HITRUST Policies - Third-Party Assurance Procedure
HITRUST Policies - Third-Party Assurance Procedure
HITRUST Policies - Third-Party Assurance Procedure
INTENDED AUDIENCE:
Entire workforce
PROCEDURE:
In accordance with the standards set forth under federal and state statutory requirements (hereafter
referred to as regulatory requirements), Cone Health is committed to ensuring the confidentiality,
integrity, and availability of all protected health information (PHI/ePHI), sensitive, and confidential data
(hereafter referred to as covered information) it creates, receives, maintains, and/or transmits.
The purpose of this procedure is to define roles, responsibilities, and processes for assuring third pa rty
entities (e.g., vendors, consultants, contractors, service providers, etc.) comply with Cone Health’s
internal governance requirements for safeguarding covered information and applicable regulatory
requirements.
Responsibilities:
Chief Information Security Officer (CISO):
The CISO is responsible for, but not limited to. the following activities:
• Revisions, implementation, workforce education, interpretation, and enforcement of this
procedure.
• Perform third party risk assessments on entities that will or could have access to covered
information, prior to agreeing to signing any contractual agreements and engaging in any
business activities that involve covered information.
• Work with the chief privacy officer to ensure that third parties who have access to covered
information are being periodically audited to verify that the required security controls have
been implemented.
5575 Page 1 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
• Annually review third party relationships that have or could have access to ePHI/PHI to ensure a
current BAA have been executed.
Procurement/Contracting:
Procurement is responsible for, but not limited to, the following activities:
• Responsible for developing, disseminating, and annually reviewing and updating a list of current
service providers and other third-party relationships (including a description of services
provided).
• Periodically monitoring third party entities performance against what is required by their
contract or agreement.
• Identifying third party relationships that are considered business associates and engage the
CISO and chief privacy officer prior to signing any contractual agreements.
• Ensure that all third parties fully understand all contract/agreement language and
requirements.
General Requirements:
Third party entities or BAs, will not be provided access (physical and logical) to Cone Health’s covered
information and systems until a risk assessment has been performed by the CISO and he/she can
evaluate the entity’s information security program to ensure the appropriate administrative, physical,
and technical controls to safeguard covered information (see Third Party Risk Assessment below).
Access provided is based on minimum necessary. The chief privacy officer will ensure that he/she has a
signed BAA for those entities defined as BAs. BAs who do not sign a BAA or cannot comply with Cone
Health’s security/privacy requirements will not be allowed access to covered information or Cone
Health’s systems.
5575 Page 2 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
If a third-party entity is already in the process of contract negotiation and development, the provisions
of the BAA (as defined by chief privacy officer and Legal Services) may be incorporated into the
contract as an option (i.e., separate BAA not required).
5575 Page 3 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
20. Requirement to report to Cone Health any use or disclosure of the information not authorized
under their contract, including incidents that could constitute a breach of covered information
as well as other suspected or known privacy and security incidents.
21. Requirement to disclose covered information as specified in its contract to satisfy Cone Health’s
obligation to individuals’ requests for copies of their information (i.e., PHI/ePHI) as well as make
available covered information (i.e., PHI/ePHI) for amendments (and incorporate any
amendments, if required) and accountings.
22. Requirement to make available to Cone Health and/or HHS, its internal practices, books, and
records relating to the use and disclosure of PHI/ePHI received from, or created, or received by
the BA on behalf of Cone Health for purposes of HHS determining Cone Health’s compliance
with the HIPAA Privacy Rule.
23. Requirement to inform Cone Health’s CISO within one business day if any transfers or
terminations take place with third party personnel working at Cone Health’s facilities that have
organizational credentials, badges, or information system privileges.
24. Requirement to return all covered information it received from or created on behalf of Cone
Health, upon termination of their agreement/contract. Include a statement that if the return of
covered information is not feasible that they are required to return it when it is no longer
needed or destroy the information and provide a detailed (i.e., itemized) document of
destruction to Cone Health.
25. Requirement for subcontractors to agree to the same restrictions and conditions outlined in the
agreement that the third-party entity has with Cone Health.
26. Requirement to undergo an annual security risk assessment by a third-party assessor and
provide the results of the assessment or attestation letter to Cone Health.
27. Requirement to undergo an annual internal/external vulnerability assessment.
28. Requirement to coordinate, manage, and communicate changes to services provided to Cone
Health through an approved change management process, providing allowance for Cone Health
to evaluate proposed changes to identify the potential impacts before implementation.
29. Responsibilities for hardware and software installation, system maintenance, maintenance
support, and/or spare parts for key information system components, configuration
management, patch management, disaster recovery, data backup, etc. (i.e., ITS service
providers).
30. Address service continuity requirements, including measures for availability, security, integrity,
and reliability, including fallback arrangements for alternative technical services, such as
information processing and communications facilities in accordance with the organization's
business priorities.
31. Establishment of an escalation process for problem resolution.
32. Right of Cone Health to monitor and revoke any activity related to the Cone Health’s services
and assets.
33. Right to audit requirements outlined in the agreement/contract, to include contracting a third-
party auditor to perform the audit.
34. Penalties exacted in the event of any failure of contractual obligations.
35. Authorization to terminate the contract if the entity or its subcontractors violate a material
term of the contract.
36. Conditions surrounding the renegotiation/termination of agreements.
37. An indemnity clause.
5575 Page 4 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
38. Requirement and name of who is responsible for conducting background investigations for
individuals that will be granted access to covered information or other sensitive organizational
systems, providing results to Cone Health if requested, as well notification procedures to follow
if screening has not been completed, or if the results give cause for doubt or concern, and the
agreement with the third party clearly specifies all responsibilities and notification procedures
for screening. (also refer to requirements in the Personnel Security Management procedure).
39. If applicable, restrictions on the physical locations used to store, process, or transmit covered
information.
40. For relationships that involve electronic commerce transactions, the following terms must be
defined:
a. Determining the requirements for confidentiality, integrity, proof of dispatch, and
receipt of key documents, and the non-repudiation of contracts (e.g., associated with
tendering and contract processes).
b. Authorization processes associated with who may set prices and issue or sign key
trading documents.
c. The level of confidence each party requires in each other's claimed identity (e.g.,
through authentication).
d. Ensuring that all the parties involved are fully informed of their authorizations.
e. The level of trust required for the integrity of advertised price lists.
f. The degree of verification appropriate to check payment information supplied by a
customer.
g. Insurance requirements.
h. Liability associated with any fraudulent transactions.
i. Selecting the settlement form of payments to guard against fraud.
BAAs will include all mandatory language required by chief privacy officer and Legal Services.
whether to engage in a business relationship with the third party. The security risk assessment will take
the following into consideration:
1. The information asset(s) being accessed.
2. Type of access needed, such as:
• Physical access (e.g., to offices, computer rooms, filing cabinets).
• Logical access (e.g., to an organization’s databases, information systems).
• Network connectivity between the organization's and the external party's network(s) (e.g.,
permanent connection, remote access).
• Whether access to covered information will only be onsite or if covered information will be
stored off-site.
3. The value, sensitivity, and criticality of the information.
4. Accessibility needs of the third party.
5. Legal and regulatory requirements and other contractual obligations.
Third party entities will provide the following information in support of the secur ity risk assessment:
1. Completed Third Party Security Risk Assessment Questionnaire.
2. Copies of their most recent information security risk assessment and vulnerability assessments.
3. Information security policies and procedures designed to detect, prevent, and mitigate risk.
4. Disaster recovery and business continuity plans,
Third party entities will not be allowed to access PHI/ePHI or organizational systems until:
• The CISO completes the security risk assessment and has analyzed the information to
determine if risks are acceptable. Depending on the scope of the relationship, designated
approving authority (see Information Security Risk Management procedure) review and
approval may be required.
• The remediation of all risks (findings) that are determined to be unacceptable.
• Completion of background investigations for third party personnel who will be accessing
covered information and/or information systems.
• Third party personnel have read the organization’s information security policies and procedures
and signed the Access Terms and Conditions agreement.
For those third-party entities that are already doing business with Cone Health, they will be asked to
provide a current information security risk assessment as soon as possible, otherwise face possible
termination of their agreement/contract. The risk assessment must be performed by an independent
assessor.
5575 Page 6 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
Documentation Retention:
Records related to security incidents, risk analysis, and breach decisions will be retained for a period of
no less than 6 years from the date of the documentation.
Exception Management:
Exceptions to this procedure will be evaluated in accordance with Cone Health’s Information Security
Exception Management procedure.
Applicability:
All employees, volunteers, trainees, consultants, contractors, and other persons (i.e., workforce)
whose conduct, in the performance of work for Cone Health, is under the direct control of Cone
Health, whether or not they are compensated by Cone Health.
Compliance:
Workforce members are required to comply with all information security policies/procedures as a
condition of employment/contract with Cone Health. Workforce members who fail to abide by
requirements outlined in information security policies/procedures are subject to disciplinary action up
to and including termination of employment/contract.
5575 Page 7 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
Appendix 1
EXAMPLES OF BUSINESS ARRANGEMENTS THAT MAY INVOLVE DISCLOSURE OF PHI/ePHI (list is
not all inclusive)
Accrediting/Licensing Agencies (JCAHO) Pathology Services Contracts
Accounting Consultants/Vendors Paper Recycling Contracts
Actuarial Consultants/Vendors Patient Satisfaction Survey Contracts
Agents/Contractors Accessing PHI (Consultants) Payer-Provider Contracts (Provider for Health
Application Service Providers (i.e., prescription Plan)
mgmt.) Physician Billing Services
Attorneys/Legal Counsel Physician Contracts
Auditors Practice Management Consultants/Vendors
Benchmarking Organizations Professional Services Contracts
Benefit Management Organizations Quality Assurance Consultants/Vendors
Claims Processing/Clearinghouse Agency Radiology Services Contracts
Contracts Record Copying Service Vendor Contracts
Coding Vendor Contracts Record Storage Vendors
Collection Agency Contracts Release of Information Service Vendor Contracts
Computer Hardware Contracts Repair Contractors of Devices Containing PHI
Computer Software Contracts Revenue Enhancement/DRG Optimization
Consultants/Consulting Firms Contracts
Data Analysis Consultants/Vendors Risk Management Consulting Vendor Contracts
Data Warehouse Contracts Shared Service/Joint Venture Contracts with
Emergency Physician Services Contracts Other Healthcare Organizations
Hospitalist Contracts Statement Outsource Vendors
Insurance Contracts (Coverage for Risk, Telemedicine Program contracts
Malpractice, etc.) Third Party Administrators
Interpreter Services Contracts Transcription Vendor Contracts
Information Technology Service Providers Waste Disposal Contracts (Hauling, Shredding)
Legal Services Contracts Health Plan Relationships:
Medical Staff Credentialing Software Contracts • Pharmaceutical Benefits Management
Microfilming Vendor Contracts Contracts
Optical Disc Conversion Contracts • Preauthorization Management Contracts
• Case Management Contracts
• Third Party Administrator (TPA) Contracts
• Wellness Promotion Contracts
Appendix 1 Resource: HIPAA COW Business Associate Agreement Policy/Procedure, v5, 6/30/16
5575 Page 8 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.
Guideline: ITS Third-Party Assurance Procedure
Appendix 2
EXAMPLES OF ARRANGEMENTS THAT ARE NOT BUSINESS ASSOCIATE RELATIONSHIPS AND DO
NOT REQUIRE BA AGREEMENTS (list is not all-inclusive)
Banks Processing Credit Card Payments Members of the Organization’s Workforce
Blood Bank/Red Cross (Provider) Organ Procurement Organizations
Clinics (Provider Relationships) Nursing Homes
Courier Services Delivering Specimens Quality Improvement Organization –Agent of CMS
Device Manufacturers Require PHI to Produce (e.g., MetaStar)
Pacemakers, hearing aids, glasses, etc. Rental Employee Agencies (No PHI Shared –
(Treatment) Employees Need Privacy Training)
Cleaning/Janitorial Services (Incidental Repair Contractors (Maintenance, Copy Machine,
exposure only) Plumbing, Electricity, etc. – No PHI involved)
DME for Equipment for Treatment Purposes School Health Nurses
Educational/School Programs (Student Privacy Supply Services
Education Required as Workforce Member) Support Services Agreements for Supplies/Tax
Health Plans Contracting with Network Purposes
Providers (Covered Entity to Covered Tissue Banks
Entity) U.S. Post Office and Other Couriers
Health Plans for Purposes of Payment Volunteers (Board Members, Ethics Committee
Hospitals Members, IRB Members, etc.)
Housekeeping/Environmental Services
(Incidental exposure only)
Infusion Provider for Treatment
Law Enforcement Agencies
Members of an Affiliated Covered Entity
Members of the Organization’s Organized
Health Care Arrangement (OHCA)
Pharmacy (Healthcare Provider/Treatment)
Providers (Involved in Care and Treatment of
Patient)
Appendix 2 Resource: HIPAA COW Business Associate Agreement Policy/Procedure, v5, 6/30/16
5575 Page 9 of 9
Printed copies are for reference only. Please refer to the electronic copy for the latest version.