
4. Awareness and third-party risk management


• The Data Protection Directive (DPD) establishes an international responsibility for data controllers to manage third-party risk.
• Awareness and third-party risk management methodologies:
• Inventory third-party vendors that handle PHI
  - Keep an accurate, up-to-date list with valid contact information.
  - Document the data categories and the data flow.
  - Identify the inherent risk of each third party.
  - Know who the healthcare organization's functional representative is for each contract.
• Perform a risk assessment
  - Confirm that the third party complies with the relevant data privacy and security regulations.
  - Review any objective audit reports and their current status.
  - Visit the third party's facilities.
• Conduct due diligence
  - Select a third party with its industry ratings and past performance in mind.
  - Compare it with alternative third-party vendors.
  - Review the financial position of the third party.
• Select connection controls
  - Encryption is essentially mandatory.
  - Secure transfer of information relies on a variety of technical controls.

4. Awareness and third-party risk management (continued)

• Structure the contract
  - Terms and conditions must reflect expectations for handling protected health information (PHI).
  - Assess compliance with the contract terms.
  - Track risk assessment results, service level agreements and satisfaction ratings.
  - Evaluate the adequacy of the training the vendor gives its employees.
  - Conduct anonymous testing of the vendor's service capabilities.
• Implement oversight
  - The contract should include a right to review and audit.
  - Findings should be remediated at no additional cost to the third party.
  - Test the third-party vendor's business contingency planning.
  - Hold periodic meetings with the vendor to review contract performance and operational issues.
