Healthcare Organizations Move to Streamline Third-Party Assessment Process | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Healthcare Organizations Move to Streamline Third-Party Assessment Process

May 8, 2013
by John DeGaspari
| Reprints
Third parties continue to pose significant risks and challenges associated with safeguarding health information

The Frisco, Texas-based Health Information Trust Alliance (HITRUST) has announced that several healthcare organizations will require their business associates to participate in the HITRUST Common Security Framework (CSF) Assurance Program and submit CSF assessment reports as part of their information protection programs.

According to HITRUST’s analysis of U.S. healthcare data breaches, business associates accounted for 58 percent of the records breached, and they were implicated in 21 percent of the breaches. The organization also notes that business associates and suppliers struggle with the need to address a multitude of assessment processes utilized by the many healthcare organizations they service, resulting in significant complexities and inefficiencies that can impact the effectiveness of a security program. These redundant assessment processes also increase costs for covered entities, their business associates and the healthcare system as a whole, it says.

In an effort to standardize those proceses, HITRUST says several healthcare organizations, including CVS Caremark, Health Care Services Corp., Highmark, Humana, United Health Group and WellPoint, are announcing their commitment to leverage the CSF Assurance Program in their business associate information compliance programs and require the submission of the CSF assessment reports as part of those programs. Many healthcare organizations currently accept the CSF assessment reports, but have not required them. These organizations will now phase in the requirement for the CSF assessment and communicate the new reporting obligations to their business partners, according to HITRUST.

“We accept the CSF assessment reports from our business partners as well as maintain the capability to support our own approach to conducting third party risk assessments,” said Roy Mellinger, vice president and chief information security officer, WellPoint, in a statement.  “Unfortunately, we’ve found that managing and coordinating two separate approaches adds costs and inefficiencies for us and our partners. What we need is a single integrated approach—such as provided by a CSF assessment, which we can achieve with the right leadership to help coordinate and advance adoption across the healthcare industry, covered entities and business associates alike.”

A business associate or partner can receive hundreds of unique requests a year for some form of information protection assessment or attestation of their security controls, which requires considerable resources in trained personnel and operational dollars. Additionally, the entity requesting the assessment or attestation is burdened with ensuring that the reports are consistent, accurate and timely. More information on the CSF Assurance Program can be found at HITRUSTalliance.net/assurance.

Last month, HITRUST released new guidance for healthcare organizations to assess cybersecurity preparedness that identifies a subset of controls within the HITRUST CSF that are most directly related to detecting and thwarting cyber-related breaches.

Topics

News

Dignity Health, CHI Merging to Form New Catholic Health System

Catholic Health Initiatives (CHI), based in Englewood, Colorado, and San Francisco-based Dignity Health officially announced they are merging and have signed a definitive agreement to combine ministries and create a new, nonprofit Catholic health system.

HHS Announces Winning Solutions in Opioid Code-a-Thon

The U.S. Department of Health and Human Services (HHS) hosted this week a first-of-its-kind two-day Code-a-Thon to use data and technology to develop new solutions to address the opioid epidemic.

In GAO Report, More Concern over VA VistA Modernization Project

A recent Government Accountability Office (GAO) report is calling into question the more than $1 billion that has been spent to modernize the Department of Veterans Affairs' (VA) health IT system.

Lawmakers Introduce Legislation Aimed at Improving Medicare ACO Program

U.S. Representatives Peter Welch (D-VT) and Rep. Diane Black (R-TN) have introduced H.R. 4580, the ACO Improvement Act of 2017 that makes changes to the Medicare accountable care organization (ACO) program.

Humana Develops Medication Management Tool

A new tool developed by Humana enables the company’s members to keep a list of their medications in one place.

Four Hospitals Piloting OurNotes Initiative in 2018

Beginning in January, four academic hospitals—Beth Israel Deaconess Medical Center in Boston, University of Washington in Seattle, Dartmouth-Hitchcock Medical Center in Lebanon, New Hampshire and University of Colorado in Boulder—will begin piloting a new digital tool called OurNotes that enables patients to contribute to their clinical notes.