Third-Party Risk: Beyond the BAA

Abstract

Of all the ways to apply risk-based cybersecurity principles, analyzing risks to ePHI related to engaging third parties is very important. Failing to evaluate cyber risk at service providers is dangerous, and recent examples, such as the breach reported by Anthem in August of 2017, and risks to ePHI resulting from these relationships must be included on the risk register as well. In terms of patient data, business associates (BAs) are entities that perform services on behalf of covered entities and have access to ePHI. Business associates also engage third parties, establishing downstream BA arrangements. Regulations require that business associate agreements (BAAs) be executed for all such arrangements, establishing requirements for BAs to operate under. Included are permissible uses and disclosures of PHI and the expectation to protect PHI by adhering to safeguards required under the HIPAA Security Rule. BAAs also include provisions for notification when breaches occur. BAAs, however, should not be relied on for due diligence and information protection assurance. Managing third-party risk is not the sexiest aspect of cybersecurity; however, mismanaging third-party risk can be very damaging and lead to headlines. It is understood that BAAs are obtained any time a third party has access to, or is in possession of, ePHI. The focus of this chapter is to analyze and either accept or address the cyber risks to ePHI, prior to executing a business agreement and in addition to obtaining the signed BAA.