This chapter discusses the importance and purpose of managing risk associated with third parties. This includes understanding the definition of third parties, risk assessment and management activities, and requirements for maintaining a third-party inventory, applying security standards and practices, determining assessment requirements, and addressing incident response and connectivity requirements.
Security Management Process

| Key Activities | Description |
| --- | --- |
| Identify relevant information systems | Identify all information systems that house EPHI. Include all hardware and software that are used to collect, store, process, or transmit EPHI. Analyze business functions and verify ownership and control of information system elements as necessary. |
| Conduct risk assessment | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the third party (refer to Chapter 6 for risk assessment methodology). |
| Implement a risk management program | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. |
| Acquire IT systems and services | Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Considerations for their selection should include: applicability of the IT solution to the intended environment; the sensitivity of the data; the organization’s security policies, procedures, and standards; and other requirements such as resources available for operation, maintenance, and training. |
| Create and deploy policies and procedures | Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks. Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. Create procedures to be followed to accomplish particular security-related tasks. |
| Develop and implement a sanction policy | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the third party. Develop policies and procedures for imposing appropriate sanctions (e.g., reprimand, termination) for noncompliance with the organization’s security policies. Implement the sanction policy as cases arise. |
| Develop and deploy the information system activity review process | Implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports. |
| Develop appropriate standard operating procedures | Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports. |
| Implement the information system activity review and audit process | Activate the necessary review process. Begin auditing and logging activity. |
Assigned Security Responsibilities

| Key Activities | Description |
| --- | --- |
| Select a security official to be assigned responsibility for HIPAA security | Identify the individual who has final responsibility for security. Select an individual who is able to assess effective security and to serve as the point of contact for security policy, implementation, and monitoring. |
| Assign and document the individual’s responsibility | Document the assignment of responsibility to one individual in a job description. Communicate this assigned role to the entire organization. |
Workforce Security

| Key Activities | Description |
| --- | --- |
| Implement procedures for authorization and/or supervision | Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed. |
| Establish clear job descriptions and responsibilities | Define roles and responsibilities for all job functions. Assign appropriate levels of security oversight, training, and access. Identify in writing who has the business need – and who has been granted permission – to view, alter, retrieve, and store EPHI, and at what times, under what circumstances, and for what purposes. |
| Establish criteria and procedures for hiring and assigning tasks | Ensure that staff members have the necessary knowledge, skills, and abilities to fulfill particular roles. Ensure that these requirements are included as part of the personnel hiring process. |
| Establish a workforce clearance procedure | Implement procedures to determine that the access of a workforce member to EPHI is appropriate. Implement appropriate screening of persons who will have access to EPHI. Implement a procedure for obtaining clearance from appropriate offices or individuals when access is provided or terminated. |
| Establish termination procedures | Implement procedures for terminating access to EPHI when the employment of a workforce member ends or as otherwise required. Develop a standard set of procedures to be followed to recover access control devices (e.g., identification badges, access cards). Deactivate computer access accounts. |
Information Access Management

| Key Activities | Description |
| --- | --- |
| Isolate healthcare clearinghouse functions | If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization. Determine if a component of the third party constitutes a healthcare clearinghouse under the HIPAA Security Rule. If no clearinghouse functions exist, document this finding; if they do, ensure implementation of procedures for access consistent with the HIPAA Privacy Rule. |
| Implement policies and procedures for authorizing access | Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism. Decide how access will be granted to workforce members within the organization. Select the basis for restricting access. Select an access control method (e.g., identity-based, role-based). Determine if direct access to EPHI will ever be appropriate for individuals external to the organization (e.g., third parties, subcontractors). |
| Implement policies and procedures for access establishment and modification | Implement policies and procedures that, based on the organization’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. Establish standards for granting access. Obtain formal authorization from the appropriate authority before granting access to sensitive information. |
| Evaluate existing security measures related to access controls | Evaluate the security features of access controls already in place, or those of any planned for implementation, as appropriate. Determine whether these security features are aligned with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authorization of users, and physical access controls. |
| Term | Definition |
| --- | --- |
| Chain of custody | Documenting the preservation of evidence from the time it is collected to the time it is presented in court |
| Covered entity | The primary entity, such as a health plan, healthcare clearinghouse, or certain healthcare providers, that maintains a direct relationship with patients |
| Third party | Also referred to as a business associate: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Third parties can also be subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate |
| Incident response | Process to help organizations minimize loss or theft of information, minimize disruption of services, and reduce overall risk associated with incidents |
| Level of trust | Assessed based on the results of the covered entity’s risk assessment, identified deficiencies, and the status of remediation plans |
| Connection agreement | Used to define and mutually agree on the type of connectivity that will be established between the parties |
| HIPAA Privacy Rule | Requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization |
| HIPAA Security Rule | Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity |
1. The HIPAA Privacy Rule applies only to covered (primary) entities including:
a. Health plans
b. Healthcare clearinghouses
c. Certain healthcare providers
d. All of the above
2. Under HIPAA, written contracts must be implemented to address:
a. Termination
b. Breach reimbursement
c. Event notification
d. a and c
3. Risk assessments are generally triggered when a third party will:
a. Store, process, and/or transmit personal health information
b. Store and/or process personal health information
c. Transmit and/or process personal health information
d. Transmit and/or store personal health information
4. Which NIST Special Publication describes the key administrative, physical, and technical controls and activities required under the HIPAA Security Rule?
a. 800-61 Revision 2
b. 800-39
c. 800-66 Revision 1
d. 800-30 Revision 1
5. Findings resulting from completed third-party assessments should be clearly communicated to:
a. Management at the covered entity
b. Management at the third party
c. a and b
d. None of the above
6. Incident response helps organizations to:
a. Reduce overall risk associated with incidents
b. Minimize disruption of services
c. Minimize loss or theft of information
d. All of the above
7. Which NIST Special Publication focuses on computer security incident response handling?
a. 800-61 Revision 2
b. 800-39
c. 800-66 Revision 1
d. 800-30 Revision 1
8. Under the HIPAA Breach Notification Rule, notification is generally required to the affected individuals, the Secretary, and in certain circumstances, the media within:
a. 30 days
b. 45 days
c. 60 days
d. 90 days
9. A covered entity’s level of trust for a third party can be assessed based on the results of:
a. Identified deficiencies
b. The covered entity’s risk assessment
c. Status of remediation plans
d. All of the above
10. Connection agreements with third parties can be used to:
a. Address administrative, physical, and technical safeguard requirements
b. Define and mutually agree on the type of connectivity established between parties
c. a and b
d. None of the above
11. To determine the value and risk associated with data, an organization must assess data:
a. Confidentiality requirements
b. Integrity requirements
c. Availability requirements
d. All of the above
12. The HIPAA Privacy Rule establishes:
a. National standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically
b. National standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity
c. International standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically
d. International standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity
13. The HIPAA Security Rule establishes:
a. National standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically
b. National standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity
c. International standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically
d. International standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity
14. Who is ultimately responsible for the protection of data entrusted to a healthcare organization?
a. Patient
b. Third party accessing, processing, or storing healthcare data
c. Primary healthcare organization
d. Department of Health and Human Services (HHS)
Practice Exam Answers
1. d
2. d
3. a
4. c
5. c
6. d
7. a
8. c
9. d
10. c
11. d
12. a
13. b
14. c