Keeping Control: Data Security and Vendor Management
www.shipmangoodwin.com @SGHealthLaw

Non-Business Associate Vendors
• Generally, a vendor is not a business associate if it does not receive, use, disclose or maintain PHI.
• Examples:
  - IT vendor will have access to hospital information systems to install, update or maintain malware protection.
  - Cleaning service with access to staff offices, medical record rooms or other areas in which PHI may exist.
  - A software company which licenses a locally hosted program which utilizes or processes PHI.
  - A consultant who is granted limited access to quality, compliance or other internal reports which include only aggregate information.

Non-Business Associate Vendors (continued)
• Despite not being subject to HIPAA, your organization’s relationship with a non-business associate vendor may entail significant risk for your organization. Consider:
  - Data Access: What type of data will the vendor have access to? Even if not PHI subject to HIPAA, confidentiality concerns may nevertheless exist under state law or concerns with proprietary information.
  - Access to Premises: Will the vendor have access to your premises or information systems? If so, would that access enable the vendor to access PHI?
  - Incidental Use or Disclosure: Will the vendor have incidental use or disclosure of PHI?
• Key Point: Don’t ignore a vendor simply because it’s not a business associate!

Example of Non-BA Incident
• Community health center engages a local IT security firm to install patches. Parties agree that vendor is not a business associate. While in the center’s information system, a newly hired vendor employee stumbles upon locally maintained patient and employee records. Bored, he starts reviewing the records and finds a former classmate of his. He copies the records to a USB drive and emails the records to the former classmate. Several weeks later, the former classmate contacts the state AG and says “look what the health center gave [the employee] access to.”
• Vendor employee failed to appreciate the seriousness of the access (no privacy training provided), was under no obligation to report the access to employer, and vendor had no obligation to notify, indemnify, reimburse or cooperate with the center.
• Resulted in HIPAA and state law violations and an extensive corrective action plan.

3 Part Strategy for Non-Business Associates
• Organizational Policies
• Due Diligence
• Confidentiality Agreement

Organizational Policies
• Don’t limit your privacy and security policies to only HIPAA compliance – while important, HIPAA is not the only privacy and security concern a covered entity or business associate should have.
  - Proprietary information and trade secrets.
  - State privacy laws.
• Ensure that policies apply to all vendors, and not merely those subject to HIPAA.
• Revisit policies regarding access to premises and information systems.
• Determine when your organization requires a non-business associate to enter into a confidentiality agreement.

Due Diligence
• Consider implementing a vendor screening tool as part of your contracting process.
  - Obtain privacy and security information and assurances from a potential vendor prior to entering into negotiations.
  - Receive comfort that a vendor who will have access to your premises or information systems is cognizant of privacy concerns, takes privacy seriously and has a privacy and security plan in place.
  - Use the vendor screening tool as a way to periodically monitor the vendor and remind the vendor of privacy and security expectations (e.g. annual or biannual re-certification).
  - Make privacy and security a factor when choosing vendors.

Confidentiality Agreements
• In many instances, a covered entity or business associate may desire to require the vendor to agree to a confidentiality agreement or contract clause.
• The extent and scope of such requirements should be based upon the risk to the organization.
• Key Terms:
  - Commitment to confidentiality
  - Compliance with laws and policies
  - Incident reporting
  - Reimbursement

Logistics
• Three main options for binding a vendor to confidentiality requirements:
  - Compliance addendum;
  - Traditional NDA or confidentiality agreement; and/or
  - Preparing standard, organization-approved language to insert into services or other agreements.
• Many organizations have developed all three and use them in different situations.
  - Consider a confidentiality tool to guide business owners regarding when to use which form/language.
• Don’t limit yourself to privacy and security – for example, the compliance addendum is a great opportunity to address other pertinent issues such as exclusions or Medicare access to records.

Confidentiality
• HIPAA: Acknowledge that vendor is not a business associate and require vendor to enter into a BAA should the scope of services change or HIPAA change such that the vendor would be considered a business associate.
• Data Use Requirements:
  - Prohibit requesting or accessing data outside the scope of the engagement.
  - Maintain information obtained through “incidental” use or disclosure in strict confidence.
  - Do not use or disclose PHI for any purpose except to the extent incidental use or disclosure of PHI is necessary in performance of the services.
  - Do not maintain, copy or misappropriate any PHI.

Compliance
• Require vendor to comply with all applicable law, including state data privacy and security laws.
• Require vendor to comply with all organizational policies and procedures regarding access to information systems or premises, including:
  - User authentication;
  - Sharing of passwords;
  - Visitor sign-in/out and badge requirements; and
  - Remaining accompanied by organization personnel while on-site.

Incident Reporting
• Require vendors to report data security incidents in a manner similar to the breach reporting obligations required by HIPAA and state law.
  - A data security incident may be defined as any use or disclosure of confidential information in violation of the confidentiality agreement.
• Key Requirements for Vendor:
  - report the incident;
  - safeguard the confidentiality of the information involved in the incident;
  - take reasonable steps to destroy or return the information involved in the incident; and
  - take reasonable steps to mitigate any harm from the incident.

Reimbursement and Liability
• Particularly if a large amount of data is involved, or the potential exists for access to medical records or other sensitive information, consider:
  - Incident Reimbursement: Require vendor to reimburse organization for any costs, fines, penalties or expenses incurred as a result of the incident. Consider specifying which costs (if not all), cap on liability (tied to insurance?), insurance mandate, and exceptions to reimbursement (vendor not solely to blame?).
  - Indemnification: Vendor holds organization harmless and makes organization whole in the event of a claim arising from the vendor’s use or disclosure of data.
    ► More important in light of growing negligence claim activity.