HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP certification course with Sai Buri, our party risk management.
00:08
My name is Schlaine Hutchins.
00:12
Today
00:14
we're gonna talk about primary entity,
00:17
third party
00:18
and accountability.
00:23
As we've discussed throughout this course, healthcare involves a variety of stakeholders, each of whom has a responsibility to safeguard the sensitive data
00:33
that is entrusted to it.
00:35
If you will recall from earlier in the course, the entity that has a direct relationship with the patient
00:42
is referred to as the primary entity.
00:45
That could be a doctor,
00:47
a hospital, a pharmacy or health insurance company, or payer.
00:53
Any entity to which the primary entity outsources a function or multiple functions is considered a third party vendor.
01:03
The expectation for the third party vendors who create,
01:07
access, store or process health information is that they must protect the information at the same level or greater than the primary entity.
01:19
This does not absolve the primary entity of any responsibility for due diligence.
01:30
Vendors in the healthcare space can be as varied as a company that performs hardware destruction to one that handles medical claims processing, billing or collections.
01:42
Just as in other industries, vendor arrangements can vary, and each of them comes with a certain level of risk,
01:51
such as the location of the services
01:55
either on site at the primary entity's facility, for example, nurses provided by a temporary agency,
02:04
offsite at the third party vendor's facility,
02:07
or within the primary entity's country,
02:10
or in a foreign country, often referred to as offshore,
02:15
or the service offerings.
02:17
Business process outsourcing, for example, medical transcription services
02:23
or information technology outsourcing, for example, systems development and maintenance
02:30
or even cloud services such as software as a service,
02:36
infrastructure as a service,
02:38
and platform as a service.
02:45
As mentioned previously, because sharing information is vital to ensuring that healthcare delivery provides for the needs of the individual,
02:53
security and privacy of healthcare data poses some unique challenges.
02:59
For example, the government or a health insurer, or payer, requires information to be able to pay for the delivery of care.
03:07
Providers must be capable of securely sharing patient information.
03:13
Coordination among providers is required to give individuals the appropriate level of care.
03:21
Although the data needs to be protected, care depends on some level of openness to the data to be efficient and effective.
03:30
At each step along the healthcare continuum, there are risks that must be anticipated and mitigated.
03:38
When third parties are added to the mix, additional risk is introduced.
03:43
It is precisely that risk which the HCISPP professional can help to identify, communicate and manage.
03:53
The accountability for protection of health information ultimately lies with the primary entity. However, regulators are becoming more aware of the risks posed by downstream vendors. There are countless examples in the media of vendors who have caused data leakage or data breaches.
04:12
It's important for a primary entity to ensure that its third party vendors understand the laws and regulations to which the entity is held and to which compliance is expected of the vendor.
04:26
bills. Regulations vary by country, state or province.
04:30
Many regulations impose harsher penalties if there is negligence. So it's important to keep a close watch over issues identified at a vendor to ensure they're corrected in an appropriate and timely manner.
04:45
The organization that collected the PHI originally is responsible for it even after it's passed on to a third party.
04:59
Time for a knowledge check.
05:02
Third parties can
05:04
either A, introduce additional risk to an organization, if not properly assessed and monitored; or B,
05:14
alleviate an organization of responsibility during the protected health information breach;
05:20
or C, not outsource processing, storage or transmission of sensitive PHI, regardless of contract requirements;
05:30
or D,
05:31
only operate in countries where the original party resides.
05:35
Which is the best answer?
05:45
Did you get A?
05:46
Third parties can introduce additional risk.
05:54
So in summary, we talked about
05:56
primary entities,
05:59
third parties and accountability. See you in the next video.

HCISPP

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor