Third-Party Risk Management in Healthcare: A Quick Overview

Healthcare and Third-Party Risk Management Key Terms

The healthcare industry uses its own lingo for third-party risk management requirements. There are several key terms to understand in healthcare and third-party risk management. 

• Covered entities – These are individuals and organizations required to comply with HIPAA requirements and ensure protected health information (PHI) is protected. This includes healthcare providers, health plans, healthcare clearinghouses, and business associates. 
• Business associates – A business associate is any third-party vendor that handles PHI on behalf of a healthcare organization. Examples of business associates include billing companies, IT vendors, and cloud services. 
• Protected health information (PHI) – This is information such as names, medical records, health plan numbers, and any other unique identifying numbers, characteristics, or codes. 

How Healthcare Organization Can Utilize the Third-Party Risk Management Lifecycle to Meet Industry Requirements

As data breaches continue to rise in the healthcare industry, the Department of Health and Human Services (HHS) has scrutinized HIPAA compliance with healthcare organizations and business associates. Healthcare organizations’ business associates must follow HIPAA regulations and ensure PHI is protected. Fortunately, there are easy-to-use third-party risk management best practices that can help. One of those is to follow the third-party risk management lifecycle. 

The lifecycle consists of three different stages, each with its own specific activities for identifying, assessing, and managing risks. Each of these activities can help healthcare organizations reach and maintain HIPAA compliance and ensure their business associates are, too. To achieve the best results, the stages and activities must follow a specific order, since each activity is typically informed by its preceding activities. 

Let’s examine the lifecycle stages and activities:

Onboarding

Onboarding is potentially the most important stage of the lifecycle, as it sets the foundation for the third-party relationship throughout the life of the contract. This stage includes:

• Planning & Risk Assessment: Organizations should plan for the relationship before entering into a contract with a third party or business associate. This involves identifying the need for the third party’s products or services, assessing the risks, and determining responsible parties for the relationship. Proper management and oversight should also be defined for the lifetime of the relationship.
• Due Diligence: To effectively address identified risks, it's important to ensure business associates or third-party vendors have appropriate risk management practices and controls in place. This can be verified through gathering and analyzing evidence of their control environment. Due diligence should be proportional to the risks and criticality of the engagement. Subject matter experts (SMEs) should conduct a thorough review and provide their qualified opinion on any gaps or weaknesses that require remediation.
• Contracting: Developing a well-written contract also further mitigates risks by legally obligating the business associate or third-party vendor to meet specific requirements for information security, privacy, regulatory compliance, breach notifications, and more. The contract should also call out the rights and responsibilities of the two organizations.

Ongoing

Once your contracts have been executed and your healthcare organization has formally entered into a business relationship, there’s a continuing need to monitor for emerging or changing risks and manage the third party’s performance.

• Re-Assessments: A periodic risk re-assessment verifies whether anything has changed in the business associate or third-party vendor relationship. The frequency of the risk re-assessment is determined by the risk and criticality of the engagement.
• Monitoring & Performance: Risk is always changing, so it’s essential to monitor new or evolving risks that can develop as a result of a business associate or third party’s declining financial health, a business-interrupting event, new laws or regulations, or changes in the industry. Likewise, it’s important to monitor how your business associates and vendors are performing against contractual service levels, best practices, and other expectations.
• Due Diligence: It’s important to conduct due diligence regularly rather than just once. This should continue throughout your relationship with a business associate or third-party vendor. By doing so, you can make sure that your organization collects, reviews, and analyzes their current risk management practices and control environment. This helps prevent serious incidents such as cybersecurity breaches and other events that can result from missing, ineffective, or failed controls.
• Contract Renewal: It’s important to review any contract before renewing it, to determine if negotiations or adjustments are necessary or if you want to terminate the contract altogether. By fully reviewing the contract well in advance of renewal or termination, your organization will have sufficient time to negotiate important provisions or prepare for contract termination

Offboarding 

Whether it’s the expected end of the contract or an early termination, sometimes business associate or vendor relationships must come to an end. It’s important to exit the relationship safely and securely.

• Termination: The first step is formally notifying the business associate or third-party vendor that the contract won’t be renewed, or it’s being terminated, taking into account all contractually required notification periods and clauses.
• Exit Plan Execution: The exit plan includes details for the business associate or vendor’s tasks and responsibilities and how they’ll return or destroy any sensitive data. It should also include contingencies in case the business associate or vendor cannot or will not fulfill their duties as agreed upon.
• TPRM Closure: As a final step, it’s important to complete all administrative tasks related to the end of the relationship, such as reviewing final invoices before payment and updating systems of records such as third-party risk management, accounts payable, or access management, to reflect the current status of the relationship. Properly organizing and storing records and documentation and ensuring they are accessible for audits, regulatory exams, or legal reviews is essential.