Vendor Vetting

A recent study by the Ponemon Institute found that 54% of healthcare vendors had experienced at least one data breach affecting protected health information (PHI). Despite this, healthcare providers continue to neglect their obligation to adequately vet the vendors they work with. Although many providers partially meet this obligation by sending risk assessment questionnaires, 41% continue to work with vendors that have known gaps in their security and privacy practices around PHI without requiring those vendors to address them, and 42% never obtain proof that their vendors are actually securing PHI.

The cost of healthcare breaches continues to rise. With an average cost of $408 per lost or stolen record and an average breach size of 10,000 affected individuals, a single healthcare breach can cost $2.75 million.

The cost of a healthcare breach comprises several factors that are often overlooked, such as company downtime, the cost of recovering files, reputational damage, and Office for Civil Rights (OCR) fines. For instance, in a recent OCR settlement, a sole practitioner was fined $1.5 million, in part for failing to vet a vendor.

How can you conduct vendor vetting and protect your practice?

Vendor Vetting: Vendor Questionnaire

Healthcare providers must conduct technical due diligence by sending each vendor a vendor questionnaire. The questionnaire verifies that the vendor is properly handling and protecting the PHI it creates, receives, stores, transmits, or maintains on behalf of its healthcare clients. A vendor questionnaire is a series of yes/no questions that assess the vendor's administrative, physical, and technical safeguards.

A completed vendor questionnaire identifies the gaps in the vendor's safeguards for PHI. Before a healthcare provider can work with the vendor, it must ensure that the vendor will close those gaps through remediation. If a vendor is unwilling to address its gaps, the healthcare provider should choose another vendor.

A healthcare provider that continues to work with a vendor with known gaps is putting patients' PHI at risk and is not considered HIPAA compliant. In the event of a HIPAA audit, both parties would be held liable for the unaddressed gaps.

Business Associate Agreement

Healthcare organizations must have a signed business associate agreement with every vendor before working with it. A business associate agreement (BAA) is a legal document that specifies the safeguards the vendor is required to have in place to secure PHI. A BAA also specifies which party is required to report a breach should one occur. Lastly, a BAA limits the liability of both signing parties, as it states that each party is responsible for managing its own HIPAA compliance.

Third Party Verification and Validation
