Healthcare covered entities rely on a large and diverse group of vendors to deliver care and operate their businesses. Many of these third parties perform functions or activities that include the use or disclosure of protected health information either on behalf of, or during the provision of services to, the covered entity.
Other vendors may have no or only limited contact with protected health information but provide products or services that may otherwise introduce cyber risk to a covered entity’s environment. Still other vendors have no or limited contact with protected health information and pose no cyber risk to the organization.
Distinguishing between these types of relationships, and understanding both the level of due diligence that should be performed and the appropriate contractual language to put in place to address cyber risk and protect patients’ health information, is no easy task. As a result, organizations face an increasing struggle to manage the cyber risk associated with their vendor relationships.
Vendors who wish to sell their products and services to covered entities, particularly those in the first two groups described above, face their own compliance and cyber risk challenges.
- First, they need to comply with applicable laws and regulations. If they fall under the definition of a business associate, it means compliance with HIPAA.
- Second, they want to understand and manage their own cyber risk in order to protect their business and customers.
- Third, they need to convince their customers that they are a low-risk choice by attesting to and/or demonstrating in some way that they are actively managing cyber risk in their own organizations and/or considering it in the development of their products.
Balancing and achieving these objectives, while not being overwhelmed by risk surveys and other requests for information flooding in from customers, is also no easy task.
This webinar will explore the challenges of managing vendor cyber risk from both covered entity and vendor perspectives. HIPAA compliance requirements will be discussed along with cyber risk management, contractual considerations and due diligence approaches.
Attendees will gain a better understanding of the following:
- Who qualifies as a business associate and when a business associate agreement is required.
- What a business associate agreement should contain.
- What “satisfactory assurances” means in the context of HIPAA.
- How, and whether, covered entities should understand and manage vendor cyber risk beyond a business associate agreement.
- What a vendor should consider before entering the healthcare market.
- The differences in HIPAA requirements for a business associate versus a covered entity.
- How a business associate can best demonstrate its compliance with HIPAA and the maturity of its cyber risk management program.
Date & Time
January 31, 2019
11 am – 12 pm CT