Third-Party Risk Management in Healthcare: A Quick Overview


After publication, Venminder created and released a new, simplified third-party risk management lifecycle that is more user-friendly. Learn why we made this big change here. And, learn the stages of the new risk lifecycle here.


When it comes to third-party risk, regulators in the healthcare industry, such as the Office for Civil Rights (OCR), Centers for Medicare and Medicaid Services and the Office of the National Coordinator for Health Information Technology, are primarily focused on how health providers, plans and clearinghouses (otherwise known as covered entities) manage their third parties that help them carry out healthcare activities and functions (otherwise known as their business associates).

Typically, the primary guidelines on how they need to do this come from the Health Insurance Portability and Accountability Act (HIPAA), which OCR enforces, and the Health Information Trust Alliance (HITRUST) framework.

Decoding the Healthcare Lingo

The healthcare industry’s management of their third parties essentially has a language of its own, when compared to other third-party risk management programs. For example, a typical risk management question such as, “What are you doing to protect your organization from risks associated with outsourcing?” becomes:

“As a Covered Entity (CE), do you have Business Associate Agreements (BAAs) in place with any service provider that has access to Protected Health Information (PHI)?” or “How are you assuring your BAs are meeting the requirements outlined in the terms of the BAA?”

Unfortunately, I’ve noticed that because of this language barrier, some other important areas of vendor risk management take a backburner to service providers that specifically handle PHI. 

How to Translate for Third-Party Risk Management

Don’t get me wrong, HITRUST is one of the most comprehensive guidelines for information security out there.

It maps leading regulations which include:

  • FFIEC - Federal Financial Institutions Examination Council
  • ISO - International Organization for Standardization
  • COBIT - Control Objectives for Information Technologies by ISACA
  • AICPA - American Institute of Certified Public Accountants
  • NIST - National Institute of Standards and Technology
  • PCI DSS - Payment Card Industry Data Security Standard
  • HIPAA - Health Insurance Portability and Accountability Act
  • HITECH - Health Information Technology for Economic and Clinical Health Act
  • CRR - Capital Requirements Regulation (UK)
  • And more.

It also includes control objectives that are further broken down based on the size of the organization implementing them.

(Note: Size, according to HITRUST, is tiered based on how many “beds,” i.e., patients or member records, a company manages.)

HIPAA standards provide excellent guidance on how to protect the privacy of our health information without inhibiting services.

The Problem that Can Arise in Healthcare Vendor Risk Management

The problem is that since the regulatory language is focused on business associates, it’s easy to fall into the assumption that these are the only engagements that require the time and attention of risk management programs. Healthcare regulators by no means tolerate lapses in security, privacy OR risk management. However, these healthcare-specific requirements are best implemented when built on top of existing best practices, so that covered entities pay special attention to protected health information without neglecting the rest of their vendor population.

It’s important to remember that any organization that interfaces with customers, members, patients or clients poses risk, even if they are not exposed to protected health information, per se. There are also other areas of vendor risk, such as:

All of which can be a threat to your organization if not properly managed. Furthermore, we all know that it doesn’t take a signed contract to open us up to risk. Anyone that we interface, interact or integrate with could potentially pose a threat if we don’t properly maintain our own security.

Follow the Third-Party Risk Management Lifecycle

No matter what industry you fall into, the Golden Rule of third-party risk management is to follow the lifecycle. Getting a good process in place for the beginning to end management of all contracts and engagements is the best way to make sure you don’t miss anything.

In case you need a refresher, the lifecycle goes as follows:

The first stage is Scoping. Have a clearly defined scope of which vendors do and don’t need to go through the lifecycle process. To do this, you’ll need to define what a vendor is to your organization.

The second stage is Inherent Risk and Criticality Assessment. Here, you’ll perform a risk assessment to review the vendor’s inherent risk and determine exactly how critical they are to your organization. 

The third stage is Due Diligence and Residual Risk Determination. In this stage, you’ll begin your initial due diligence to analyze and verify that your prospective vendor meets your needs, comes with a risk level you’re comfortable with and is in regulatory compliance. This will ultimately lead you to the residual risk. 

The fourth stage is Vendor Selection and Contract Management. Now that a vendor has been selected, you’ll begin the contract process. Vendor contract management includes negotiating the terms of contracts and ensuring compliance, change management and ongoing maintenance of the relationship.

The fifth stage is Ongoing Monitoring. Ongoing monitoring is critical to the success of a vendor risk management program. As you may already know, risk fluctuates, and a vendor’s performance can change at any moment. This is why it’s important to periodically request, collect and reassess vendor due diligence.

Finally, the sixth stage is Termination. If you decide the vendor no longer meets your needs, then it may be time to end the relationship. This should involve facilitating a proper exit strategy and notifying the vendor of contract non-renewal. 

3 Healthcare Third-Party Risk Management Tips to Know

Once you have the lifecycle stages in place, consider the following 3 tips:

  1. Validate compliance with BAAs. It's one thing to make sure the BAAs include the language and terms required by HIPAA, but it doesn't always mean they're being followed. A solid third-party risk management program is the only way to truly protect your organization from risk.
  2. Round out your healthcare industry requirements. Leverage existing guidance on cross-industry standards for how to manage third-party risk.
  3. Pay attention to your contracts. Pay attention to all contracts, especially business associate agreements. Make sure to get your paperwork in order, sign a well-reviewed, mutually agreeable contract and continuously monitor.

Regardless of the industry, the formula works. However you want to slice it, it’s still our job to make sure we’re all doing our part to maintain security and the best interests of our partners, clients, stakeholders and customers.  
