Third Party Relationships


Course Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Hello, and welcome to the HCISPP certification course with Cybrary, third-party relationships. I'm your instructor for today. My name is Schlaine Hutchins. Today we'll discuss third-party relationships, get a basic understanding of the requirements for third-party agreements, and understand the regulatory requirements for third-party relationships. This information may seem simple, and yet it is very foundational to the remainder of the course. Much of the complexity within the health care industry arises due to the nature of the relationships and services that are being provided.

Let's talk about covered entities. A covered entity is any organization or corporation that directly handles PHI or personal health records, such as your health insurance plans (Medicare, Medicaid, Blue Cross Blue Shield, Anthem, and the like), your providers of services, meaning your doctors, laboratories, radiologists, hospitals, pharmacies, or health information clearinghouses. They translate claims information from non-standard formats to a standard format on behalf of a provider. Understanding who is a covered entity and who is not a covered entity is important when there's a breach of information. When an organization receives patient information from a non-covered entity, that information is not subject to the protections under HIPAA or HITECH. While the information still needs to be secured, the regulatory fines and penalties would not apply should the data be compromised or breached.

Let's discuss the different parties. The first party is the patient, parent, or person responsible for the bill. The second party is the physician, the clinic, hospital, or whoever is providing care. The third party is the uninvolved vendor, business partner, or other data-sharing associate. Uninvolved means not involved in the treatment, payment, or operations of providing care to the patient. There are also fourth and fifth parties and so on, also known as downstream entities. These are entities that perform services on behalf of the previous entity and have access to that patient information.

A vendor provides services to health care organizations. When vendors have access to PHI data, that data becomes subject to the protections under HIPAA. A vendor will become a business associate, or may be required to sign a business associate agreement, if they have access to that protected health information. Once access to that information is established, then the agreements must have the following requirements. The permitted and required uses of PHI, meaning what's allowed and what's not allowed in the use of that data. No disclosure other than what's permitted: you cannot share the information unless it's specifically documented in your business associate agreement. The appropriate safeguards to prevent use or disclosure other than what's in the contract, meaning you must use encryption, you must back up the data, you must have access controls in place, you must perform backup and recovery or do a disaster recovery. All those security controls must be outlined and designated in the business associate agreements.

The regulatory requirements for third-party relationships are HIPAA and HITECH. HIPAA, the Health Insurance Portability and Accountability Act of 1996, has two rules, the privacy rule and the security rule. The main goal of the privacy rule is to ensure that data is protected while allowing the flow of health information needed to promote quality care and to protect the public's health and well-being. The security rule establishes the standards to protect electronic health information that's created, received, used, and/or maintained by a covered entity. The HITECH Act, also known as the American Recovery and Reinvestment Act, supports the concept of the electronic health records' meaningful use, meaning you don't use the information for purposes outside of treatment, payment, or operations to provide care when the data is being transmitted electronically. Meaningful use states that, at a minimum, an eligible provider must have at least one formulary that can be queried. A drug formulary is a list of drugs covered by a health plan to provide the greatest value.

In summary, we've discussed third-party relationships, the requirements for those third-party agreements, and the regulatory requirements for those third-party relationships. I'll see you in the next video.