Do Your Partners Handle PHI With Care? Not Sure?

Written by Karen Pursch, Director, Patient Privacy Solutions

A great deal of your hospital’s patient information is now handled by outside partners — physician practices, outside labs, insurance companies, and many others. In an ideal world, you could trust these business associates and their subcontractors to always take the necessary precautions to keep sensitive information safe. Dream on!

Third parties are often the weakest link in a hospital’s security efforts, and their vulnerabilities can lead to your own organization being compromised, with all the cost and drama that result. According to the Ponemon Institute Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data (May 2016), nearly 90 percent of healthcare organizations had a data breach in the past two years, at an estimated average cost of more than $2.2 million. The high value of healthcare data is highlighted by Symantec’s 2016 Internet Security Threat Report, which ranked healthcare at the top of high-risk industries based on incidents caused by cyber criminals or insider theft.

With the increased sharing of digital data, CMS and OCR now recognize that every partner to whom you grant network access represents a potential breach of patient privacy. The HIPAA Omnibus Final Rule requires hospitals to ensure that any business associate that creates, receives, maintains, or transmits PHI on their behalf also complies with HIPAA requirements for patient privacy. Hospitals that fail to adequately monitor business associates are not only at risk of a breach, but also risk a charge of willful neglect.

Thus you need to understand how your third-party vendors are accessing PHI, what systems they are accessing, and who is accessing them. You also need to be able to show, with records rather than assurances, that you’re in compliance and that you’re doing all you can to keep patient information safe.

Viewpoint From a CIO
Rob Rhodes knows these challenges well. As a hospital CIO for many years (and now Vice President, Product Management, at Iatric Systems), Rob has been working since the late nineties to address the security risks hospitals face when sharing digital information with third parties. As demand for that sharing grew, he saw how important it was to put sound practices in place to protect against data theft as well as disruption to hospital operations.

Over the past 15 years, the solutions developed by Rob and his colleagues have been adopted by hundreds of other hospitals. But in those early days, they had to solve security problems on their own. “We would begin by asking questions. For example, how well do we know this organization? What type of data is being exchanged? Who needs to see it, and what will they do with it? Based on what we learned, we determined levels of risk and created policies, defining things like encryption required, credentials users would need, and levels of access they would be granted. We then put automated controls in place to enforce those policies, monitor access, and detect inappropriate behavior.”
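The policy-then-monitor approach Rob describes, and the questions a few paragraphs up (how vendors access PHI, which systems, which people), as an added example that is not the page’s own code and not Iatric Systems’ product: each business associate gets a written policy (enrolled users, in-scope systems, highest access level granted, encryption required), and a check runs over access-log lines and reports anything outside that policy. The log format, the field names, the partner names and the sample entries are all constructed for illustration; a real deployment would map EHR audit logs or remote-access gateway logs into the same shape.

```python
"""
Policy-driven review of third-party (business associate) access logs.

Added example, not Iatric Systems code. The key=value log format, the
policy fields and every partner/user/system name below are assumptions
made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PartnerPolicy:
    """What one business associate is allowed to do, agreed up front."""
    allowed_users: Set[str]      # named individuals, never a shared account
    allowed_systems: Set[str]    # systems the partner may touch
    max_role: str                # "view" or "edit": highest access level granted
    require_tls: bool = True     # encryption in transit required by the agreement


ROLE_RANK = {"view": 1, "edit": 2}


@dataclass
class AccessEvent:
    partner: str
    user: str
    system: str
    role: str
    tls: bool


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one key=value record; returns None for lines that are not access events."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("event") != "access":
        return None
    return AccessEvent(
        partner=fields["partner"], user=fields["user"], system=fields["system"],
        role=fields["role"], tls=fields.get("tls") == "on")


def check_event(ev: AccessEvent, policies: Dict[str, PartnerPolicy]) -> List[str]:
    """Return the policy violations for one event (an empty list means it was allowed)."""
    findings: List[str] = []
    policy = policies.get(ev.partner)
    if policy is None:
        # Access under a partner name nobody vetted is itself a finding.
        return [f"{ev.partner}: no policy on file (unvetted partner?)"]
    if ev.user not in policy.allowed_users:
        findings.append(f"{ev.partner}: user {ev.user} not enrolled")
    if ev.system not in policy.allowed_systems:
        findings.append(f"{ev.partner}: system {ev.system} outside agreed scope")
    if ROLE_RANK.get(ev.role, 99) > ROLE_RANK[policy.max_role]:
        findings.append(f"{ev.partner}: role {ev.role} exceeds granted level {policy.max_role}")
    if policy.require_tls and not ev.tls:
        findings.append(f"{ev.partner}: unencrypted session to {ev.system}")
    return findings


def audit(lines: List[str], policies: Dict[str, PartnerPolicy]) -> List[str]:
    """Run every access event in the log through its partner's policy."""
    findings: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            findings.extend(check_event(ev, policies))
    return findings


# Constructed sample: policies for two partners and a handful of log lines.
POLICIES = {
    "labco": PartnerPolicy({"jdoe", "asmith"}, {"lis"}, "view"),
    "billing-llc": PartnerPolicy({"rlee"}, {"pm", "claims"}, "edit"),
}

SAMPLE_LOG = [
    "ts=2017-03-01T09:02:11Z event=access partner=labco user=jdoe system=lis role=view tls=on",
    "ts=2017-03-01T09:05:40Z event=access partner=labco user=jdoe system=ehr role=view tls=on",
    "ts=2017-03-01T09:07:02Z event=access partner=labco user=tmp01 system=lis role=edit tls=off",
    "ts=2017-03-01T10:11:55Z event=access partner=billing-llc user=rlee system=claims role=edit tls=on",
    "ts=2017-03-01T10:15:13Z event=access partner=imaging-inc user=kwu system=pacs role=view tls=on",
    "ts=2017-03-01T10:16:00Z event=logout partner=labco user=jdoe",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, POLICIES):
        print(finding)
```

Running it on the constructed log reports the lab partner reaching a system outside its scope, an unenrolled user on that partner’s account with edit rights over an unencrypted session, and an access by a partner that has no policy at all; the billing partner’s in-scope edit and the logout line produce nothing. The useful design point is that the policy is data, not code: when the agreement with a partner changes, you change the policy record and the monitoring follows.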

Rob has seen healthcare emerge as a prime target for cyber criminals and is on the front lines helping hospitals adapt as technology and the threat landscape evolve. “We’re now in a much more connected world, which means we have to defend against state actors, criminal syndicates, and the insider threat constantly probing for vulnerabilities to exploit.” As he works with hospitals and partners to deal with current threats, he draws upon lessons learned from the early days, when all the challenges were new. “It was well before the Omnibus Rule, but we needed to be proactive to create good security practices. We’ve carried that thinking forward and built on it, and it’s helped get us where we are today.”

Compliance is Within Reach
Monitoring and auditing an ecosystem of third parties can be daunting for CIOs and CISOs who already have a lot on their plate. A recent Ponemon Research study, Data Risk in the Third Party Ecosystem, found a lack of confidence in third parties’ data safeguards, in their security policies and procedures, and in whether their security posture is sufficient to respond to a data breach or cyber attack.

Take advantage of those third party relationships while protecting patient privacy and your hospital’s reputation by joining our upcoming webinar demonstration on Partner Risk Manager™.

Register for the webinar now

Topics: patient privacy monitoring, Healthcare Breaches, Partner Risk Management
