• Under the EU Data Protection Directive (DPD), the data controller remains responsible for personal data that third parties process on its behalf, so managing third-party risk is the controller's obligation, not only the vendor's.
• Awareness and third-party risk management methodologies:
• Inventory third-party vendors that handle PHI
  Have an accurate, up-to-date list with valid contact information.
  Document the data categories and the data flow.
  Identify the inherent risk of each third party.
  Know who the healthcare organization's functional representative is for each contract.
• Perform a risk assessment
  Make sure the third party complies with relevant data privacy and security regulations.
  Review any objective audit reports and their current status.
  Visit the third party's facilities.
• Conduct due diligence
  Select the third party with industry ratings and past performance in mind.
  Compare with alternative third-party vendors.
  Review the financial position of the third party.
• Select connection controls
  Encryption is essentially mandatory.
  Secure transfer of information relies on a variety of technical controls.
• Structure the contract
  Terms and conditions must reflect expectations for handling protected health information.
  Assess compliance with the contract terms: risk assessments, service level agreements, satisfaction ratings.
  Evaluate the adequacy of the training the vendor gives its employees.
  Conduct anonymous testing of the vendor's service capabilities.
• Implement oversight
  The contract should include a right to review and audit.
  Findings should be remediated by the vendor at no additional cost to the healthcare organization.
  Test the third-party vendor's business contingency planning.
  Hold periodic meetings with the vendor to review contract performance and operational issues.