HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the Hcs PP certification course with Sai Buri
00:06
Managing Bird Party relationships. I'm your instructor, Shalane Hutchins.
00:14
In today's video, we're going to talk about relationship management
00:19
and comprehending compliance requirements.
00:27
So once the decision has been made to engage a third party vendor,
00:31
the contract because a key tool,
00:34
as we talked about before contracts with third parties are a critical component to the vendor management lifecycle.
00:42
Under HIPPA, third party vendors are classified as business associates and must execute a business associate agreement that spells out privacy and security compliance. Expectations
00:56
on the HHS website Template Languages provided for the provision that belong in a business associate agreement.
01:03
In addition to the B A A. Many primary entities also elect to have additional contractual provisions to be more specific about security requirements.
01:14
Contracts should also articulate the terms that cover the primary entities, expectations regarding the following
01:23
compliance with applicable privacy and security laws and regulations,
01:27
consideration for administrative, physical and technical controls.
01:33
How much notice the primary entity has to give before conducting an audit.
01:38
What time frame less the vendor adhere to from notifying the primary entity in the event of a breach.
01:46
Will the entity notify its customers, or will that be the responsibility of the vendor?
01:53
Additionally, terms should be drafted concerning where the data will be access, process or stored.
02:01
It's important to know the specific locations and ensure that the vendor will notify the primary entity. If there is a need to add change or remove a location,
02:14
it's important to set the expectation up front as to whether an activity can be performed in another country or not.
02:22
Understanding which countries are on the sanctions list for conducting transactions is also important.
02:29
Understanding if a bit, if offender has a location in other countries, or if your data will be routed to or stored in a data center in a different country, is important to identify up front.
02:43
Whether the data will be returned or destroyed when the contract is terminated should be defined in the terms of agreement.
02:52
If the data will not be returned, the expectation is that the Burger Party will protect the data at the same level as under an in force contract.
03:04
The primary entity should know whether the vendor will be using its own employees
03:08
contracting labour or a combination of boat.
03:13
They should also know what's included in the background check,
03:15
for example, Ah, criminal history, credit history, drug testing or educational background.
03:23
The expectation of the employee training should be in the terms of agreement as well, for how the vendor provides specific training regarding special considerations for the handling of health care information and how often is the refresh your training Mandated.
03:45
Additional considerations are the ability of the vendor to subcontract work.
03:51
The primary entity may require that it pre approves any subcontractor that the vendor wishes to use to carry out the entities work.
04:00
If the primary entities unaware of these relationships, it can introduce unnecessary risk.
04:08
Okay,
04:09
Business continuity and disaster recovery plans should also be in the terms of agreement,
04:15
their terms to define what time frame must the vendors function be recovered in the event of a disaster?
04:23
How will the vendor notify the primary entity if a major outage or disaster occurs? And is the vendor prepared to move the work? If it's facility is unavailable
04:40
in the event that a vendor relationship process international borders, it is important to understand the laws under which both the primary entity and the vendor operate and how it affects the protection of health information.
04:55
In addition, primary entities will want to consider under whose laws they will be held to envy. Event that an incident occurs that requires law enforcement to investigate or prompts some sort of legal action.
05:11
It's also important to consider the attitudes about security and privacy and other countries.
05:16
Do those attitudes and societal norms match those of the primary entities country?
05:23
And is the country's political system favorable or unfavorable towards security and privacy of personal information?
05:34
It's time for a knowledge check.
05:38
True or false.
05:40
Her party agreements should include rights. Tow it.
05:47
Uh,
05:51
that answer is true.
05:57
The blank
05:58
is most responsible to perform due diligence to determine the level of risk introduced by a vendor or bird party
06:08
is the answer. A a sub tender.
06:11
Be a third party assessor.
06:15
See the business associate
06:16
or D the primary entity
06:28
That's d the primary entity.
06:33
True or false?
06:35
Employee background checks should be included in third party agreements.
06:47
Once again, that answer is true.
06:53
So in summary, what recovered
06:55
We're relationship management
06:57
and comprehending compliance requirements.
07:00
Stay tuned for the next video

Up Next

HCISPP

The HCISSP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Instructor Profile Image
Schlaine Hutchins
Director, Information Security / Security Officer
Instructor