No organization can afford the risk of inadequate data protection, particularly when business associates are handling sensitive patient information. Under the HIPAA Omnibus Rule, business associates of covered entities are directly liable for HIPAA compliance. However, in reality, although healthcare organizations enter into comprehensive business associate agreements, many fail to hold vendors accountable for maintaining the privacy and security of patient information.
Protecting sensitive data needs to top the list of priorities, as a data breach is not only expensive but also results in a tarnished reputation, embarrassment and additional scrutiny. Risk management expert Rocco Grillo believes that a mature vendor risk management program can help identify all deficiencies. He opines that every healthcare organization needs to develop a vendor management program with razor-sharp requirements to help prevent data breaches involving business associates. Beyond this, healthcare entities also need to conduct periodic audits of business associates to ensure that they are taking appropriate security steps. Grillo suggests that healthcare organizations must:
- Conduct due diligence research on a vendor before signing a contract with it as a business associate
- Ensure that if a BA has access to PHI [protected health information], appropriate controls are in place, as an absolute necessity, to avoid loss of money and reputation
Grillo goes on to emphasize that while you can outsource the function, you can’t outsource the risk. The vendor may be accountable on paper, but in reality it is the data owner who has to bear the brunt of being in the headlines for the wrong reasons.
There’s a lot at stake when you’re protecting private data or when you are faced with a data breach. It is important to adopt a proactive approach that prevents breaches rather than merely reacting to breach incidents. While the precautionary steps suggested by Grillo can greatly reduce risks and associated costs, platforms like Aegify SecureGRC help automate the security, risk, and compliance management processes for all external vendors and sub-contractors. eGestalt’s vendor management solution helps prevent breaches and lets you know how far your vendors and business associates have progressed in their compliance efforts. Gain complete visibility and control over the security and compliance posture of all your vendors with eGestalt.