Healthcare IT News
Top 6 data security questions you should be asking your BAs

June 07, 2011 | Molly Merrill, Associate Editor

NEW YORK – A recent study shows that third-party mistakes account for 39 percent of data breaches – which is why one security expert says it's so important that healthcare organizations take a good look at who they hire to handle personal health information.

"Today’s global economy is driving organizations to work with an ever-increasing pool of third parties to take on critical – and sometimes highly sensitive – functions," says Brian Lapidus, chief operating officer for fraud solutions at Kroll. "For the healthcare industry, the bar for maintaining privacy and security is set quite high – HIPAA/HITECH mandates certain requirements for a Business Associate (BA), to ensure the privacy and security of the Covered Entities’ sensitive PHI."

[See also: 12 steps for surviving a privacy breach investigation]

"The requirements are generally outlined as obligations included within the Business Associate Agreement (BAA)," he adds. "However, before a BAA is signed, stringent due diligence must be undertaken to curb some of the most substantial risk. Failing to do so can have severe consequences: for instance, the most recent Ponemon study revealed that third party mistakes cost nearly double that of a breach originating within an organization – $302 vs. $158 per record."

Lapidus offers a few of the top questions that every organization must ask its BAs and other third-party partners.

1. What type of background check do you perform on your employees? Unfortunately, malicious insiders still count for a significant portion of data breaches. One way to mitigate this risk is to ensure that your BA thoroughly screens all its employees, which demonstrates an organizational commitment to safety and security. Moreover, you can require BA employees with access to your data, assets or facilities to be subject to a background check that mirrors your own internal policies or standards.

2. How and where will our data be stored? Accessed? Shared? Transmitted? It is imperative that the CE understand exactly where and how its data will be stored with BAs. Stringent access controls should be in place, as well as sufficient storage, transmittal and physical security measures. If a BA is located outside the United States, it may be more difficult to enforce contractual agreements if the vendor is in a country with lax security and notification laws.

[See also: HHS announces proposed changes to HIPAA]

3. Do you have a comprehensive privacy awareness training program for employees? Training is the cornerstone of any privacy awareness program. Why? Because policies and procedures are only as good as the employees who implement them. A BA’s employees should be trained to recognize sensitive information and to carry out proper handling techniques. They should be taught to recognize an exposure event and reminded of the proper procedure for escalating news of the exposure within the organization. Finally, they should be aware of legal, contractual, or regulatory consequences associated with a data breach. The HHS Notice of Proposed Rulemaking released last year made it clear that HHS is considering fines and penalties to BAs that breach PHI as well.

4. Will you allow us to perform an onsite review or audit? An on-site review provides your organization with a firsthand glimpse of how information is stored, transmitted and utilized by the BA. Periodic review can be written into the contract to ensure that security adherence is maintained. Also helpful to initial due diligence is determining if the BA is accredited under recognized international standards or has received a security audit from a well-known and trusted assessment group, or is already a CE under HIPAA.

5. Do you have an incident response plan in place? Let’s face it, even the best-planned alliances can experience security gaps that represent opportunity for breach or fraud. Therefore, it’s important to have contingencies accounted for, as well. Be sure to determine the scope and depth of the BA’s incident response plan, including mandated provisions to notify the CE if an event occurs, and without unreasonable delay.

6. What subcontractors will you utilize, and how is PHI/PII disclosed to them? Once the final rule for HIPAA/HITECH is established, BAs may be required to obtain assurances from their own subcontractors in the form of BAAs. For this reason, consider asking up front whether any of your organization's information will be disclosed to any of the BA's subcontractors. This helps identify the risk level and makes it possible to account for access to and disclosure of PHI. A recent Office of Civil Rights proposed rule states that CEs must account for BA disclosures, or require the BA to do so themselves. BAs will also be required to respond directly to individual requests for an accounting of disclosures.

For more information, click here or read Kroll’s blog, “A Dialogue on Data Security.”

[See also: Cignet fined $4.3M for violating HIPAA Privacy Rule]

Reader Comments (1)

dberger05 says: Why Business Associates Should Be Pro-Active About Security Now
June 09, 2011 | 11:27PM GMT

In mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule — and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), has called the extension of direct liability to business associates “a sea change” in the regulations. Read why Redspin thinks the time for business associates to take action is NOW.
