Simplify HIPAA Security Rule Assessments
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66, now at Revision 2 (SP 800-66r2), was developed to help healthcare delivery organizations (HDOs) and other regulated entities understand the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and it provides a framework for implementing the rule's requirements.
The HIPAA Security Rule applies to any organization that creates, receives, maintains or transmits electronic protected health information (ePHI), whether it is a covered entity or a business associate (e.g., a third-party vendor, supplier or partner). Among other things, the rule requires these organizations to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
Following the guidance and best practices in NIST SP 800-66r2 helps healthcare organizations simplify their HIPAA Security Rule compliance.
Understanding the HIPAA Security Rule
NIST SP 800-66r2 recommends seven steps for a comprehensive risk assessment of ePHI (the method is consistent with the NIST SP 800-30 risk assessment process). The table below maps Prevalent capabilities to each step, showing how a third-party risk management solution can support these practices.
NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.
Recommended Steps & Tasks | How We Help
---|---
1. Prepare for the Assessment. Understand where ePHI is created, received, maintained, processed or transmitted, and define the scope of the assessment. | Prevalent partners with you to build a third-party risk management (TPRM) program based on proven best practices and real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program across the entire third-party risk lifecycle, from sourcing and due diligence to termination and offboarding. Prevalent identifies fourth-party and Nth-party subcontracting relationships through a questionnaire-based assessment or by passively scanning the third party's public-facing infrastructure. The resulting relationship map depicts the information paths and dependencies that could expose your environment to risk. Suppliers discovered this way are continuously monitored for financial, ESG, cyber, business and data breach risks, and are screened against sanctions and PEP lists. Once third and fourth parties are identified, you can use the 750+ pre-defined assessment templates in the Prevalent Platform to assess business associates against NIST, HIPAA or other requirements.
2. Identify Realistic Threats. Identify the threat events and threat sources applicable to the regulated entity and its operating environment. | Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response.
3. Identify Potential Vulnerabilities and Predisposing Conditions. Use internal and external sources to identify potential vulnerabilities. Internal sources include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports; external sources include internet searches, vendor information, insurance data and vulnerability databases. | Prevalent normalizes, correlates and analyzes information across inside-out risk assessments (questionnaires completed by the vendor) and outside-in monitoring (evidence gathered without the vendor's involvement). This unified model provides context, quantification, management and remediation support for risks, and uses the external monitoring data to check whether the internal controls a vendor claims are actually present and effective.
4-6. Determine the Likelihood and Impact of a Threat Exploiting a Vulnerability, and the Resulting Level of Risk. Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability. Determine the impact (operational, individual, asset, etc.) on ePHI if a threat event exploits a vulnerability. Assess the level of risk (Low, Medium, High) to ePHI from the likelihood and impact determined in the previous steps. | The Prevalent Platform lets you define risk thresholds and categorize and score risks by likelihood and impact. The resulting heat map helps teams focus on the most significant risks first.
7. Document the Risk Assessment Results. Record the results of the risk assessment. | With Prevalent, you can generate a risk register upon survey completion that integrates real-time cyber, business, reputational and financial monitoring insights to automate risk review, reporting and response. From the risk register, you can create tasks tied to risks or other items, track task status through email rules linked to the platform, and use built-in remediation recommendations and guidance. The solution automates TPRM compliance auditing by collecting vendor risk information, quantifying risks and generating reports for dozens of government regulations and industry frameworks, including NIST and HIPAA.
Mapping Prevalent Capabilities to NIST SP 800-66r2 HIPAA Security Rule Requirements
NIST SP 800-66r2 presents security measures that are relevant to each standard of the HIPAA Security Rule. The table below identifies specific business associate measures and maps Prevalent capabilities that help to satisfy the requirements.
Key Activity & Description | How We Help
---|---
5.1.9 Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)). HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. |
1. Identify Entities that are Business Associates Under the HIPAA Security Rule | Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party's public infrastructure. The resulting relationship map shows the information paths and dependencies that could open paths into your environment. Prevalent also offers a pre-contract due diligence assessment, scored on eight criteria, to capture, track and quantify the inherent risk of every third party and business associate during onboarding. From this inherent risk assessment, your team can centrally manage all business associates, automatically tier suppliers, set the appropriate level of further diligence and determine the scope of ongoing assessments.
2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met | Prevalent centrally measures third-party KPIs and KRIs, reducing the risk from gaps in vendor oversight by automating contract and performance assessments. When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization's post-contract exposure.
3. Written Contract or Other Arrangement | Prevalent centralizes the distribution, discussion, retention and review of vendor contracts, and offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With these capabilities, you can ensure that the right clauses, such as security protections for ePHI and workforce training, are in the contract, are enforceable and are communicated to all stakeholders.
5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)). HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. |
1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule. Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity. 2. Contract Must Provide that Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI. In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section. | Prevalent centralizes the distribution, discussion, retention and review of vendor contracts, and offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With these capabilities, you can ensure that the right clauses, such as security controls enforcement, auditability, incident response, breach notification and fourth-party subcontractor arrangements, are in the contract, are enforceable and are communicated to all stakeholders.
3. Contract Must Provide that Business Associates Will Report Security Incidents | In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks and accessing remediation guidance. Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world, including the types and quantities of stolen data, related compliance and regulatory issues, and real-time vendor data breach notifications. Combined with continuous cyber monitoring, this gives organizations a comprehensive view of the external information security risks that can affect operations.
4. Other Arrangements. The covered entity complies with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). 5. Business Associate Contracts with Subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. | In addition to ensuring that business associate contracts contain provisions for assessing fourth-party risk, Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party's public infrastructure. The resulting relationship map shows the information paths and dependencies that could open paths into your environment.
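Both tables above (step 1 of the risk assessment, and key activity 1 under 5.1.9) refer to discovering fourth-party relationships by passively scanning a business associate's public-facing infrastructure. The script below is an added illustration of that idea and is not Prevalent's code: it infers a vendor's subprocessors from the DNS records anyone can query (SPF include mechanisms show who sends mail on the vendor's behalf, MX records show who receives it, and CNAME targets show which CDN or cloud provider fronts its web applications) and builds a small relationship map of "information path to provider". The zone data, the domain vendor.example, the provider suffix mapping and all function names are constructed assumptions so that it runs offline; a real scan would replace the `DNS` dictionary with live lookups.

```python
"""Infer a business associate's fourth parties from its public DNS records.

Added example, not code from the original page. All DNS data below is
constructed (assumed) so the script runs offline; replace lookup() with
real queries to run it against a real domain.
"""
import re
from collections import defaultdict

# Constructed zone data for a hypothetical business associate, vendor.example.
DNS = {
    ("vendor.example", "TXT"): [
        "v=spf1 include:_spf.google.com include:mailgun.org ~all",
    ],
    ("vendor.example", "MX"): ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
    ("www.vendor.example", "CNAME"): ["vendor.example.cdn.cloudflare.net"],
    ("app.vendor.example", "CNAME"): ["prod-lb-12345.us-east-1.elb.amazonaws.com"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:35.190.247.0/24 ~all"],
    ("mailgun.org", "TXT"): ["v=spf1 include:spf1.mailgun.org ~all"],
    ("spf1.mailgun.org", "TXT"): ["v=spf1 ip4:198.61.254.0/23 ~all"],
}

# Hostname suffix -> provider. An assumed, deliberately small mapping; a real
# scanner would use a much larger curated list.
PROVIDERS = {
    "google.com": "Google Workspace",
    "mailgun.org": "Mailgun",
    "cloudflare.net": "Cloudflare",
    "amazonaws.com": "Amazon Web Services",
}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns the constructed records above."""
    return DNS.get((name, rtype), [])


def provider_for(hostname):
    """Map a hostname to a known provider by domain suffix, or None."""
    host = hostname.rstrip(".").lower()
    for suffix, provider in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def spf_includes(domain, seen=None):
    """Return every domain reached by following SPF include: mechanisms.

    RFC 7208 limits an SPF evaluation to 10 DNS-querying mechanisms, so stop
    once that many domains have been visited; this also prevents a looping
    or maliciously deep include chain from running the scanner forever.
    """
    seen = seen if seen is not None else set()
    if domain in seen or len(seen) > 10:
        return seen
    seen.add(domain)
    for txt in lookup(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for included in re.findall(r"\binclude:(\S+)", txt):
            spf_includes(included, seen)
    return seen


def relationship_map(domain, hosts=()):
    """Return {provider: sorted list of information paths} for a domain.

    Paths are the evidence trail: which SPF include, MX record or CNAME
    target revealed the provider, so each edge in the map can be audited.
    """
    found = defaultdict(set)
    for included in spf_includes(domain) - {domain}:
        provider = provider_for(included)
        if provider:
            found[provider].add(f"SPF include:{included}")
    for mx in lookup(domain, "MX"):
        provider = provider_for(mx)
        if provider:
            found[provider].add(f"MX {mx}")
    for host in hosts:
        for target in lookup(host, "CNAME"):
            provider = provider_for(target)
            if provider:
                found[provider].add(f"CNAME {host} -> {target}")
    return {provider: sorted(paths) for provider, paths in found.items()}


if __name__ == "__main__":
    for provider, paths in relationship_map(
        "vendor.example", hosts=["www.vendor.example", "app.vendor.example"]
    ).items():
        print(provider)
        for path in paths:
            print("  ", path)
```

Each provider in the output is a candidate fourth party that should be confirmed with the vendor and then carried into the inherent risk assessment: a mail provider in the SPF record handles any ePHI sent by email, and a CDN or load balancer in front of an application terminates TLS and sees request bodies. The scan is passive (only DNS queries against public records), which is why it can be repeated on a schedule as part of continuous monitoring.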