Nixon Peabody is a CHEF Platinum Sponsor
By: Valerie Breslin Montague, JD, CIPP/US
Health plans, health systems, clinicians and other health care organizations receive large volumes of oftentimes highly sensitive patient data. Even organizations with the most robust resources need to turn to outside vendors to perform services that may involve receiving or accessing some of this sensitive data. When outsourcing functions that involve patient data, a robust vendor management program protects the interests of the organization and the data at issue.
Health care organizations have a number of reasons to ensure that they are protecting patient data, chief among them compliance with applicable laws and regulations. Many of these laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Federal Food, Drug, and Cosmetic Act and certain state laws, also require the organization to provide oversight of the vendors that handle patient data on its behalf. In addition, the organization may have contractual obligations that require vendor management, not to mention the risk management and liability protection that such management provides (remembering that vendors were involved in many recent high-profile data breaches, such as those impacting Target and Home Depot).
When developing or updating a vendor management program, a health care organization should articulate what it is trying to achieve with the program. It also should identify its risk areas. Understanding that most organizations do not have unlimited funds to allocate to these types of programs, the organization should classify its vendors based on the risk that they pose. That said, an organization should keep in mind that a small vendor or a small project does not necessarily warrant less diligence; a very small project may involve “specially-protected” patient information, such as information related to genetic testing or mental health. As to timing, an organization should not defer building a vendor management program, or the process for a particular engagement, until it has identified a specific vendor. Instead, it can include key questions on information privacy and security in the request for proposal process.
A comprehensive vendor management program can be broken down into six elements, outlined below and referencing a few key best practices for each element:
- Policies and Procedures. Documenting vendor management policies and procedures helps to ensure that the expectations, roles and requirements are outlined for the entire organization. The organization should consider whether an external vendor and the services it provides need to be built into any of the organization’s existing policies, such as the organization’s HIPAA security risk assessment or incident response plan. When analyzing the organization’s policies regarding training of employees, the organization should consider whether to incorporate a vendor into certain training related to data protection and data security.
- Vendor Selection Process. Depending on the size of the organization and the scope of a project, the organization may consider conducting an initial screening of vendors prior to consideration of more detailed due diligence on the vendor. One size does not fit all in this process, and an organization should set thresholds for different levels of review, identifying certain items that will trigger a deeper inspection (such as specially-regulated patient data).
Vendor Tip: Understand the data security protections that your organization provides, as well as those provided by any of your subcontractors. It may be helpful to have a brief summary prepared that can be used in the initial discussions with a potential client.
- Due Diligence. For large organizations in particular, it is helpful to create a system or program to track vendor due diligence, both to build efficiencies and to have a starting point if a vendor returns in the future or is proposed for another project. It also is helpful to approach vendor due diligence with a divide-and-conquer methodology, sharing the responsibilities and review among various stakeholders within the organization, such as the Privacy Officer, Chief Information Officer, Chief Financial Officer, etc.
Vendor Tip: Health care vendors asked to share proprietary or confidential information in a due diligence or RFP process should consider requesting that their client or potential client sign a confidentiality or nondisclosure agreement. In the alternative, the vendor can suggest a compromise to simply turning over documentation, such as allowing the client to view the information but not retain it, or offering the client an interview with the vendor’s key employees to discuss the requested information.
- Contractual Expectations. When preparing or modifying vendor agreements that govern arrangements in which patient data will be transferred or accessed, health care organizations should focus on a number of key provisions, including the limitation of liability, indemnification, insurance coverage, legal compliance and termination provisions. They also should specify, in the underlying agreement or a HIPAA Business Associate Agreement, as applicable, how the vendor is permitted to use and disclose patient data, including whether the vendor is permitted to aggregate or de-identify such data. Finally, the vendor agreement should clearly address data incidents and data breaches, detailing the vendor’s reporting requirements, any cooperation requested and the notification process if an incident triggers notification to individuals, the government or the media.
- Contract Management System. Beyond just a system to store agreements, a health care organization should consider establishing a system or process that helps it manage the various provisions in its vendor contracts. For example, if it has negotiated particular terms in its template vendor agreement or corresponding Business Associate Agreement with various vendors, having a system that tracks any differing provisions will give the organization a clear sense of any unique contractual obligations and will avoid the need for a detailed review of these agreements at a later date if an issue is identified.
- Audits and Vendor Management During the Relationship. There are a variety of ways that a health care organization can monitor a vendor after the arrangement commences. For example, the organization can request that the vendor complete a data privacy/security questionnaire, or it can conduct a desktop or in-person audit. If the vendor submits to evaluations by a third party for other purposes (for example, a SOC 2 report or similar independent assessment) and is willing to share the results, this can be an efficient shortcut to get a sense of the vendor’s structure and operations, provided the scope of the third-party review actually covers the systems and services that handle the organization’s data.
As a health care organization implements or updates a vendor management program, it should ensure that it does not go overboard in monitoring its vendors. For example, if a vendor is an individual serving as an independent contractor, the organization should take care to structure the arrangement in a way that the Internal Revenue Service would not construe the vendor to be an employee of the organization. In addition, while the health care organization wants to be informed about the vendor’s protection of its sensitive data, it should not overreach in a way that could be deemed to control the provision of the vendor’s services, so as to avoid the vendor being considered an agent of the organization.
A thoughtful, detailed vendor management program can be key to a health care organization’s legal and contractual compliance efforts, particularly when it comes to data privacy and security. These programs are not one-size-fits-all, and the elements discussed above can be tailored both to the health care organization and to the vendor at issue.