A new study conducted by the Ponemon Institute indicates that many business associates do not notify the organizations that engaged them when a data breach occurs, either during the investigation or after the cause of the incident has been determined. In fact, 47 percent of those polled either have no timeframe for notification or do not notify the organization at all.
These findings are alarming on their own, but they are especially damaging for organizations in the health care industry, where the new HIPAA Omnibus Final Rule broadens the definition of a data breach and calls for stricter enforcement and greater penalties. The Omnibus Rule took effect in March 2013, although organizations have until September 2013 to comply.
Under the Omnibus Rule, most incidents in which protected health information (PHI) is lost or stolen are now presumed to be a breach unless the organization can demonstrate otherwise through a documented risk assessment. In the past, an incident was not considered a breach unless the disclosure of the PHI violated the privacy rules and posed a significant risk of harm to the affected individuals. The bottom line, according to privacy attorneys, is that this will cause an enormous spike in the number of reported data breaches, meaning organizations will have to notify affected individuals, the Department of Health and Human Services and, for larger breaches, the media far more often.
The regulation affects not only health care organizations but also their third-party vendors and those vendors' subcontractors. In other words, any company hired by a health care organization to handle PHI is directly responsible for protecting that information, to the same extent as the covered entity itself. This includes third-party vendors that handle marketing, payment processing or cloud services.
The good news is that vendors may start to be more careful with PHI, which may in turn reduce the number of breaches caused by third parties. The bad news is that it could take years for those results to materialize. There are, however, mechanisms that can be put into place now to make the transition smoother. Here are five tips to help organizations work with third-party vendors.
1) Be specific in your business associate agreements
Although business associate agreements have always been required under HIPAA, they now need to be more specific. Spell out exactly how the business associate is permitted to use your patients' PHI, which disclosures are allowed, and what the associate must do (and how quickly) when an incident involving that PHI occurs.
2) Provide guidance and training
Write policies that explain your data handling practices and train your vendors on how to comply with them. Your policies should also include strict enforcement procedures. Enforcement matters because negligence and lost or stolen devices are the top causes of data breaches involving third parties, according to Ponemon: the study found that 55 percent of such breaches were caused by negligence and 39 percent by lost or stolen devices.
3) Lead by example
Improve your own IT security and control procedures so that third-party vendors can see you are not asking them to do anything you do not do yourself. Stronger internal controls also help you prevent more breaches or, at the very least, detect them at an earlier stage.
4) No more double standards
Third-party associates should be held to the same standards as your in-house security team. Unfortunately, according to the Ponemon study, this is not always the case: organizations tend to require more of their in-house teams than of their vendors.
5) Evaluate third-party vendors before hiring them
Many organizations hire business associates without completing a thorough assessment. For instance, fewer than half of the organizations in the Ponemon study obtained evidence of a security certification, such as ISO 27001, before hiring a vendor, and only 9 percent audited the vendor's security and privacy practices before sharing sensitive information with it.
Following these tips can help you build a more collaborative relationship between your organization and its business associates while reducing data breaches at the same time.
For more information, download the Ponemon Institute’s “Securing Outsourced Consumer Data” study.