HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome to the HCISPP certification course with Sai Buri for party relationships.
00:07
I'm your instructor for today. My name is Schlaine Hutchins.
00:13
Today we'll discuss third party relationships, get a basic understanding of the requirements for third party agreements and understand the regulatory requirements for third party relationships.
00:25
This information may seem simple, and yet it is very foundational to the remainder of the course.
00:31
Much of the complexity within the health care industry arises due to the nature of the relationships and services that are being provided.
00:42
Let's talk about covered entities.
00:44
A covered entity is an organization, any organization or corporation, that directly handles PHI or personal health records, such as your health insurance plans, Medicare, Medicaid, Blue Cross Blue Shield, Anthem and the like.
01:00
Your providers of services, meaning your doctors, laboratories, radiologists, hospitals, pharmacies
01:07
or health information clearinghouses. They translate claims information from nonstandard formats to a standard format on behalf of a provider.
01:18
Understanding who is a covered entity and who is not a covered entity is important when there is a breach of information.
01:26
When an organization receives patient information from a non-covered entity, that information is not subjected to the protections under HIPAA or HITECH. While the information still needs to be secure, the regulatory fines and penalties would not apply should that data be compromised or breached.
01:48
Let's discuss the different parties.
01:49
The first party is the patient,
01:53
parent or person responsible for the bill.
01:57
The second party is the physician, the clinic, hospital or whomever is providing care.
02:05
The third party is the uninvolved vendor, business partner or other data sharing associates. Uninvolved means not involved in the treatment, payment or operations of providing care to the patient.
02:20
There are also 4th and 5th parties and so on, also known as downstream entities.
02:25
These are entities that perform services on behalf of the previous entity and have access to that patient information.
02:37
A vendor provides services to the healthcare organizations
02:42
vendors. When vendors have access to PHI data, that data becomes subject to the protections under HIPAA,
02:49
and a vendor will become a business associate or may be required to sign a business associate agreement if they have access to that protected health information
03:00
and once access to that information is established, then the agreements must have the following requirements. The permitted and required use of PHI, meaning what's allowed and what's not allowed in the use of that data.
03:17
No disclosure other than what's permitted. You cannot share the information unless it's specifically documented in your business associate agreement,
03:28
the appropriate safeguards to prevent use or disclosure other than what's in the contract, meaning you must use encryption. You must back up the data. You must have access controls in place. You must perform backup and recovery or do a disaster recovery. All those security controls must be outlined
03:46
and designated
03:47
in the business associate agreements.
03:54
The regulatory requirements for third party relationships are HIPAA and HITECH.
04:00
HIPAA, the Health Insurance Portability and Accountability Act of 1996, has two rules: the privacy rule and the security rule. The main goal of the privacy rule is to ensure that data is protected while allowing the flow of health information needed to promote quality care
04:18
and to protect the public's health
04:20
and well being.
04:21
The security rule establishes the standards to protect electronic health information that's created, received, used and/or maintained by a covered entity.
04:38
The HITECH,
04:40
also known as the American Recovery and Reinvestment Act, supports the concept of the electronic health records meaningful use. I mean, you don't use the information for purposes outside of treatment, payment or operations to provide care when the data is being transmitted electronically.
04:58
Meaningful use states that, at a minimum, an eligible provider must have at least one formulary that can be queried. A drug formulary is a list of drugs covered by a health plan to provide the greatest value.
05:15
So in summary, we've discussed third party relationships, the requirements for those third party agreements and the requirements, the regulatory requirements, for those third party relationships. I'll see you in the next video.

HCISPP

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor