Extending HIPAA to Third Parties

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires healthcare providers that attest to meaningful use of electronic health records to have performed a HIPAA security risk assessment based on National Institute of Standards and Technology (NIST) guidelines. HIPAA covered entities, including healthcare providers, insurers and their third parties handling Personal Health Information (PHI), must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the health information. Third parties and their subcontractors are held to the same standards for protecting PHI as HIPAA covered entities. The penalties for non-compliance are based on the level of negligence, with a maximum penalty of $1.5 million per violation.

Compliance Made Easy

Hiperos 3PM Information Security helps health plans, health care providers and health clearing houses simplify and streamline the management of third party HIPAA compliance by automatically:

  • Identifying third parties with HIPAA risks
  • Assessing the specific risks that need to be controlled
  • Determining the controls necessary to mitigate those risks
  • Managing the risks (i.e., training) and documenting control effectiveness
  • Tracking agreed-upon remediations through completion
  • Maintaining a continuously updated risk register on every third party
  • Storing all information as reportable, actionable data across the enterprise