organization can confirm its vendors are actually securing the PHI entrusted to them. Covered entities may perform the review internally or engage an independent firm to do it.

Verify the organization has the required BAAs: Compare the vendor master file against the BAA file. Many organizations set up a process for obtaining BAAs when the HIPAA Omnibus Rule implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions on business associates took effect in 2013, and Accounts Payable (AP) was trained not to release a check without a BAA on file. Experience shows, however, that if there is a way around those controls, someone will have found it. Vendors can be established without a BAA when you merge with or acquire another provider, because the acquired entity's vendors arrive with its paperwork, not yours. Vendors can be established without a BAA when an emergency purchase is made. Vendors can also change ownership without notifying you that an updated BAA is needed, leaving an agreement on file that no longer binds the entity now holding your data.

Reviewing the vendor master file should begin by eliminating vendors the organization knows are not business associates, such as utilities, employee expense reimbursements, contracted physicians, and the like. The organization should then examine each remaining vendor and determine whether, and how, it uses or has access to PHI. The process can be time-consuming and painful, but if this basic first step is never done, the organization will never know whether it has identified the vendors that put it at risk. At the end of the process the organization will have two lists: vendors with BAAs and vendors without BAAs.

Evaluation of vendors: Once the organization has a list of the vendors that access its PHI, it needs to determine what those vendors are actually doing to protect it. Some questions organizations should ask themselves:

• Do we do any periodic reviews of vendor security?
• Did we evaluate security before we started working with the vendor?
• Do our vendors have certifications they can provide to us?
• If they advertise HITRUST certification, have they sent us a current report?
• What do we know about what they are doing with our data?
• Are they sending our data offshore?
• Do they have security controls that at least meet the requirements of the HIPAA Security Rule?

Evaluation can be done in a number of ways. If a vendor is assessed annually to maintain its HITRUST certification, or has a SOC 2 or other independent audit performed to validate its security controls, ask for the reports. Do not simply file them: read them to confirm that the controls the organization is relying on to protect ePHI are in scope, were tested, and were found to be operating. Check that the report period is current, that the systems and locations described are the ones that actually process your data, and that any exceptions or complementary user-entity controls (obligations the report places on you as the customer) have been addressed on your side. If the vendor has no independent review, the organization may need to conduct its own. Reach out to the vendor and discuss its security program directly. Covered entities may also find it helpful to survey their vendors on security.