HIPAA and Vendor Management

Helping HIPAA and Vendor Management With The HITRUST Framework

Soon after the definition of “business entity” had been worked out, Congress introduced the Omnibus rule. With the establishment of the Health Information Trust Alliance (HITRUST), the HITRUST framework now assists with vendor management and HIPAA, which had unexpectedly become “a thing”. Managing patient health information can be compared to gathering evidence from a crime scene.

HIPAA and Vendor Management

If you recall the O.J. Simpson trial, you probably remember the bloody fingerprint. A blood sample taken from O.J. Simpson went missing during the police investigation: only 6 ml of the 8 ml drawn was accounted for, which raised suspicions of planted evidence. Although HIPAA may not be as exhilarating as a high-speed car chase, tracking a chain of evidence, or a chain of trust, matters a great deal.

What Does PHI Entail?

PHI comprises several types of information that health providers have access to. To understand the different ways the HITRUST Framework assists vendor management and HIPAA, you first need to learn the terms that fall under this umbrella.

Health Information

“Health information” includes information received or created by a health care provider, health care clearinghouse, health plan, public health authority, school or university, employer, or life insurer. The information can relate to the past, present or future physical or mental health of a person.

Individually Identifiable Health Information

“Individually Identifiable Health Information” encompasses all demographic information that can be traced back to a patient. In short, it covers any information that can be used to identify a specific person.

Protected Health Information

Protected health information (PHI) is all individually identifiable health information that is maintained in electronic media, transmitted through electronic media, or maintained or transmitted in any other medium. PHI excludes education records protected by the Family Educational Rights and Privacy Act, employment records held by a covered entity in its role as an employer, and the records described in 20 U.S.C. 1232g(a)(4)(B)(iv).

What is a Business Associate?

Under the Health Insurance Portability and Accountability Act (HIPAA), a business associate is any entity or person, other than a member of a covered entity’s workforce, that provides services to or carries out activities and functions on behalf of a covered entity and has access to PHI. A business associate could be a cleaning service that works around files or a cloud storage vendor.

How is Health Information Exchange Related to This?

Health information exchange is one of those common IT terms that carries several meanings. In essence, it refers to the sending and receiving of digital information between providers. In other contexts, the term describes the broader movement of information between stakeholders. In terms of how the HITRUST Framework aids vendor management and HIPAA, health information exchange can also refer to the entity that facilitates that movement of information.

Health information exchange can therefore cover every vendor that handles your patient data. Vetting those vendors is crucial because of the security concerns attached to that information.

What Does a Chain of Trust Partner Agreement Mean?

Although HIPAA vendor management is akin to other types of vendor monitoring, it is more invasive, especially if you are the vendor. Under HIPAA, working with vendors means trusting them not only with your own information but also with your clients’ information. While this may not require you to complete an SSAE 18 review and be SOC compliant, you do have to know how your vendors oversee their information security measures and how they interact with the information.

You can think of a chain of trust partner contract as a written trust fall exercise. “Trust falls” used to be a staple of corporate training, and a chain of trust agreement is the grown-up, contractual form of the same idea. The business entity at the top of the chain enters into a contract with its vendor.

That relationship is covered by the agreement between the business entity and the vendor. However, the vendor may in turn rely on vendors of its own. So even though those downstream vendors are somewhat removed from the original business entity, they are still connected to it through the functions they perform for the vendor in between.

How the HITRUST Framework Assists HIPAA and Vendor Management by Alleviating the Impact on Your Business

If your business falls anywhere within the scope of a business entity, you need to work out how to comply with HIPAA.

Most HIPAA compliance requirements also appear in other frameworks, particularly those that govern information systems such as FISMA, ISO, and NIST. However, if you are planning to implement HIPAA, or have already done so, you should focus on the gaps that may remain.
