Security of Patient Data Survey Reveals Due Diligence is Spotty for Third Party Vendors


by Brian Lapidus, Senior VP of Strategic Partnerships, Kroll Advisory Solutions

Just weeks after the launch of the 2012 HIMSS Analytics Report: Security of Patient Data, the third installment of a survey Kroll Advisory Solutions conducts bi-annually of healthcare provider facilities in the United States, I remain amazed at the data that we learned from the participants in the study.

While the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Red Flags Rule (which requires a written identity theft prevention program) have certainly raised the baseline for protecting patient data, compliance alone cannot combat the industry’s biggest security threats; compliance and sound security must go hand in hand.

That same standard of security and compliance must apply not only to the healthcare organization itself, but also to every vendor the organization works with. Individuals involved in the employment screening process can play a key role in mitigating the risk of patient data breaches originating with third party vendors.

Healthcare Data Breaches on the Rise
It was no surprise that healthcare data breaches have continued to rise over the past six years, despite increasingly stringent regulatory activity surrounding reporting and auditing procedures. What did surprise me was the industry’s expectations of the vendors it works with on a daily basis. Expectations of third party data security practices are not keeping pace with the increased outsourcing of patient data, and that gap is a key indicator of why third party breaches are on the rise.

Based on our survey results, 18 percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause. Twenty-eight percent of respondents indicated that “sharing information with external parties” is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).

Given these staggering results, I think it is critical for organizations to be more mindful of their third party vendors and to conduct appropriate due diligence. Know who you are doing business with, ideally before the business relationship begins. Part of getting to know your vendor is the required security questionnaire, which gives insight into their security practices.

In addition, asking potential third parties to provide proof of industry-recognized security attestations, such as SAS 70 audit results, offers further validation that the organization is taking responsible, industry-recognized steps toward proper data security.

Make sure you have a Business Associate Agreement (BAA) in place that sets definitive rules on who is financially responsible for a data security event and spells out the notification requirements. Steps like these help keep security on your third party’s radar.

[Chart: due diligence practices applied to third parties handling patient data. Source: 2012 HIMSS Analytics Report: Security of Patient Data]

Enhance Security of Patient Data with Background Screening
To be truly comfortable with sharing your data, you may have to dig even deeper. Consider these interesting – and alarming – findings from the study: nearly all respondents (98 percent) require vendors to sign BAAs, as current regulations require, and yet only 56 percent require vendors to provide proof of employee background checks.

Although the majority of respondents use hiring practices such as background screening to secure patient data at their own facilities, half of them are content not to confirm whether this basic safeguard is in place where their data is outsourced. If you perform background checks, you should expect the same from your vendors.

At the end of the day, the third parties you work with should be viewed as an extension of your organization and should reflect your organization’s security profile. Your customers and patients won’t care that the mistake was the vendor’s; in their eyes, it will be yours.
