Downloaded 14 times
Uploaded byGrant Thornton LLP
Third-Party Relationships and Your Confidential Data
The document discusses the risks associated with third-party relationships in healthcare, particularly in relation to managing electronic medical data and compliance with the HIPAA omnibus rule. It highlights the importance of vendor selection, monitoring processes, and identification of potential data breaches. Additionally, it outlines the necessary steps for organizations to establish effective controls and ensure management oversight in order to mitigate risks associated with third-party vendors.
More Related Content
Similar to Third-Party Relationships and Your Confidential Data
Third-Party Relationships and Your Confidential Data
- 1. CPE Credit isnot available for viewing archived programs. Please visit http://www.grantthornton.com/events for upcoming programs. Third-Party Relationships and Your Confidential Data Assessing risk and management oversight processes Original Broadcast Date: September 2013 © Grant Thornton LLP. All rights reserved.
- 2. Presenters David Reitzel Grant ThorntonLLP Partner and National Health IT Leader, Health Care Advisory Services Joined by Mark Ruppert Cedars-Sinai Medical Center Chief Audit Executive © Grant Thornton LLP. All rights reserved. 2 2
- 3. Third-Party Relationships and YourConfidential Data Learning objectives • Describe how health care auditors and technologists can assist management by identifying compliance risks, and establishing effective vendor selection and monitoring as the use of third parties becomes more prevalent • Identify various types of third-party relationships and the breaches most commonly associated with them • Define the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule and key factors that management and internal auditors should consider when evaluating whether a breach has occurred in their organization © Grant Thornton LLP. All rights reserved. 3 3
- 4. Third-Party Relationships and YourConfidential Data Agenda • Electronic medical data • HIPAA Omnibus Rule • Third-party involvement • Breaches • Vendor selection, management • Questions © Grant Thornton LLP. All rights reserved. 4
- 5. Electronic medical data •Volume has grown • Definitions have grown – Protected health information, or PHI – Electronic protected health information, or ePHI • Protection is required – HIPAA Omnibus Rule • Protection rules are changing © Grant Thornton LLP. All rights reserved. 5
- 6. Third-Party Relationships and YourConfidential Data Agenda • Electronic medical data • HIPAA Omnibus Rule • Third-party involvement • Breaches • Vendor selection, management • Questions © Grant Thornton LLP. All rights reserved. 6
- 7. HIPAA Omnibus Rulechanges effective Sept. 23 • "Business associate" – Redefined as anyone who maintains paper PHI or ePHI • ePHI use – New limits imposed on marketing and fundraising • "Breach" and "risk" – Redefined and assessments required • Penalties – Fines escalate with violation severity © Grant Thornton LLP. All rights reserved. 7
- 8. Third-Party Relationships and YourConfidential Data Agenda • Electronic medical data • HIPAA Omnibus Rule • Third-party involvement • Breaches • Vendor selection, management • Questions © Grant Thornton LLP. All rights reserved. 8
- 9. What's a thirdparty? Businesses not under direct business control of the organization that engages them Including: • Vendors • Distributors • Suppliers • Franchisees/licensees • Joint venture or alliance partners • Technology outsourcing providers © Grant Thornton LLP. All rights reserved. 9
- 10. Cloud computing The cloud:Server network and software managed by third party in private or shared environment Risks: 1. Data security and controls 2. Data transmission 3. Multitenancy 4. Location 5. Reliability 6. Sustainability © Grant Thornton LLP. All rights reserved. 10
- 11. Types of third-partyrelationships • Infrastructure only – Vendor provides key structure but no apps or app support (e.g., third-party data centers) • Managed apps – Vendor exerts some control over installation, maintenance, and support of infrastructure and apps • All data – Vendor provides infrastructure and managed apps, as well as support, maintenance and disaster recovery (e.g., backup and recovery site) © Grant Thornton LLP. All rights reserved. 11
- 12. Third-party risks 1. Increasingvolume of electronic medical data 2. Increasing reliance on third-party vendors 3. Increasing risk from this reliance: Third parties have been responsible for almost half of all data breaches. © Grant Thornton LLP. All rights reserved. 12
- 13. Third-Party Relationships and YourConfidential Data Agenda • Electronic medical data • HIPAA Omnibus Rule • Third-party involvement • Breaches • Vendor selection, management • Questions © Grant Thornton LLP. All rights reserved. 13
- 14. Determining a breachhas occurred • Could the patient be identified? • Who received or used the information and to whom were disclosures made? • Was the data actually acquired or viewed by someone who shouldn't have had access to it? • What steps were taken to mitigate the risk? Has the recipient of the data given assurances that it was not used inappropriately? © Grant Thornton LLP. All rights reserved. 14
- 15. Consequences of abreach HIPAA notification rules Covered entities and their business associates must notify: • HHS – Report annually via a website for breaches affecting fewer than 500 individuals • HHS and the media – Notify within 60 days of determination that breach affects 500 or more individuals and meets Federal Breach Reporting Requirements • Patients – Notify per federal and state laws with varying notification requirements © Grant Thornton LLP. All rights reserved. 15
- 16. Third-Party Relationships and YourConfidential Data Agenda • Electronic medical data • HIPAA Omnibus Rule • Third-party involvement • Breaches • Vendor selection, management • Questions © Grant Thornton LLP. All rights reserved. 16
- 17. Challenges for theorganization Selecting third-party vendors • Risk-based criteria • Due diligence Monitoring third-party vendors • Management oversight © Grant Thornton LLP. All rights reserved. 17
- 18. Challenges for internalaudit Testing the organization's selection assessments • Risk-based criteria • Due diligence Reviewing the organization's monitoring process • Management oversight © Grant Thornton LLP. All rights reserved. 18
- 19. Steps to establisheffective controls 1. Identify your vendor population 2. Develop risk profile of all vendors 3. Focus first on highest-risk vendors 4. Maintain vendor screening 5. Establish ongoing monitoring process © Grant Thornton LLP. All rights reserved. 19
- 20. Third-Party Relationships and YourConfidential Data Agenda • Electronic medical data • HIPAA Omnibus Rule • Third-party involvement • Breaches • Vendor selection, management • Questions © Grant Thornton LLP. All rights reserved. 20
- 21. Comments? Questions? © Grant ThorntonLLP. All rights reserved. 21 21
- 22. The white paper Third-partyrelationships and your confidential data: Assessing risk and management oversight processes Association of Healthcare Internal Auditors (AHIA) Whitepaper Subcommittee • Mark Eddy, CPA (HCA Healthcare) • Michael Fabrizius, CPA (Carolinas HealthCare System) • Linda McKee, CPA, AHIA Board Liaison (Sentara Healthcare) • Glen Mueller, CPA, AHIA Whitepaper Subcommittee Chair (Scripps Health) • Mark Ruppert, CPA (Cedars-Sinai Health System) • Debi Weatherford, CPA (Piedmont Healthcare) © Grant Thornton LLP. All rights reserved. 22
- 23. Contact Information David Reitzel Grant ThorntonLLP Partner and National Health IT Leader, Health Care Advisory Services david.reitzel@us.gt.com 312.602.8531 Mark Ruppert Cedars-Sinai Medical Center Chief Audit Executive mark.ruppert@cshs.org 323.866.6900 © Grant Thornton LLP. All rights reserved. 23 23
- 24. Disclaimer This Grant ThorntonLLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered. For additional information on matters covered in this presentation, contact your Grant Thornton LLP adviser. © Grant Thornton LLP. All rights reserved. 24
- 25. Thank you forviewing this presentation. Visit us online at: www.GrantThornton.com twitter.com/GrantThorntonUS linkd.in/GrantThorntonUS © Grant Thornton LLP. All rights reserved.
Editor's Notes
- #6 The volume of electronic medical data is growing rapidly, driven by the potential quality of care considerations, desired process efficiencies, cost savings and looming federal requirements to migrate all health care providers to electronic records by 2015.In the past year, the use of electronic medical records has more than doubled, and the U.S. Department of Health and Human Services (HHS) has already exceeded its goal to have 50% of doctors’ offices and 80% of eligible hospitals using electronic records by the end of 2013.
- #8 Four-tiered risk assessment replaces the harm threshold in identifying a breach.
- #10 These third-party relationships offer a host of benefits for health care providers. Contracting with an outside firm to manage data systems enables providers to streamline their IT systems and related processes, and accelerate the deployment of IT resources, such as new software. These relationships also allow health care providers to focus key limited people resources on vision and mission-critical activities.
- #11 In health care, cloud computing can support electronic medical records, prescription data, practice management, computerized physician order entry, billing and administration. Clouds offer flexibility and affordability, enabling providers to expand resources as their needs dictate while paying only for what they use. Cloud computing reduces the need for capital investment in IT infrastructure and speeds the deployment of new applications and software updates.
- #12 Managed applications — including cloud computing, infrastructure and software-as-a-service — can be used to more rapidly deploy software to a larger number of users across a network, and reduce the capital needed to support and manage applications over an extended period of time.
- #13 Once a health care organization enters into a third-party relationship, it faces the challenge of compliance requirements for computer networks and software that another company owns. What’s more, the organization is dependent on such third parties for the reliability and availability of mission-critical data systems, which may include applications that require instant and constant availability (e.g., clinical applications).
- #15 The new rules put a greater onus on providers and their auditors to understand all aspects of third-party ePHI risk and develop a process for minimizing it.
- #18 Organizations should establish a management process for properly vetting vendors before their selection, and then actively monitor vendor security and privacy controls to reduce the risks created by third-party relationships. To be effective, the overall process will require more formality and rigor in vendor management than in the past.
- #19 Organizations should establish a management process for properly vetting vendors before their selection, and then actively monitor vendor security and privacy controls to reduce the risks created by third-party relationships. To be effective, the overall process will require more formality and rigor in vendor management than in the past.
- #20 1. The list should include any smaller third-party contracts that may have been added at the department level rather than through the typical centralized review and centralized contracting channels. These smaller arrangements may actually hold some of the higher risks because the contracts may not be as complete, and smaller vendors are less inclined to have the level of controls found with larger organizations.Focus the inquiries on vendors’ controls and financial stability. Ideally, this type of risk profile should be developed by management for auditor review, but it may require the auditor to lead and/or complete the effort. If completed by the auditor, the auditor should work with management on developing a process to maintain it on a periodic basis.3. Work with management and the vendor to mitigate the most immediate threats, using concepts such as data protection and digital rights management to close risk gaps.Create standard criteria such as ethics, financial stability, good references, invoice accuracy and service quality to assess new vendors and their technologies for protecting data. In decentralizedenvironments or environments where departments can create vendor relationships without a central conduit such as purchasing or legal, ensuring this happens will be much more difficult and will requiremore internal audit consideration and efforts.5. Continue to use surveys, questionnaires and inspections to review the compliance of third parties on an ongoing basis. Year-to-year comparisons can flag potential lapses in security control environments.
- #23 You will all receive an email with a link to this whitepaper, we collaborated and created with the whitepaper subcommittee/AHIA. The whitepaper lists key questions that might be helpful to review. Health care organizations considering risks associated with third-party custodians entrusted with ePHI should first understand the implications of the Final Rule and any related state regulations, and then complete a robust risk assessment of its existing vendor relationships. A similar level of management due diligence is important before entering any contractual relationship with new vendors. Internal auditors can play a key role in such due diligence by asking management to ensure it understands if the vendor has the proper security controls in place to protect organizational data by, at a minimum, addressing these key questions.