The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law designed to protect sensitive patient information from unauthorized disclosure, whether through accidental data leakage or as the result of a planned cyberattack.

The framework for this data protection standard is divided into two components:

  • The HIPAA Security Rule - Administrative, physical, and technical safeguard standards for all electronic protected health information (ePHI).
  • The HIPAA Privacy Rule - Limits on how protected health information (PHI), in any form, may be used and disclosed.

Alongside the “Covered Entities” that must comply with HIPAA, the regulation also reaches “business associates”: any external person or organization that creates, receives, maintains, or transmits protected health information (PHI) on a covered entity’s behalf - in other words, third-party vendors. Business associates are not covered entities themselves, but since the HITECH Act and the 2013 Omnibus Rule they are directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.

This third-party risk management component of HIPAA is probably the hardest one to achieve compliance in. Third-party vendors must be adequately evaluated before onboarding and then continuously monitored so that their security vulnerabilities don’t cause a violation of the Security Rule’s standards.

To learn how to comply with all of the third-party risk management requirements of HIPAA, read on.

What Does it Mean to Be HIPAA Compliant?

A HIPAA-compliant entity has all the necessary network and process controls required to meet the personal data protection standards outlined in HIPAA’s security and privacy rules.

At a high level, a cybersecurity program that’s compliant with HIPAA meets the following ten requirements:

  1. The implementation of security policies aligning behaviors and process standards against HIPAA’s privacy rule.
  2. The designation of a compliance officer and a compliance committee.
  3. Hosting regular cyber threat awareness training for staff.
  4. The establishment of efficient cyber threat communication streams.
  5. Regular internal and external threat landscape monitoring and security risk assessments.
  6. The enforcement of private information disclosure and security standards.
  7. The implementation of cyber mechanisms for prompt detection and remediation of sensitive data threats, including a Cyber Security Incident Response Plan.
  8. Ensuring the continuous availability, security, integrity, and confidentiality of all electronic Protected Health Information (ePHI).
  9. The implementation of a cybersecurity mechanism for detecting and mitigating anticipated threats to PHI.
  10. The establishment of processes for detecting and preventing unauthorized disclosures of PHI.

It also helps to understand which behaviors constitute a direct violation of the HIPAA regulation. Some extreme examples of violating practices are:

  • Failing to report a breach affecting 500 or more individuals to the Secretary of HHS without unreasonable delay and within 60 days of discovery, as the Breach Notification Rule requires.
  • Inadequate employee cyber threat awareness training.
  • Unauthorized access to, or disclosure of, protected health information (PHI).
  • Accidental PHI disclosures, such as a data leak or emailing patient information to the wrong recipient.
  • Manual theft of data storage devices hosting PHI following an office break-in.

The technical compliance expectations, specifically in the third-party vendor domain, are outlined in greater detail below.

Compliance with the HIPAA regulation is ultimately verified by the Office for Civil Rights (OCR), either through a compliance review or audit, or in response to a complaint alleging a violation.

If you haven't yet implemented a HIPAA compliance program, use this checklist to establish a foundation for your third-party risk compliance efforts.


Is HIPAA Compliance Mandatory?

Compliance with HIPAA is enforced by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR).

Entities that must comply with the HIPAA regulation are referred to as “Covered Entities.” These are:

  • Healthcare Providers - Any provider that transmits health information electronically in connection with a HIPAA standard transaction, regardless of entity size.
  • Health Plans - Health, dental, vision, and prescription drug insurers, HMOs, employer-sponsored group health plans, and government programs such as Medicare and Medicaid.
  • Healthcare Clearinghouses - Entities that process nonstandard health information received from another entity into a standard format, or vice versa.

Business Associates - any person or organization that performs functions or services on behalf of a covered entity involving PHI - are not covered entities, but are directly regulated by HIPAA and must comply with the Security Rule as well.


Extending HIPAA obligations to Healthcare Clearinghouses and Business Associates significantly increases the number of entities that must comply. Digital transformation has the adverse side effect of expanding the attack surface shared between Covered Entities and their third-party vendors.

The threat landscape has become so interconnected that a data breach involving a fourth-party vendor (your vendor’s vendor) could put your sensitive health information at risk of compromise.


With so many potential digital avenues to sensitive resources, the potential of non-compliance with the HIPAA regulation is high, making third-party risk management the most complicated element of HIPAA compliance.

But if the Vendor Risk Management component of HIPAA compliance is effectively addressed, regulatory compliance with the remaining information security components becomes relatively easy.


How to Comply with the Vendor Risk Management Requirements of the HIPAA Regulation

If you’re a healthcare clearinghouse, a healthcare provider, or a health plan, you must be aware of the following third-party data security requirements of HIPAA. Each listed HIPAA requirement is supported with an example of a security measure offered by UpGuard for the establishment of a TPRM Program supportive of HIPAA compliance.

45 CFR § 164.308(a)(1)(ii)(A) - Administrative Safeguards

Risk Analysis [Required]

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

What Does This Mean?

First, a baseline must be established to determine your starting degree of compliance with the HIPAA regulation. This evaluation should also consider prospective vendors in the pipeline since a new vendor's inherent risk profile could significantly impact your security posture.

A risk assessment should involve a comprehensive evaluation of all information systems, both internal and external, to determine which systems and which parties can access PHI, and at what level.

The healthcare industry commonly outsources a significant portion of its PHI processing to Business Associates and their subcontractors. A scalable risk assessment solution is imperative so that PHI-handling systems in the supply chain are not overlooked.

How UpGuard Can Help You Comply with this HIPAA Security Rule

UpGuard’s TPRM platform includes a security rating feature for performing a preliminary assessment of the potential security risks associated with prospective vendors. This feature streamlines the onboarding management process by shortlisting candidates with the highest likelihood of following exemplary security standards and technical safeguards.

After onboarding, each vendor’s attack surface is then continuously monitored for vulnerabilities that put medical records at a heightened risk of compromise. A library of risk assessments and customizable security questionnaires is also offered for a more detailed evaluation of specific security risks.

By also optimizing remediation management for the most critical third-party risks jeopardizing HIPAA compliance, UpGuard addresses the entire scope of Vendor Risk Management in one powerful, yet refreshingly intuitive, platform.

Request a free demo of UpGuard >

45 CFR § 164.308(a)(1)(ii)(B) - Administrative Safeguards

Risk Management [Required]

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (HIPAA’s security standards).

What Does This Mean?

After cyber risks threatening the confidentiality, integrity, and availability of PHI have been identified, healthcare organizations must exercise the necessary cybersecurity due diligence to mitigate those risks, either by implementing new security controls or by remediating the vulnerabilities.

How UpGuard Can Help You Comply with this HIPAA Security Rule

UpGuard maps security questionnaire submissions to popular cybersecurity frameworks to identify the particular risks, within covered entities and business associates, that impede compliance.

The NIST Cybersecurity Framework, a standard trusted by government entities, is among those frameworks. Aligning security controls with the NIST Cybersecurity Framework gives sensitive health data a level of protection that supports HIPAA compliance.

Security rating improvement projection on the UpGuard platform

UpGuard also indicates the projected security posture improvements associated with each suggested remediation response. This feature helps security teams prioritize remediation efforts with the greatest positive impacts on your security posture.


45 CFR § 164.308(a)(1)(ii)(D) - Administrative Safeguards

Information System Activity Review [Required]

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.


What Does This Mean?

Third-party security risks can surface at any time, so an annual assessment schedule alone cannot keep PHI protected from emerging threats. To keep security teams informed of sudden risks to PHI, a continuous vulnerability monitoring solution should be coupled with a regular risk assessment schedule. Internally, the same standard requires that audit logs and access reports for systems holding ePHI actually be reviewed on a defined schedule, not merely collected.
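The standard's own text asks for procedures that review audit logs and access reports, and the practical form of that is a small, repeatable check that turns raw records into a short list of events a reviewer must look at. The following is an added example written for this page; it is not UpGuard's code and is not prescribed by the rule. It assumes a constructed key=value log format, an invented set of roles, business hours of 07:00-19:00, a bulk-access threshold of five distinct patients within ten minutes, and a constructed list of deprovisioned accounts; a real deployment would take all of these from its own EHR export and HR/IdP feeds.

```python
"""ePHI audit-log review: flag access patterns that warrant human review.

Log format, roles, business hours, thresholds and the deprovisioned-account
list are all assumptions for illustration (constructed for this example).
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)                  # assumption: 07:00-19:00 local time
BULK_WINDOW = timedelta(minutes=10)       # assumption: sliding window size
BULK_THRESHOLD = 5                        # assumption: distinct patients per window
CLINICAL_ROLES = {"physician", "nurse"}   # assumption: may work out of hours
DEPROVISIONED = {"contractor.vex"}        # constructed: terminated vendor account

# Constructed sample records: who touched which patient record, when, in what role.
SAMPLE_LOG = """\
2024-03-04T09:12:05 user=nurse.ali role=nurse dept=cardiology patient=P-1001 action=view
2024-03-04T09:13:40 user=nurse.ali role=nurse dept=cardiology patient=P-1002 action=view
2024-03-04T09:15:02 user=dr.chen role=physician dept=cardiology patient=P-1001 action=update
2024-03-04T10:00:10 user=analyst.roy role=analyst dept=research patient=P-2001 action=view
2024-03-04T10:01:00 user=analyst.roy role=analyst dept=research patient=P-2002 action=view
2024-03-04T10:02:15 user=analyst.roy role=analyst dept=research patient=P-2003 action=view
2024-03-04T10:03:30 user=analyst.roy role=analyst dept=research patient=P-2004 action=view
2024-03-04T10:04:45 user=analyst.roy role=analyst dept=research patient=P-2005 action=view
2024-03-04T14:20:00 user=contractor.vex role=vendor dept=external patient=P-1003 action=view
2024-03-04T23:41:18 user=billing.kim role=billing dept=finance patient=P-1001 action=view
2024-03-04T23:41:19 user=billing.kim role=billing dept=finance patient=P-1002 action=view
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def review(records):
    """Return a list of (rule, user, detail) findings for the reviewer.

    Rules: access by a deprovisioned account, after-hours access by a
    non-clinical role, and bulk access to many distinct patients in a short
    window (a common signature of record scraping or snooping).
    """
    findings = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["user"] in DEPROVISIONED:
            findings.append(("DEPROVISIONED_ACCOUNT", rec["user"], rec["patient"]))
        if rec["role"] not in CLINICAL_ROLES and not in_business_hours(rec["ts"]):
            findings.append(("AFTER_HOURS", rec["user"], rec["patient"]))
        by_user[rec["user"]].append(rec)

    # Sliding window per user over distinct patient identifiers (records are
    # already time-sorted); report once per user at the first crossing.
    for user, recs in by_user.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {r["patient"] for r in recs[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("BULK_ACCESS", user,
                                 f"{len(distinct)} patients within {BULK_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:16} {detail}")
```

On the constructed log this reports the deprovisioned contractor's access, the two after-hours views by the billing account, and the analyst's bulk access, while the clinical staff's ordinary workday activity produces nothing. The point of keeping the rule set this small and explicit is that each flagged event maps to a documented review decision, which is what the "document security incidents and their outcomes" language elsewhere in § 164.308 asks for.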

How UpGuard Can Help You Comply with this HIPAA Security Rule

The UpGuard platform includes an attack surface monitoring solution that continuously scans for vulnerabilities and data leaks threatening PHI safety, both internally and throughout the vendor network.


45 CFR § 164.308(b)(1) - Business Associate Contracts and Other Arrangements

A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

What Does This Mean?

A Business Associate Agreement (BAA) must be in place before a Business Associate is allowed to handle ePHI; it is the written assurance that the vendor will safeguard the data in line with HIPAA’s security standards. The covered entity does not have to obtain a BAA from its vendors’ subcontractors, but under § 164.308(b)(2) each business associate must obtain the same assurances from any subcontractor it passes ePHI to, so the chain of agreements should extend down through fourth parties.

How UpGuard Can Help You Comply with this HIPAA Security Rule

UpGuard allows all third-party vendors to keep a repository of all relevant security documentation in a Shared Profile, including completed Business Associate Agreements, helping you track their security efforts against their assurances of PHI safety.

Shared profile by UpGuard


45 CFR § 164.308(a)(6)(ii) - Administrative Safeguards

Implementation Specification: Response and Reporting [Required]

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

What Does This Mean?

All discovered security threats associated with third-party vendors should be addressed in a timely manner to limit harmful impacts on PHI. Promptly notifying vendors of critical vulnerabilities helps them address each security risk before it develops into a data breach, and every incident and its outcome should be recorded as the standard requires.

How UpGuard Can Help You Comply with this HIPAA Security Rule

UpGuard’s Vendor Risk Executive Summary matrix helps security leaders and decision makers instantly identify critical security threats each vendor should address to significantly reduce the potential for PHI compromise.

UpGuard Vendor security risk matrix

UpGuard’s clean and intuitive dashboard provides a detailed overview of all assessment completion statuses, identified risks, and risk remediation activities to keep you continuously informed of the threats and security responses impacting your HIPAA compliance efforts.

45 CFR § 164.308(a)(8) - Administrative Safeguards

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

What Does This Mean?

You must continuously monitor for emerging vulnerabilities that could affect a vendor’s compliance with HIPAA regulations. All vendor risks should be aggregated into a risk profile drawing data from security questionnaires, risk assessments, and security ratings.

How UpGuard Can Help You Comply with this HIPAA Security Rule

UpGuard has developed a HIPAA security questionnaire that helps healthcare entities determine which vendors are complying with HIPAA’s Security Rule. The results of these assessments are mapped against HIPAA’s security standards to identify the specific risks threatening HIPAA compliance.

HIPAA security questionnaire on the UpGuard platform

45 CFR § 164.316(b)(1) - Policies and Procedures and Documentation Requirements

(1) Standard: Documentation

(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and

(ii) If an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

What Does This Mean?

Covered Entities and Business Associates must be able to produce evidence of an implemented cybersecurity program designed to protect PHI from compromise. Policies, procedures, and the records of required actions and assessments should be kept in written or electronic form, kept current, and be readily available when OCR asks for them.


How UpGuard Can Help You Comply with this HIPAA Security Rule

UpGuard allows Covered Entities to host the documentation behind the security controls that support HIPAA compliance in a Shared Profile that can be readily accessed when required.

Executive cybersecurity report library on the UpGuard platform

Reports demonstrating relevant cybersecurity efforts can be instantly generated with UpGuard’s executive report creation tool, reducing the administrative burden of manual report creation.
