Implementing a Business Associate Risk Management Program for Healthcare Outsourcing

Hiring a third-party vendor for your healthcare business can expose your practice to significant security risk. The risk is heightened further when the vendor in turn hires a subcontractor. Healthcare outsourcing therefore entails a lot of complex decision making.

A HIPAA risk assessment is the first aspect you should consider when selecting a healthcare outsourcing company. HIPAA requires you to obtain a written compliance assurance from your partner. If you fail to do so, the Office for Civil Rights may hold you responsible in the event of a breach and may impose penalties on you as well.

Therefore, you must first assess the healthcare outsourcing company’s compliance with HIPAA regulations. Next, you should evaluate their data integrity processes and their capabilities. Ideally, a security or privacy officer should observe everything firsthand.

Parameters to Consider for Healthcare Outsourcing Company

Let us now look at the various parameters a healthcare outsourcing company should fulfill in order to be your partner.

1. Policy Driven

Your prospective healthcare outsourcing partner’s processes must be driven by a documented set of privacy and security policies. You should request these policy documents and review them to understand the extent to which they meet HIPAA requirements. The policies should cover the vendor’s employees, contractors, volunteers, and other members of their workforce.

Security Program

In the policy, you must look for an active security / privacy program. The program must align with HIPAA requirements and sync with your practice’s security program. It must also include continuous security administration activities to evaluate, monitor and mitigate security threats.

The program must be particularly tuned towards discovering breaches quickly, and it should include an incident response plan to manage them. You must also look for annual HIPAA training initiatives in the program. One clause you can make mandatory in the agreement is that the vendor carries out privacy / security assessments annually and submits the report to your organization.

2. Sub-Contract Agreement

Every healthcare outsourcing partner enters into a subcontracting agreement at some point. Therefore, while evaluating a prospect, look at the kind of agreements they have for subcontracted jobs.

In these agreements, you need to check whether they impose appropriate data security and privacy requirements on the subcontractors. Further, the agreement must be clearly documented with all clauses and sub-clauses, including the termination clause.

Where there are several subcontractors, it is advisable to examine the security agreement with the primary sub-vendor and randomly check the agreements with the other vendors.

3. Safe Infrastructure

Your healthcare outsourcing partner should also have the right physical security protections in place, in addition to process protections. The assessment must cover facility access and every other physical security measure in the workplace.

This assessment should be carried out onsite. You must visit the facility even if it is an offshore destination. The visit is especially important if the vendor is likely to have easy access to most of your critical data. The physical security inspection must also cover the disaster recovery program or backup plan and the redundancies implemented to avert data loss.

4. HIPAA Breach Report

The initial assessment of a reputed healthcare outsourcing vendor may look rosy. The fact remains that at one point or another a vendor or a subcontractor will have experienced HIPAA breaches, much like the minor accidents most drivers are involved in over their driving years.

Therefore, your evaluation process must request a HIPAA breach report. It will help you spot the HIPAA breaches they may have caused or been part of, and it will also throw light on the corrective steps they took. You must look into the impact of the breach history on their clients and how difficult it was for them to recover from the breach.

The most important part, however, is to investigate the vendor’s corrective measures. They must be quick and robust enough to justify entering into a contract.

5. Financial Stability

It is also critical to look into the financial stability of the healthcare outsourcing vendor. A stable vendor will always seek to grow and expand, and stability reassures you that the vendor is not vulnerable to failure, which averts the chance of them cutting corners on data security. Therefore, you must also request and take an in-depth look at the vendor’s financials.

You Must Never Stop Evaluating Your Healthcare Outsourcing Company

Your risk assessment process is far from over even after you have zeroed in on a healthcare outsourcing company. Due diligence is a key aspect of vendor evaluation and should ideally be continuous. This means that even after the healthcare outsourcing vendor is on board, you need a continuous process for monitoring their performance. You must entrust this task to a dedicated officer. The officer must regularly monitor the vendor’s performance against the SLA and every privacy and security related activity. This includes receiving and evaluating reports on a yearly basis. The evaluation can be made comprehensive and end-to-end by including all reports provided to the vendor by its subcontractors.

All said and done, your vendor risk management program can only be effective if your security / privacy officer is held accountable for aberrations. In many hospitals, this HIPAA-required role is assigned as a part-time duty to staff members, and in some practices it is given low priority. Resource constraints may be a major problem, but that should never be an excuse to make this a low priority requirement. The fact of the matter is that any compliance program driven by someone who is not specialized, whether part-time or full-time, is bound to fail.