How to Comply with Third-Party Risk Management Requirements in HIPAA
Description
The US Health Insurance Portability and Accountability Act (HIPAA) was established to ensure that sensitive protected health information (PHI) is not disclosed without a patient’s consent. Although HIPAA regulations are most closely associated with “covered entities” such as health plans, healthcare clearinghouses, and some healthcare providers, they also apply to “business associates”: third-party vendors with access to PHI.
Join compliance experts Sophie Pothecary and Thomas Humphreys as they explore how HIPAA impacts your third-party risk management (TPRM) program.
In this session, Sophie and Thomas discuss:
- How HIPAA defines protected information in the HIPAA Security Rule
- Who qualifies as a “business associate”
- The risks your organization faces when a vendor violates HIPAA
- What third-party risk management capabilities address PHI risks
If your organization is in the healthcare industry, you know how crucial HIPAA compliance is. Watch this on-demand webinar now!
Speakers

Thomas Humphreys
Compliance Expert

Sophie Pothecary
Compliance Expert
Transcript
Melissa: My name is Melissa and I work here at Prevalent in business development. And today we are joined by our very own compliance experts, Sophie Pothecary, who’s one of our solutions engineers, and Thomas Humphreys, who is our content manager. They will explore how HIPAA impacts your third-party risk management program. So, welcome to both of you.

Sophie: Thank you. Hello everyone.

Thomas: Hello.

Melissa: And we do have Scott, I’m not sure if he’s on yet, but Scott Lang will also be with us. Scott’s our VP of product marketing, and he will dive into how we may be able to mature your TPRM program at the end of this session. So stay tuned for that 3 or 4 minute spiel. As a little bit of housekeeping, this webinar is being recorded, so you will get this along with the slideshow shortly after the webinar. You’re all muted, as you can see, so just use that Q&A box for those burning questions. Without further ado, I will let Sophie and Thomas get started. Go ahead, guys.

Thomas: Thank you, Melissa, and yes, good morning, good afternoon, good evening everyone. Welcome to this webinar, where we’ll be talking through the HIPAA regulation and how it impacts your TPRM program. I’m joined by Sophie. Sophie, would you like to give just a very short introduction to yourself?

Sophie: Yes, thank you very much, and thanks for having me today. As has been alluded to, my name is Sophie Pothecary. I’m one of the solutions engineers here, and my focus today is really to learn a lot from Thomas in terms of the HIPAA regulations, ask some of my own burning questions, and also provide some support.

Thomas: Fantastic, thank you. And for those of you who are perhaps joining a webinar for the first time with us, my name is Thomas Humphreys. I’m the content manager.
Thomas: I’m responsible for developing assessments based on various regulations, standards, and best practice frameworks. I used to be an auditor for the best part of 10 years before joining Prevalent and moving into the third-party risk space. As Melissa stated at the start, we always leave time for Q&A, and there should be a Q&A tab that you should see on the screen. So as we go through the presentation, just keep the questions flowing, and then we should have time at the end to answer as many as we can.

So, what are we doing today? We’re looking at HIPAA and TPRM. I’ll give a brief overview of the healthcare sector before looking at some of the key definitions and key requirements that HIPAA calls out, most notably around protected information and business associates. I’ll be taking a look at both the security and the privacy rules or requirements before doing a deeper dive into some of the aspects that could lead to a third-party HIPAA violation, and then, broadly speaking, some of the TPRM capabilities that can address not only PHI risk, healthcare information risk, but also how you could use HIPAA across your TPRM program and journey, particularly if this is the first time you’re looking at this framework as well.

So let’s start by taking a broader look at what we’re generally seeing around the sector and the industry as a whole. I guess one of the obvious areas to note, similar to other industries, is that if you look across the whole between 2022 and 2023 there has been an increase in many cyber attacks. More often than not, privacy and confidentiality are still listed as top risks and top risk areas, both within top management, within law enforcement, regulatory bodies, and general standards bodies as well.
Thomas: And healthcare is no exception. We’ve seen that there has been a rise in healthcare sector risks specifically. This is more at a global level. Compared to 2022, on average about $9 million is the cost of some of the larger data breaches, and breaches against regulation or as a result of the loss of information as a result of some of these threats. The WEF, the World Economic Forum, has publicly said these types of cyber attacks are on the rise. If you look at some of the more notable ransomware-based threats, certainly MOVEit, that came across in May and June and is still having an impact. We’re still finding more and more companies publicly stating they’ve been impacted.

Well, there are key areas that are perhaps driving this. One of them is of course we’re seeing more and more of a push towards digitization, digital transformation, use of more and more intelligent systems, applications and solutions, which more often than not also means a greater and more in-depth supply chain. But on the same side of that, we’re also seeing a lot of companies faced with legacy systems. Systems that are not only still used across many organizations, but legacy systems that are still housing, holding or using sensitive data such as healthcare information, healthcare data and individuals’ healthcare records. And of course with the more legacy systems that still remain, one of the greatest risks being that these systems are no longer being patched or serviced by the manufacturers and by the operating organizations, leading to an increased level of impact should threats target such systems. And of course the large volumes of sensitive data.
Thomas: Certainly healthcare information is up there in terms of the level of sensitivity. And obviously we’re not just talking about tens of individuals or thousands, but more often than not tens if not hundreds of thousands of patients, of people involved in the healthcare system. And so we’re looking at very, very large volumes of data, which of course is or can be very ripe for the likes of targeted ransomware threats and attacks, and similar attacks caused by hacking bodies and hacking groups, among other things. So there’s a continued growth. We’re seeing continued growth in the types of sophisticated attacks, types of cyber attacks, and it’s clear that this is something that’s not going away, certainly in the short term.

I mentioned, obviously, with the advent of more technology and using more and more applications and systems, that the supply chain network naturally will grow as well. If we look generally across healthcare providers, there are a lot of different third parties we may be dealing with: support services from the likes of IT support, help desks, call centers, account centers, to consultancies and contractors working on site and remote, to those dealing with actual medical systems and devices and applications. So from pharma to contract manufacturers and maybe distribution vendors as well. And obviously what this does is it creates a large or an increased attack surface area for some of those attacks that I was just highlighting. So the likes of those ransomware attacks, and we’ve seen this in so many cases, not just in healthcare but across many industries, where an attack or a targeted attack on a particular application has then had a ripple or a rippling effect across an organization’s wide supply chain.
Thomas: So the likes of the Kaseya VSA and SolarWinds or the recent MOVEit vulnerabilities are good examples where it’s then had a wider issue and spread out across an organization’s supply base. This is where the likes of HIPAA can then come in to help tighten this and help to make sure that organizations are conducting and operating under a level of due diligence. And HIPAA, which is the Health Insurance Portability and Accountability Act, a US-focused act, really focuses on the lawful use and disclosure of health information, or protected health information, PHI. And we’ll see throughout today how HIPAA can be used from both a security and a privacy front to really target and identify those risk areas and hopefully start to put in clear mitigation plans to minimize the chance of those threats, or at least the impact that those threats will have on the wider organization.

So let’s start to look at what HIPAA actually means and what it actually does. I’ve mentioned security and privacy, and these are two separate rules. They call them the security rule and the privacy rule, and there certainly are clear objectives for how you establish and implement best practice controls, ultimately to secure health information or protected health information, PHI. As you can see on the right, I’ve put the trusted CIA. Anyone familiar with ISO standards and 27000 will be very familiar with this concept around protecting confidentiality, integrity and availability of data. And this is an area that HIPAA carries through within its security rule. So, requiring organizations to ensure the confidentiality, integrity and availability of healthcare information they’re holding. Making sure you’re then protecting against reasonably anticipated threats and hazards.
Thomas: So we can think of the first part from a risk perspective. So developing a risk program to understand where the risks are based on what type, what volume, what complexity of healthcare information we’re using, where the healthcare information is being stored, and then starting to think about how we can protect against those threats and the hazards that we’ve identified. So security controls and privacy controls that can help limit the visibility or the access and tighten data security standards, protecting against anticipated use and disclosure of PHI that’s not permitted by the HIPAA privacy rule. And as we’ll see throughout today, it is this use and disclosure of PHI which is so strong and repeats itself so many times within the privacy rule requirements. The purpose here is making sure that we’re putting the right controls in place to protect that data, but also, where we can, limiting any accidental or malicious wrongful disclosure of healthcare information, particularly that which directly goes against the expectations of HIPAA. And then ensuring compliance with the HIPAA security rule, or HSR, by the wider workforce.

So, setting four key objectives or general requirements at the top of the security rule that set the scene for how companies should address and approach HIPAA. So from that risk management and risk identification approach through to the concept of identifying appropriate controls, practices, policies and processes, to start to draw on what we need to put in place at the right time. And what we’ll do later on today is see how that works and impacts from a third-party perspective.

Sophie: Thomas, just a couple of questions from myself.
Sophie: You touched there on some of the similarities, or some of the terminology you’ve called out, with the likes of an ISO, for example. But what are the differences that you see between HIPAA or healthcare industry frameworks versus the likes of a NIST or an ISO, for example?

Thomas: It’s interesting; it’s a great question. So yes, I did mention ISO because CIA is a core fundamental part of the 27000 standard. We need to remember, obviously, that HIPAA is regulation. It sets regulation and requirements from an enforcement perspective. The likes of ISO and NIST are more standards, either national or international standards, but there is a lot of commonality between all three. So when we go through and take a look at some of the security rules of HIPAA, for example, they’re covering very similar areas to ISO, for example around technological controls, organizational controls such as how you manage access to information and access to systems, security awareness and training of staff, for example, business continuity, contingency, and a lot of other key topics. So there is a lot of similarity between HIPAA and the likes of NIST and ISO. Obviously each standard has its own unique points, and where ISO very much focuses on a wider governance context,
Thomas: NIST focuses on a very technical capability and actually goes to another level that the likes of HIPAA, and to some degree ISO, don’t. And so there are some subtle differences, but at the same time what this does mean is that organizations that are, say, already ISO certified, or have gone through attestations and compliance against NIST 800-53 for cyber security, if they’re approaching HIPAA for the first time or they need to demonstrate or start to demonstrate how they comply, it will make it a lot easier, because some of the practices identified through the likes of ISO and NIST, as I say, sort of mirror and in some ways go above what HIPAA expects as well.

Sophie: That’s really interesting. I think you mentioned there as well, obviously, the similarities but also the difference between the regulations and the standards, etc. You’ve touched on there already as well some of the other domains or risk domains that people typically are covering when they’re potentially approaching HIPAA. Do you see any benefit of embedding HIPAA alongside other tracking or TPRM programs that are looking at other risk domains, such as ESG, for example?

Thomas: Yes. Potentially, yes. The key thing I think to always remember with HIPAA, and like many of these regulations, is they do obviously have a clear focus point. The key part here is looking at how organizations protect their health information, and as we’ll see, how that translates to the wider third-party base. It’s important to note that the third-party base is quite evident and clear within this framework as well. It’s not just looking at, say, a healthcare center or hospital or other medical centers or medical providers, but it’s looking at that wider group of businesses, or business associates, of course.
Thomas: So certainly if you have other frameworks already established, being able to map the requirements of, say, what HIPAA expects from a security and privacy perspective can make a lot of sense, and can be used to demonstrate, not compliance actually, but going beyond the expectation of HIPAA, which can always be a good thing, or I guess can only be a good thing. Because of course you can always focus just on specifically what HIPAA is after, but if you can say, well actually, we’ve gone beyond that, and it’s a way of maturing how we handle our third parties or the requirements and controls that we’re using with our third parties, then of course that’s only a good thing.

Sophie: Yeah. Great. Well, thank you very much.

Thomas: So I keep mentioning this term protected health information, PHI. Like many regulations, HIPAA does set out a series of terms, of terminologies, and the one that does repeat itself quite frequently is this concept of health information. So what is it as defined by HIPAA? They say individually identifiable health information that’s held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper or oral. Let’s dig into a few more details around what this means. So firstly, individually identifiable. As you can see on the left-hand side, there are a few key bullets here that talk about what individually identifiable information relates to. So any past, present or future physical or mental health information of an individual, any provision of healthcare to that individual, and from a payments perspective as well, past, present or future payments for the provision of that healthcare to an individual.
Thomas: So what this means in practice is, when HIPAA says we need you to abide by these security and privacy practices, implement this set of controls or consider these controls in contracts, agreements and risk assessments, the focus is very much on all those organizations, including third parties, that hold or transmit any such information. And as you can see, in any form. So it doesn’t have to be traditional paper copies. It could be in any form of media: electronic, paper and oral, as we can see.

And one area that comes up quite consistently, particularly with regards to the privacy element of HIPAA, is disclosure, or what it calls use and disclosure of protected health information, and we can break this down into a few areas. So whether it’s actual disclosure of information to the individual, so to the person whose information that data belongs to; to the HHS, Health and Human Services, who are the creators of the HIPAA framework and who set about enforcement actions and, as we’ll see later on, violations; or in terms of how information can be disclosed, whether it’s for ongoing or future treatments, for payments of completed treatments, and for future and current operations and medical procedures as well. Notification and public interest is quite interesting. We can sort of see this also from a privacy aspect across other areas such as GDPR and other privacy regulations that are not industry or sector specific. But public interest refers to the likes of law enforcement, for example, where there are cases perhaps involving highly sensitive individuals such as children, and if there needs to be, from a law enforcement, from a policing presence, visibility of that information, there are certain conditions where disclosure of such information is appropriate or allowed by an institution.
Thomas: But nevertheless, as we’ll see, there are also very strict requirements as to when disclosure cannot be deemed appropriate and when violations, issues, penalties can occur and can be enforced by HHS and the wider Office for Civil Rights as well. So, HIPAA makes it quite clear in terms of what they deem individually identifiable health information. And this is actually a key thing to point out, particularly when we’re looking at which third parties we should consider that would fall under HIPAA and that we should impress upon them HIPAA requirements or expectations.

So, before I go into some of these key terminologies such as business associate, let’s take a wider look at both the security and privacy rules. As I mentioned, there’s a lot of close linkage between the likes of HIPAA security requirements and other national and international standards such as ISO and NIST. And in fact NIST have created standards specifically around how to deal with or how to implement HIPAA. I believe it’s 800-66, that really focuses on the NIST viewpoint around HIPAA and HIPAA best practices. So as you can see here, there are three key safeguards that HIPAA calls out: administrative, physical and technical. And as we can see, there’s a series of key security functions, sort of sub-areas, that touch on governance aspects, so managing of security roles and responsibilities, training of staff, and more operational procedures. So the likes of incident and contingency, business continuity and disaster recovery, and business associate contracts, which is a key area we’ll be coming on to shortly. And then physical and technical safeguards. So again, thinking from ISO and other notable frameworks.
Thomas: So physical security controls, facility access controls, thinking about the workstations, the desktop computers and other equipment that may be housing health information, and controls that need to be considered to secure them. And then technical controls around data security, data access, data encryption, authentication of individuals, and auditing, logging and monitoring based controls as well. So again, following very similar processes to those of other notable security standards.

From a privacy rule perspective, the privacy measures set out how PHI data is and can be used, including governance, organizational requirements and addressing change through transition. So in a similar vein, they’ve got three key subject areas, what they call use and disclosure, organizational and transitional elements. All key areas for an organization to consider. So use and disclosure, which I partially covered, includes permitted use: what’s allowed, what’s required, what’s prohibited, for example the sale of health information; any minimum standards that are necessary when accessing and using health information; to some specific areas, for example dealing with the health information of a deceased individual, children as well, the use of confidential communications, and even down to the level of protecting disclosure by whistleblowers of an organization if they’ve spotted a potential or a serious violation. From an organizational aspect, this is where we come into a lot of core areas from a third-party perspective. So business associate contracts, which I’ll touch on shortly, requirements for specific health plans and for covered entities. Covered entities being the healthcare organizations, the hospitals, the medical care centers and so forth. And then transitional elements.
Thomas: So where organizations, for example, already have an authorization with a third party or business associate and they’re looking to move to a different associate, and the effect that has on the handling of PHI data in between contracts or in between authorizations, or transition between multiple authorizations. So in a similar way to security, it sets three key subject areas with multiple sub-clauses, sub-requirements, for an organization. And I guess the first... sorry, go ahead, you carry on, because you might already have a question. All I was going to say is, why is this important from a third-party perspective? So both the security rule and the privacy rule, all of those areas, are required of a third-party organization, where appropriate. So this is not just information security rules, controls, policies and processes that, say, a healthcare organization needs to implement themselves, but where they’re using third parties and those third parties have access to the same type of data, the same security and privacy rules apply. And what we’ll see in a short moment is how we can use this, and use the concept of the business associate agreements and contracts, to identify that and to incorporate them across formal agreements and terms of service. Sophie?

Sophie: Yeah, great. Thank you. And you’ve slightly touched on this before, so you’ve gone through the security and privacy rules in terms of those areas and what HIPAA stipulates in terms of these are the things that we need to measure and be aware of. Are there any stipulations, and we see this in TPRM in general, right?
Sophie: We have different criticalities of vendors that could be measured in different ways depending on the standards and frameworks and regulations you’re adhering to. Similar in that way, in the sense that we’ve got these rules for security and privacy, do they then waver based on the criticality, or what type of data, or the extent of the data that they have access to?

Thomas: Yes. I’m going to say yes and no. I know that’s being difficult, but this is actually something that’s typical; we find it in a lot of regulations now, where they’re setting clear enforcement. So you need to drive privacy and security controls. If you’ve got a third party who’s handling this type of data, you need to enforce those controls as well. But where I say it depends is also because, in many ways, it’s up to the organization, and there’s an expectation that obviously we need to demonstrate we apply the security and the privacy rules and expectations, and we’re doing the same to the third party. But we need to have awareness of that third party, and depending on what they do, they may need every control, every requirement, or a subset or a smaller volume of requirements. And so although it doesn’t specifically state, say from a tiering perspective, tier one, tier two, tier three, or critical, medium, low types of organizations, it’s very much up to that business to determine, and ultimately demonstrate, of course, to the regulator: these are the controls that we’re enforcing through our third party, and maybe subsequent fourth parties, and these are the business justifications why. I guess ultimately it’ll then come to a discussion between your regulator and the organization if HIPAA feel that actually there are other controls that should be in place, and say a data breach is a result of not having those controls in place.
Thomas: And that’s the sort of discussion that may warrant the decision point around, do we need to issue a violation order or penalty? But ultimately, yes, HIPAA makes it clear when a business associate needs to be involved or a type of control, but it’s then up to the organization to determine, based on their process and their methodology.

Sophie: To the auditor.

Thomas: To the auditor, to the regulator. Yes.

Sophie: Having all of that information collated, centralized, and all of those attributes that are relevant to making those decisions, needs to be recorded to enable an organization to effectively deliver back to an auditor.

Thomas: Absolutely. Yeah. And that’s the best way to look at it as well. If an auditor came by tomorrow or next week and said, I want you to show me how you comply with these regulations or how your third parties comply, how will you demonstrate that? Is it through forms and reports and documentation? Is it through systems to track and manage third parties? Is it a combination of both to say we’ve done our due diligence, here are the risks based on third parties, and here’s how we’re managing those risks? So yes, it’s always worth thinking about what method or series of methods you want to use and apply.

Sophie: Brilliant. Thank you.

Thomas: So let’s move on to again another key term. You touched on PHI. Another one that keeps cropping up is business associate, and as I mentioned, particularly around the security rule, but both security and privacy rules, this term keeps on repeating itself. So covered entities and business associates should do X, should do Y, should do Z. So what does a business associate mean?
Thomas: A person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. I’m giving a lot of tongue twisters today in this webinar, I’ve noticed; a bit of a mouthful. Let’s again try and break that down. Essentially what it’s saying is business associates can include any third-party organization who accesses or manages PHI, based on the way HIPAA has identified individually identifiable information, as you’ve seen earlier. And it then also gives a breakdown of a range of different businesses. I’ve got three up on the screen now. So third-party administrators, for example, administrators who maybe help with claims processing for a health plan; consultants and consultancy firms that perform utilization reviews for a hospital and carry out formal reviews; legal organizations, attorneys who provide a legal service which may mean accessing a health plan and accessing protected health information. And this is an example of three different types of organization that could all fall under the banner of a business associate. And one of the key areas to highlight here is the HIPAA security rule requires organizations or business associates to develop frameworks for risk assessments and to implement controls that address the results of those risk assessments. So again, thinking back to that top level of, have you identified the risks associated with how you’re handling PHI and health information and health data, and have you set a series of controls to manage, to mitigate, to treat those risks and to address those risks and those concerns?
Thomas: So generally we could say it’s any business association that’s involved in claims processing, data analysis, quality assurance, billing, practice management, anything that involves that PHI or that identifiable health information. So quite a few different types of organizations, and the HIPAA website goes through a much more extensive list of all the types of businesses that do apply. Sorry, go ahead.

Sophie: I was going to say, we’re talking through business associates, PHI. We have a question in the Q&A which I think could be quite relevant to the conversation now, so I just wanted to call it out. The question is: do you believe a privacy officer’s only concern is PHI protection, or should they be responsible for reviewing and risk rating all offshore data due diligence as well? If not, which department, according to industry standards, does this responsibility fall under? I can break that down too as well if that’s needed.

Thomas: So, when it comes to privacy and the privacy office, obviously yes, the focus should be on how PHI data is being used, certainly from an offshore perspective, and where that data is being handled, dealt with, manipulated, used, stored in whatever capacity. I would say yes, a privacy office should have oversight of that. They should have a level of review of that data, because ultimately, obviously, what we need to think about is the data and who’s responsible for that data and managing that data. I think in GDPR talk they call it data owners and data processors.
Thomas: In terms of who has responsibility and accountability for that. But at the same time, I guess this is a good example of where, if you have data that is split across multiple countries or is going across multiple geographies based on the type of supplier and third-party organization that is using it or handling it, there could be a need to involve other functions and departments. So from a legal perspective: if there’s a governance, risk and compliance function, if there’s obviously a legal office or legal side of the business, which more often than not there is, I think it’s very important to get them involved as well. But yes, ultimate oversight on whether that data is being handled in a secure and appropriate manner is definitely one for the privacy officer or privacy office area.
Sophie: Perfect.
Thomas: I hope that’s good. Okay. I mentioned throughout, and certainly earlier today, this is obviously about the business associate which you’ve identified, but also business associate contracts as well, business associate agreements. So HIPAA also requires that a covered entity includes certain protections for the information in a business associate agreement. If you think about ISO 27001 and NIST, this would be around the supply chain risk management control areas, where we’re saying you’re engaging with a third party, they hold sensitive information; have you done your due diligence around what controls they should be implementing and should be enforcing? So number one is obviously the agreement to comply with those HIPAA rules. And we’ve just seen through today that there’s a lot of, as I say, repetition in saying those words: a business associate shall do x, y or z based on the control.
Thomas: And so first off, if we know that they fit under the banner of individually identifiable health information, then yes, they do need to comply with the HIPAA rules as dictated by the Security and Privacy Rules. Implementation of security standards for safeguarding PHI: so thinking back to the Security Rule, we have those three areas, technical controls, physical controls and governance-based controls. So everything from risk management to security awareness and training to business continuity, the data security and encryption controls, backup and so on and so forth. And so this is where organizations should then think about what are the most appropriate controls that we need to enforce and capture within that agreement, and that we need that third party to sign up to. And this is where it becomes quite interesting in terms of: should we capture everything that’s identified within the Security Rule? No, it actually is dependent on the type of service. There may be conditions, for example, where the physical security controls are not as critical. More often than not, the governance and technical controls will be critical, because we’re still talking about personal PII. But if, for example, this third party is coming onto your site rather than storing data in their premises, in their operations, then maybe some of the physical security controls are less of a concern, because they’re managed by yourselves. But certainly thinking about what controls should best fit this third party is a key area to consider. Notification of breaches is very important. We’ll be coming on to this as part of the violation piece shortly.
Thomas: But setting a clear, agreed form or type of communication, such that if a breach does occur from a third party’s premises or operations, how are they going to inform you, so you can then inform the appropriate authorities as well. So think about how that communication is going to be built should a data breach or an incident occur within that third party. And then extendable clauses to subcontractors, what we might call fourth parties. It’s important to highlight this as well. In many cases we may be dealing with one third party and information doesn’t go beyond them, which makes it a lot easier in terms of the management and communication and obviously oversight of security and privacy controls. But as we know, in some cases, and thinking back to the map we saw earlier on of the ever-expanding supply chain, particularly as new applications and systems come in, think about how you extend those same clauses that you’re asking a third party to adopt to their third parties, your fourth parties, as well. And so it may be appropriate to say, where you are using a third party and there is obvious knowledge that their third party has access to the same health information, that we also require you to have certain due diligence processes in place, for example around access to that data, the training of staff, background security checks, whatever is appropriate based on the product and service. And of course this brings us on to the importance of knowing, profiling and tiering your third parties and, if appropriate, your fourth parties as well. Obviously the more we know, the easier it will be to identify and determine what type of controls are being used or should be asked to be enforced as well.
Thomas: So, we have our controls, we have our business associate contracts. We’ve established contracts with a third party, we’ve signed the contract, they’re delivering a product and service to us, they’re handling health information. We’ve set a series of controls that they should be following, from managing access and privileged access to those systems, for example, to managing a business continuity program so they can recover from disasters in a timely fashion. However, HIPAA also sets out quite clearly rules on what’s considered a violation, and failure to enforce or abide by the security and privacy requirements can result in minor to severe penalties, particularly where the impact from a loss or lack of protection of PHI, a loss of confidentiality, integrity or availability, is significant. And so on the left-hand side we can see what HIPAA determines as a violation: where a HIPAA covered entity or business associate fails to comply with one or more provisions of the HIPAA Privacy, Security or Breach Notification Rules; or an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. What does this mean in practice? So we could be looking at, as I mentioned use and disclosure previously, unauthorized use and disclosure, unauthorized access of PHI. So, before, in the privacy section, we mentioned what is deemed permitted use and disclosure, and one of the areas that’s not permitted is the sale of health information. So certainly if an organization, if a third party, then proceeds to sell health information, unwittingly or deliberately, to advertising and marketing agencies or other types of organizations, that could be considered a breach and a violation. Failure to provide patients access to their own PHI.
Thomas: What’s interesting about that particular one, where that sits under the list of violations, is that it’s found to be one of the most common violations so far. It’s where patients have, for one reason or another, requested or tried to gain access and they have not been provided access to their own health information. Failure to conduct regular risk assessments to make sure that you are meeting the privacy and security rules and requirements. Even improper disposal of health information. So there are quite a few different areas that could be classified as a violation. Usually these can be found or picked up through audits, external audits, internal audits, maybe internal supervisors if they spot an individual who’s violating a particular rule, or if you have a privacy office whose responsibility is to make sure that compliance is in place. And what can this lead to? There are a few different penalties, actions, nonconformities if you will. As you can see, monetary penalties, that’s a particularly common one, ranging from a hundred US dollars to 50,000, depending on the type and the severity of the penalty, whether it was a deliberate breach, whether it was an accidental breach, and what level of PHI was, say, disclosed, disposed of, or what level of confidentiality or integrity of that information was breached. So there are obviously various means and processes that HIPAA goes through, and the OCR, the Office for Civil Rights, is responsible for issuing those fines, those violation reports, and enforcing the action. In some cases it could be criminal penalties if there’s a deliberate breach of privacy and security provisions, and in some cases corrective action plans, what we sometimes call CAPAs, corrective action, preventive action.
Thomas: So clear processes and plans to correct and prevent any further violation or breach of compliance. So for example, where it’s found that a particular control has not been implemented, has not been enforced, and through that there’s maybe negligence or poor security controls in place, there may be a need for the OCR to issue a clear proactive action plan and expect an organization to implement and develop that plan so that those gaps can be filled. So the penalty very much depends on the nature of the violation, the severity, how much harm is caused, and the level of effort made to mitigate the breach. And this obviously brings us on to some of the level of communication that organizations and business associates need to provide to the regulatory bodies as well. And it may be, through that communication, that if a violation has been committed but an organization has already taken proactive steps to correct the issue, correct the gap, implement formal processes from an incident management perspective to recover data, whatever the process is, again, all these actions will help determine what type of penalty the OCR issues. And as you can see, lastly, at the bottom there, the OCR, so again the Office for Civil Rights, is expected to continue to aggressively enforce HIPAA compliance in ’23 after a record-breaking year of HIPAA fines and settlements. As I say, many of them, from what we’ve seen, involve failure to provide patients access to their own PHI rather than some of the more severe cases, as I said, so deliberate selling of health information, for example.
Sophie: Thomas, just on that, it’s interesting to see some of the impacts of a violation there.
Thomas: Yes.
Sophie: From an organization standpoint, are there any recommendations on the frequency of reviews of some of these rules that they have in place? So in terms of re-reviewing, just to ensure that you can have as many of those actions in place or prepared in case of a violation, that would support an organization.
Thomas: Yes. So in multiple security and privacy controls, HIPAA does make it clear that there needs to be a level of review, whether it’s, for example, reviewing business continuity and disaster recovery plans and testing those plans and capabilities, or, for example, the way they conduct audits, the way they review their risks and the risk cycle. What they don’t do at that stage is dictate in terms of: it must be reviewed every month, every six weeks, every year. Again, I would say they leave it to the organizations, but then again, it’s also about being reasonable as well. What you’ll often find with these types of areas, such as, take the continuity aspect for example, around can we recover from an environmental threat, best practice says you should audit, you should conduct tests at least ... if you can afford to do more throughout the year, then even better. In some cases you may have to do more if you’re dealing with highly sensitive systems or you’re in a geographic area that’s deemed highly sensitive, whether geopolitically or environmentally, for example. And so there are multiple instances where organizations should have a formal review, which again translates to third parties. So we’ve asked third parties, through the agreement, are they implementing these controls? Let’s think about that due diligence: performance reviews, on-site or remote audits of our third parties, and other areas as appropriate.
Thomas: So yes, there are multiple occasions where organizations should, if they’re doing it properly, have a chance to review these practices. But then again, obviously we can never predict what’s happening and there will always be threats and vulnerabilities that come in. But yes, certainly those should go towards the wider mitigation and awareness piece.
Sophie: Yeah.
Thomas: ...that we should focus on.
Sophie: That’s great. Thank you. And I think, on this topic as well, we’ve actually had a question in the Q&A around fines. So one of the questions is: are OCR fines able to be fought as being perceived as excessive?
Thomas: Yes. So OCR, as I say, are responsible for saying this is worth $50,000, or let’s take the two extremes: we can issue a $100 fine, we can issue a $50,000 fine. Obviously they do their own due diligence first, but there’s always going to be the capability to appeal. I guess generally that’s going to come down to whether an organization feels that, yes, we may have breached a security or privacy area, but based on what we’ve done, based on how we’ve handled it, based on the fact that, let’s say for example, PHI has not been leaked out or has not been removed and so the impact is low, we believe we’ve done enough to actually warrant a lesser penalty, if you will. But obviously the OCR are responsible for looking at the wider picture as well. And that’s where things like these corrective action plans can come into place, to say actually you’ve got good practice in place, but you need to look at implementing these areas to prevent further breaches.
Sophie: Brilliant.
Sophie: Thank you.
Thomas: So I mentioned notifications of violations. Where issues do occur, organizations should have a clear plan to report violations, and HIPAA highlights the timeliness of a notification. What should be notified? The details: descriptions of the breach, when it was discovered, the type of PHI that was involved in the breach, and who to, whether it’s notifying the individual whose data it belongs to, the media if there’s a notable case, the Secretary of the OCR and HHS, so the Office for Civil Rights. So there are various processes to notify different individuals. What’s interesting about this one, if you look at the top, is the timeline: without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. That’s really interesting, particularly when you compare it to other privacy regulations and requirements. GDPR, for example, I believe requires no more than 48 hours, if I’m not mistaken, 48 or 72 hours, to the relevant data privacy regulator; CPRA in California and CCPA have something similar. 60 days personally seems quite a long time. I guess in many ways that gives an organization sufficient time to not only identify what the root cause is but put in place actions and plans of attack in terms of how we will or how we have addressed it as well. But as you can see, it’s quite a large time frame, and that extends to third parties as well, or business associates. So business associates, as we’ve mentioned as part of the agreement, must provide notice to an organization upon the discovery of a breach. But that also means they can provide that notification of a breach up to and no later than 60 calendar days from the discovery.
Thomas: Now, if you want to reduce that, particularly within the terms of agreement with a third-party business associate, because 60 days, two months, seems quite a long timeline: without knowing that 60 days ago a breach happened, we’re only being told now. Formally, from a HIPAA requirement, that’s the expectation. However, if there’s an agreement between yourself and the third party for a more reasonable timeline, that’s something that would be captured within the business associate agreement. But for me, from a HIPAA perspective, no later than 60 calendar days after discovery of a breach. And you’d hope also within that time frame, depending on the type of breach, there’s been enough thought and process to work out an action plan, as I say, or plan of attack as well. So, thinking about the wider TPRM capabilities and how this can be addressed from a PHI risk perspective: establishing a structured TPRM program or risk management framework certainly can help ensure not only that PHI risks are being identified, but that we have that process to review, monitor and address those risks as well. So from preparing and developing a risk plan and understanding where our health information is created, where it is being received and maintained, what data processing we do, what data transmission we have, data flow processes and data flow diagrams that can demonstrate and give us visibility of where this data is being held and managed. Obviously the greater visibility we have of what we’re doing with that data, the better we can work out what areas are posing the greater threats. What threats and vulnerabilities should we be concerned about? Whether it’s natural, human, environmental-based threats, cyber-based threats, ransomware.
Thomas: We mentioned at the start the use of aged systems, redundant systems or old, out-of-date systems that are no longer patched and supported, for example. So there are a lot of areas obviously to think about, but you should always have in the back of your mind the relationship to the PHI itself and where it’s being stored, and again, to borrow the ISO phrase, the confidentiality, integrity and availability of that data as well. Obviously, thinking of the traditional format of risk management, from identifying the threats and vulnerabilities to looking at how we quantify this: is there a risk likelihood of occurrence? What’s the level of impact it will have on PHI, on the owners and custodians of the PHI data, on the individuals whose data it relates to? So starting to think about how we quantify how likely that threat will occur, and if it has occurred, what level of impact it is going to have on protecting that health information. And of course all of this should then help build up that picture of the type of controls and best practices that we need to implement. And obviously once you’ve got a likelihood and impact, combining them together to say what’s the overall level of risk to ePHI as a whole, to electronic protected health information, but also non-electronic health information, I should make that clear. Sorry. What’s the overall level of risk to the health information? So we’ve identified a formal risk process, we’ve got the PHI at the back of our mind, and there’s the expectation from a third-party perspective that they’ve done the same, because we’re handing them that type of data. So, what’s the level of risk that we need to be concerned about? And then finally, making sure we’ve got a process to record risk, review, and plan for any remediation to deal with those risks and to implement the necessary controls.
Thomas: Application of controls required to protect PHI and to create, receive, maintain or transmit electronic and non-electronic protected health information, as I say, is a fundamental aspect of third-party agreements or BA agreements, and the rule requires organizations to develop that framework for risk assessments and implementing controls to address the results of those risk assessments. So what does this mean in practice? Well, it means obviously identifying risks associated with our health information. Have we identified what those minimum controls are? And again, thinking about the type of vendors, the type of organizations we’re dealing with, that can also have an effect on identifying whether we need to enforce physical security controls, for example, based on what they’re doing with the data. Are there particular aspects on the use and disclosure of information that again we need to enforce, or we need the third party to demonstrate that they’re implementing? And finally, establishing that ongoing process for monitoring and adjusting security and privacy controls as and when new technologies emerge, new and emerging threats, and of course changes to the regulations, as they do on a periodic basis. And what that always means is it’s all wrapped under that consistent risk process: having that structured approach for identifying and managing risk, using some form of third-party risk process and program, and having that consistency and continual review process to enable a recurring third-party assessment. So year-on-year monitoring of risk, adapting to new and emerging risk, and ensuring those security and privacy controls we’re asking our business associates, third parties, to implement are being effective or effectively conducted. So in summary, what does this mean, or where do we go from here?
Thomas: So if we haven’t already, start developing a third-party risk assessment process to really start to understand where HIPAA requirements are necessary for business associates, and start to understand those security and privacy elements that we need to enforce on a third party: what’s expected that a BA should be demonstrating when handling health information, and what do we start to incorporate into a formal contract and agreement. Once we’ve done that, we start to build our critical control domains, mandatory control requirements, standards mapping within HIPAA to identify those critical controls. And then that process of engaging those third parties, conducting those regular risk assessments and executing plans to address the risk, so that if we need to demonstrate compliance to the HIPAA Security and Privacy Rules, we’ve got that process to say we’ve done our due diligence for our third parties and we’re going through that regular process and continued improvement process. I’d now like to very briefly hand over to Scott.
Scott: Thanks, Thomas. Awesome, everybody. Real quick, 10-second overview. If you’re challenged with assessing your business associates against the Security Rule or the Privacy Rule, we’ve got built-in assessment content in the Prevalent platform to help you automate that process, enable workflow to help you progress that assessment through its life cycle, gather some external intelligence to validate that those controls are in place, and give you good risk reporting to determine where your riskiest business associates are and the remediation recommendations to then reduce that risk over time.
Scott: We also have what you see on the screen right now, which is our HIPAA third-party risk management checklist, a 10-page guide that really breaks down the Security Rule in very fine detail and then provides some best practice recommendations and capabilities to help make that process faster. I’ll pitch it back to Melissa. You guys can open up for questions.
Melissa: Oh, there we go. Since we are at the top of the hour, I’m going to go ahead and drop my email in the chat real quick. So, if there is a question, I know a lot of people have to drop for meetings if they haven’t already, but let’s see. Prevalent.net. There we go. Can’t talk and type at the same time. But I really do appreciate Sophie and Thomas. Obviously, your brains are so fun to pick. And Scott, thanks for doing a very expedited spiel on how Prevalent can help. But you will get a copy of this in your inbox shortly. And, like I said, my email is in the chat if you need it. And that is pretty much that. I hope you guys have a great rest of your day or evening wherever you are, and we will see you hopefully at a future webinar.

©2025 Mitratech, Inc. All rights reserved.