Security breaches caused by healthcare providers’ business associates (BAs) are surging. Several major incidents in 2018, some of which were reported only in the last month, have compromised the privacy of over 20 million patients. So it is no coincidence that a group of major hospitals and hospital systems have come together in a formal, concerted effort to bring better vendor risk management standards to the industry. Individually vetting and contracting with hundreds, even thousands, of business associates per institution, which is now the norm, and then managing each one’s security service levels, has become a near-impossibility for many hospital security teams.
Maybe this challenge seemed manageable to the Department of Health and Human Services’ Office for Civil Rights (OCR) in 2013, when it expanded the HIPAA regulations to place greater liability for breaches on business associates. But with the explosion of outsourcing to digitally-founded BAs since then, Chief Information Security Officers have found their jobs unmanageable — to the detriment of patients’ privacy and hospitals’ systems security. The Provider Third-Party Risk Management Initiative aims to change that.