A HIPAA Compliance Checklist for Third-Party Risk Management
The US Health Insurance Portability and Accountability Act (HIPAA) was established to ensure that sensitive protected health information (PHI) would not be disclosed without a patient’s consent. HIPAA includes a Security Rule that establishes safeguards for organizations holding electronically stored PHI (ePHI), as well as a Privacy Rule that sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Although HIPAA regulations are most closely associated with “covered entities” such as health plans, healthcare clearinghouses, and some healthcare providers, they also apply to “business associates”: third-party vendors that have access to PHI. This dramatically expands the number of organizations that must comply with HIPAA requirements, and the number of third parties that providers must assess.
How HIPAA Defines Protected Information: Privacy and Security
The HIPAA Privacy Rule defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
The HIPAA Security Rule deals specifically with safeguarding electronically stored PHI (ePHI). It states that the ePHI that an organization (known as a covered entity) creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The HIPAA Security Rule sets forth general rules around security standards, including administrative, technical, and physical safeguards. Organizational requirements and documented policies and procedures round out the legislative specifications.
How Is Third-Party Risk Related to HIPAA?
Organizations must be aware of risks to critical information both within their own entity and at third parties that have access to ePHI. HIPAA makes this a requirement, and applies the term “organization” to both covered entities and business associates. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
You can evaluate a vendor’s readiness to comply with your security expectations with a vendor risk assessment.
Next Steps for HIPAA Compliance
Complying with HIPAA requires a complete internal and external view of the controls in place for all business associates. Managing this process efficiently across hundreds of third parties with manual spreadsheets is impossible. At a basic level, organizations should:
- Automate business associate vendor onboarding and offboarding to ensure consistent processes
- Profile, tier and score inherent risk to guide full risk assessment decisions
- Assess business associates against standardized content that simplifies regulatory and standards mapping
- Centralize all business associate documentation, including contracts, reporting and evidence
- Perform continuous monitoring of cybersecurity, business/reputational and financial information to correlate risks against assessment results
- Report regularly against SLAs, performance and compliance using standardized, pre-built templates
- Apply best-practice guidance to inform remediation decisions according to organizational risk appetite
For a complete listing of the HIPAA third-party risk management requirements and how Prevalent capabilities map, read The HIPAA Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.