Vendor management is clearly an important topic, and, judging by its audit focus, an important one to the OCR as well. The new audit program OCR launched this past November is just ramping up with the first 20 audits, but we are already beginning to see some of the areas it is emphasizing. One of those is the relationship between the Covered Entity (CE) and the Business Associate (BA). Questions asked by auditors covered the entire lifecycle of the contracting process and the relationship with business associates. This should hardly surprise anyone, given that nearly half of all major breaches reported in 2011 involved vendors and more than 70% of the records exposed have been associated with those incidents.
Areas addressed included evaluation of the service against the minimum necessary standard, the contracting process, the business associate agreement, evaluation of vendor security, ongoing monitoring of vendor security, joint responsibilities when security incidents occur, and actions upon termination. The emphasis was on obtaining documentation sufficient to demonstrate that enough due diligence was performed to warrant sharing PHI with confidence.
The implications are clear. If audited, organizations need to be able to demonstrate that they exercised due diligence in every contractual relationship that requires or involves sharing access to, or receipt of, ePHI. This means making sure that security is addressed in the contractual documents, that a formal BAA is in place, that they have received and reviewed items such as SAS 70 or SSAE 16 reports, Disaster Recovery and Backup Plans, and the like, and that they can attest to the vendor's ability to adequately safeguard the data and systems being shared. It means understanding and communicating the minimum access and information necessary to support the business purpose of the agreement. It means monitoring the relationship through periodic updates of that documentation, site visits where appropriate, and similar checks. It means having clear policies and procedures for responding to suspected security incidents and notification protocols in the event of a breach. It means understanding and planning for contract termination and the appropriate disposition of the information and the access that was granted. It means receiving documentation of services performed where appropriate, such as Destruction Certificates from vendors who dispose of systems or sensitive information. And it means being able to connect the dots between your vendor management policy, the contractual requirements of the relationship, and actual vendor performance, through multiple checks and supporting documentation.
This, of course, only covers the compliance waterfront. CEs will also want to address matters such as indemnification and the costs associated with security incidents. For those I'll allow my legal colleagues to comment. Suffice it to say that vendors represent a very important part of the business, and vendor management is going to require much more serious consideration going forward.