MedCity Influencers

“Here, There and Everywhere”: Vendor Risks in the Health Care Sector

As health care becomes increasingly dependent on third-party vendor services, provider and technology entities must remain focused on the risks that their vendors present.

Many of the recent conversations regarding risk to health care provider and technology entities, whether arising from state and federal regulatory enforcement or from litigation, center on the relationships that such entities have with their third-party vendors. All economic sectors spend significant resources attempting to address vendor risks, but because of the sensitivity of the information that entities in the health care sector create, hold, and process, and because of the life-and-death services that such entities provide, the fall-out from any single vendor issue can be far larger than in other industries. Given a health care sector that is increasingly dependent on third-party vendor services, health care provider and technology entities must therefore remain focused on the risks that their vendors present, and on reducing those risks as much as possible.

Health care provider and technology entities increasingly use third-party vendors to decrease overhead costs and increase efficiency. Generally speaking, outsourcing tasks to vendors requires not only depending on those vendors for operational availability, but usually also providing them with large amounts of sensitive information. For example, most health care provider entities use vendors for everything from patient care and patient communications to requesting, tracking, and auditing reimbursement for that care. Such tasks involve both personally identifiable information protected by state laws and protected health information ("PHI") covered by HIPAA. Where a vendor creates, receives, maintains, or transmits PHI on the entity's behalf, the vendor is a business associate under HIPAA, and the relationship must be governed by a business associate agreement.

Of course, not all third-party vendors are created equal in this respect. The risk presented to a health care entity by a vendor relationship reflects both the nature of the services provided and the information the vendor needs in order to provide those services. Given this, health care provider and technology entities should think of vendor risk as a scale, as in the graph below, with two axes: how dependent the entity is on the service, and how sensitive the information provided to the vendor is. Risk increases along either axis. A vendor on the "high" side of either axis must be evaluated more stringently than a vendor on the "low" side of both axes.

[Figure: vendor risk scale. Risk presented by the vendor increases with the entity's need for the services (one axis) and with the sensitivity of the information provided to the vendor (the other axis).]

Obviously, the specific risks posed by third-party vendors vary significantly. However, health care provider and technology entities should address at least the following types of enterprise risk.

  • Use or disclosure of information (identifiable or proprietary) by the vendor that is not provided for under the services agreement or under state or federal law, including the vendor using the entity's data to develop its own additional products or services that are not provided to the entity.
  • Negligence or neglect by the vendor in the provision of services, potentially resulting in harm to individuals.
  • Disruption of the services provided by the vendor, whether from a natural disaster, an outage, or a security incident.
  • Data breach at the vendor, whether caused by an insider threat, a cyber-attack, or employee error.

So, where should health care provider and technology entities start when it comes to evaluating third-party vendor relationships?

  • Of course, they should start by understanding the goals of the relationship: what specifically does the entity wish to achieve with this particular third-party vendor? Often the only articulated goal is that one person or one department wants to engage the vendor, and that should not be good enough. Given the risk posed by most vendors, the entity should be able to articulate the specific benefits the vendor's services bring to the entity, so that it can weigh those benefits against the risks the relationship presents.
  • Next, the entity should understand what information the third-party vendor actually needs in order to provide the services. Quite often vendors request access to information that arguably is not necessary for the services contemplated. The entity should consider not only how to limit the information provided to the vendor, but also how to limit the vendor's processing of that information and any future uses or disclosures of it. For PHI, HIPAA's minimum necessary standard points in the same direction.
  • The entity should then consider how best to address the risks posed by the relationship, given the services provided and the information necessary for them. Should the entity build in additional contractual requirements? Should it implement additional technical controls? Would indemnification or insurance help address the risk? What other actions can the entity take?

As part of these risk mitigation strategies, health care provider and technology entities must understand the legal requirements applicable to any third-party vendor relationship and apply those requirements to it. Therefore, as entities evaluate the risks of a vendor relationship, they should decide what legal "baseline" to use for both the risks associated with the services provided and the risks associated with the information necessary for those services. For example, for PHI, HIPAA arguably constitutes the baseline. For donor PII, the law of the state where the donor resides arguably provides the baseline. As such, health care provider and technology entities often confront a patchwork of legal requirements applicable to any particular vendor relationship, and they will need to determine the best baseline to apply in each case.

Naturally, health care provider and technology entities should also try to avoid the common pitfalls that parties experience when engaging with vendors, including the following.

  • Inadequate communication or lack of clarity in communications between the parties, particularly with regard to contracts or other agreements between them.
  • Failure to monitor the vendor's performance against the contracted purpose and services.
  • Failure to properly assess vendor risks both before and during the arrangement, particularly when the services change.
  • Overreliance on boilerplate language in contracts, including in data processing agreements or HIPAA Business Associate Agreements. Using a one-size-fits-all contract may not sufficiently address risks.

Ultimately, risk can be mitigated. Reviewing third-party vendor relationships, the associated contractual arrangements, and the entity's other safeguards from several perspectives (necessary services, protection against disruption, information ownership and rights, security obligations, breach requirements, indemnification, and insurance, as outlined above) remains critical to such mitigation efforts.

Photo: erhui1979, Getty Images

Iliana Peters is a Washington, D.C.-based shareholder in national law firm Polsinelli's HIPAA/Health Information Privacy & Security practice. Iliana counsels clients on data privacy and security compliance, incident response, regulatory investigations, complex data sharing projects, including AI, and training matters. She also assists in defending clients in data privacy, security, and breach claims. Previously, Iliana served as Acting Deputy Director and Senior Advisor for HIPAA at the Department of Health and Human Services (HHS), Office for Civil Rights. In this role, Iliana developed information privacy and security policy, including on emerging technologies and cyber threats, for HHS, while coordinating with multiple federal agencies, State Attorneys General, and the White House. She spent years enforcing HIPAA regulations through spearheading multimillion-dollar settlement agreements and civil money penalties pursuant to HIPAA.

Hiba Al-Ramahi is a St. Louis-based associate in national law firm Polsinelli's HIPAA/Health Information Privacy & Security practice. Hiba provides strategic counsel to healthcare industry companies on a myriad of data privacy and cybersecurity matters.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.