Third-Party Relationships and Your Confidential Data

Post on 15-Jul-2015


Transcript of Third-Party Relationships and Your Confidential Data

© Grant Thornton LLP. All rights reserved.

CPE Credit is not available for viewing archived programs.

Please visit http://www.grantthornton.com/events for upcoming programs.

Third-Party Relationships and Your Confidential Data

Assessing risk and management oversight processes

Original Broadcast Date: September 2013


Presenters

David Reitzel, Grant Thornton LLP
Partner and National Health IT Leader, Health Care Advisory Services

Joined by

Mark Ruppert, Cedars-Sinai Medical Center
Chief Audit Executive


Learning objectives

• Describe how health care auditors and technologists can assist management by identifying compliance risks, and establishing effective vendor selection and monitoring as the use of third parties becomes more prevalent
• Identify various types of third-party relationships and the breaches most commonly associated with them
• Define the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule and key factors that management and internal auditors should consider when evaluating whether a breach has occurred in their organization


Agenda

• Electronic medical data
• HIPAA Omnibus Rule
• Third-party involvement
• Breaches
• Vendor selection, management
• Questions


Electronic medical data

• Volume has grown
• Definitions have grown
  – Protected health information, or PHI
  – Electronic protected health information, or ePHI
• Protection is required
  – HIPAA Omnibus Rule
• Protection rules are changing


HIPAA Omnibus Rule changes effective Sept. 23

• "Business associate"
  – Redefined as anyone who maintains paper PHI or ePHI
• ePHI use
  – New limits imposed on marketing and fundraising
• "Breach" and "risk"
  – Redefined and assessments required
• Penalties
  – Fines escalate with violation severity


What's a third party?

Businesses not under direct business control of the organization that engages them

Including:

• Vendors
• Distributors
• Suppliers
• Franchisees/licensees
• Joint venture or alliance partners
• Technology outsourcing providers


Cloud computing

The cloud: Server network and software managed by third party in private or shared environment

Risks:

1. Data security and controls
2. Data transmission
3. Multitenancy
4. Location
5. Reliability
6. Sustainability


Types of third-party relationships

• Infrastructure only
  – Vendor provides key structure but no apps or app support (e.g., third-party data centers)
• Managed apps
  – Vendor exerts some control over installation, maintenance, and support of infrastructure and apps
• All data
  – Vendor provides infrastructure and managed apps, as well as support, maintenance and disaster recovery (e.g., backup and recovery site)


Third-party risks

1. Increasing volume of electronic medical data
2. Increasing reliance on third-party vendors
3. Increasing risk from this reliance: Third parties have been responsible for almost half of all data breaches.


Determining a breach has occurred

• Could the patient be identified?
• Who received or used the information and to whom were disclosures made?
• Was the data actually acquired or viewed by someone who shouldn't have had access to it?
• What steps were taken to mitigate the risk? Has the recipient of the data given assurances that it was not used inappropriately?


Consequences of a breach: HIPAA notification rules

Covered entities and their business associates must notify:

• HHS
  – Report annually via a website for breaches affecting fewer than 500 individuals
• HHS and the media
  – Notify within 60 days of determination that breach affects 500 or more individuals and meets Federal Breach Reporting Requirements
• Patients
  – Notify per federal and state laws with varying notification requirements


Challenges for the organization

Selecting third-party vendors
• Risk-based criteria
• Due diligence

Monitoring third-party vendors
• Management oversight


Challenges for internal audit

Testing the organization's selection assessments
• Risk-based criteria
• Due diligence

Reviewing the organization's monitoring process
• Management oversight


Steps to establish effective controls

1. Identify your vendor population
2. Develop risk profile of all vendors
3. Focus first on highest-risk vendors
4. Maintain vendor screening
5. Establish ongoing monitoring process


Comments?

Questions?


The white paper

Third-party relationships and your confidential data: Assessing risk and management oversight processes

Association of Healthcare Internal Auditors (AHIA) Whitepaper Subcommittee

• Mark Eddy, CPA (HCA Healthcare)
• Michael Fabrizius, CPA (Carolinas HealthCare System)
• Linda McKee, CPA, AHIA Board Liaison (Sentara Healthcare)
• Glen Mueller, CPA, AHIA Whitepaper Subcommittee Chair (Scripps Health)
• Mark Ruppert, CPA (Cedars-Sinai Health System)
• Debi Weatherford, CPA (Piedmont Healthcare)


Contact information

David Reitzel, Grant Thornton LLP
Partner and National Health IT Leader, Health Care Advisory Services
david.reitzel@us.gt.com
312.602.8531

Mark Ruppert, Cedars-Sinai Medical Center
Chief Audit Executive
mark.ruppert@cshs.org
323.866.6900


Disclaimer

This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered.

For additional information on matters covered in this presentation, contact your Grant Thornton LLP adviser.


Thank you for viewing this presentation.

Visit us online at:

www.GrantThornton.com

twitter.com/GrantThorntonUS

linkd.in/GrantThorntonUS