
Written by Ayla Ellison | May 12, 2014, Becker’s Hospital Review

 

In a May 7 webinar provided by eHealth Initiative and sponsored by PwC, experts from PwC and Independence Blue Cross discussed protecting patient information and data security measures to utilize when dealing with third-party vendors and business associates.

The webinar featured Mick Coady, principal and health information privacy and security leader at PwC, Mark Lantzy, independent consultant, and Dave Snyder, chief information security leader and director of information security and risk management offices at Independence Blue Cross.

The panel of experts provided the following tips to healthcare organizations for protecting patient information when dealing with third-party vendors:

1. Make a list of vendors. All healthcare organizations should have a complete list of all the vendors they are currently doing business with, and a list of vendors they have done business with in the past, said Mr. Lantzy. Make clear what you expect from the vendor as far as deliverables and make sure they know you are going to hold them accountable and perform audits, he added.

2. Keep contracts up-to-date. “Relationships with vendors change,” said Mr. Snyder. With this, contracts need to be updated to ensure they accurately reflect the patient information vendors have access to as well as the exact work they are performing for the healthcare organization.

3. Rank vendors based on risk. Healthcare organizations need to send questionnaires to vendors to adequately assess what their vendors’ data security practices are and then rank those vendors based on security risk, said Mr. Lantzy.

“When you’re sending questionnaires to vendors, there has to be a link between how your business is run and those questions,” said Mr. Snyder. Healthcare organizations need to be able to show how the questions they are sending to vendors enable them to rank vendors based on risk, he added.

4. Perform audits. After ranking vendors based on risk, healthcare organizations need to then perform on-site audits of the high-risk vendors, said Mr. Snyder.

Although it becomes burdensome, periodic audits are crucial because when a data breach occurs, the hospital’s reputation is on the line, said Mr. Coady.

5. Use a team approach. Executives at healthcare organizations should “partner with the legal department and purchasing department to make sure all vendors are vetted through a similar process and all contracts are reviewed,” said Mr. Snyder. Data security is a priority that needs to be driven back through the entire business, and “pulling together the team approach works well,” he added.

Data security standards need to be set across the entire organization, said Mr. Lantzy. This requires establishing a culture of compliance throughout the entire business, he added.

 
