June 20, 2017
7 Tips For Effective Vendor Management
You can lead a horse to water but you can’t make it drink. If you’re an organization working with protected health information (PHI), however, and your business associates are the proverbial horses, you better try to make them drink the HIPAA privacy rules. Why? If a business associate violates HIPAA requirements, your organization will be held liable as well. For example, according to an article in Security Intelligence, the covered entity was liable for part of a $550,000 total settlement when its business associate violated privacy rules.
At SCIO Health Analytics, we do everything possible to ensure that our business associates stay in compliance with the HIPAA rules. All covered entities – provider and payer organizations – should do the same. More specifically, you should implement a vendor management program that includes:
1 - Assessing the level of potential PHI exposure.
Before working with business associates, it’s essential not only to identify the companies that will be working directly with PHI, but also to identify vendors that could have incidental access to PHI. For example, an IT consultant is likely to access PHI frequently. A paper shredding company, on the other hand, is not likely to work directly with PHI, but its staff members could come across PHI in the course of carrying out their duties. So, protections still need to be in place.
2 - Educating vendors.
Some business associates might not realize that they are required to comply with HIPAA regulations. As such, you need to explain the ins and outs of the privacy rules and ensure that the vendors understand that they will be held liable for any violations of the PHI requirements.
3 - Ensuring business associates are taking adequate precautions.
For example, when working with a data vendor, it’s a good idea to require that they possess advanced security certifications such as SSAE 16. While it wouldn’t be necessary to require a paper shredding company to have such certification, it would behoove a covered entity to require that the paper shredding company provide employee background checks and drug screening.
4 - Conducting annual assessments.
Compliance work is not a once-and-done endeavor. As such, it’s essential to survey vendors at least annually to ensure continued compliance.
5 - Encouraging non-responsive vendors to respond.
Vendors sometimes don’t respond to compliance surveys, so continual follow-up is required. It’s important to use multiple communication channels when attempting to get a response. For example, if a vendor doesn’t reply to an e-mail, a follow-up call might be necessary.
6 - Offering remediation assistance.
When a business associate completes the assessment and red flags for non-compliance surface, you, as the covered entity, need to work closely with the vendor to resolve these issues.
7 - Terminating relationships with non-compliant business associates.
If the compliance issues cannot be resolved, then it is time to terminate the business arrangement and seek another vendor.
These are some of the best practices that we’ve discovered while implementing vendor compliance management programs. Do you know of any others?
Taryn Bevilacqua serves as Compliance Director for SCIOinspire. In this role, she is responsible for leading the internal processes for promoting and ensuring SCIO’s compliance with laws, regulations, company policies and contracts.