Video Activity

Third Party Risk Management

Video Transcript

Hello again and welcome to the HCISPP Certification course with Cybrary, Third-Party Risk Management. My name is Charlene Hutchins. Today we're going to talk about primary entity, third party, and accountability. As we've discussed throughout this course, health care involves a variety of stakeholders, each of whom has a responsibility to safeguard the sensitive data that is entrusted to it.

If you will recall from earlier in the course, the entity that has direct relationship with the patient is referred to as the primary entity. That could be a doctor, a hospital, a pharmacy, or health insurance company or payer. Any entity in which the primary entity sources a function or multiple functions, is considered a third party vendor. The expectation for the third-party vendors who create, access, store, or process health information is that they must protect the information at the same level or greater than the primary entity.

Though this does not absolve the primary entity of any responsibility for due diligence. Vendors in the healthcare space can be as varied as a company that performs hardware destruction to one that handles medical claims processing, billing, or collections. Just as in other industries, vendor arrangements can vary and each of them comes with a certain level of risk, such as the location of the services. Either on site at the primary entities facility, for example, nurses provided by a temporary agency. Off-site at the third-party vendors facility, or within the primary entities country, or in a foreign country, often referred to as offshore, or the service offerings. Business process outsourcing, for example, medical transcription services or information technology outsourcing, for example, systems development and maintenance.

Or even Cloud services, such as Software as a service, Infrastructure as a service, and Platform as a service. As mentioned previously, because sharing information is vital to ensuring that health care delivery provides for the needs of the individual, security and privacy of health care data poses some unique challenges. For example, the government of a health insurer or payer requires information to be able to pay for the delivery of care. Providers must be capable of securely sharing patient information. Coordination among providers is required to give individuals the appropriate level of care. Although the data needs to be protected, care depends on some level of openness to the data to be efficient and effective.

At each step along the health care continuum, there are risks that must be anticipated and medicated. When third parties are added to the mix, additional risk is introduced. It is precisely that risk which the HCISPP professional can help to identify, communicate, and manage. The accountability for protection of health information ultimately lies with the primary entity. However regulators are becoming more aware of the risks posed by downstream vendors. There are countless examples in the media of vendors who have caused data leakage or data breaches. It's important for a primary entity to ensure that its third-party vendors understand the laws and regulations to which the entity is held and to which compliance is expected of the vendor.

Those regulations vary by country, state, or province. Many regulations impose harsher penalties if there is negligence. It's important to keep a close watch over issues identified at a vendor to ensure they are corrected in an appropriate and timely manner. The organization that collected the PHI originally is responsible for it even after it passed on to a third party. Time for a knowledge check. Third parties can either a, introduce additional risks to an organization, if not properly assessed and monitored. Or b, alleviate an organization of responsibility during a protected health information breach. Or c, not outsource, processing, storage, or transmission of sensitive PHI regardless of contract requirements. Or d, only operate in countries where the original party resides, which is the best answer? [NOISE] Did you guess a? Third parties can introduce additional risk. In summary, we talked about primary entities, third parties, and accountability. See you in the next video.

Course link:
As our healthcare industry grows, so do the risks associated with keeping health information secure. The HCISPP certification is ideal for security professionals responsible for safeguarding protected health information (PHI). Take this HCISPP training course to prepare to manage and implement security controls for healthcare information.
Instructed by
Schlaine Hutchins

I currently hold the CISA, CISSP and HCISPP. My experience includes a Bachelors Degree in Electronics Engineering with 20+ years in Information Technology / Cyber Security and over 10+ years in the health care industry.