Prevalent Vendor Assess evaluates third-party vendors’ HIPAA compliance
by Chris Apgar, CISSP
Much of today’s healthcare industry is reliant on third-party vendors. If you haven’t asked your vendors whether they are compliant with HIPAA and have implemented sound information privacy and security programs, you are likely facing unknown, and possibly significant, risks. Covered entities (CE) and business associates (BA) are required by HIPAA to exercise due diligence when it comes to their BAs and BA subcontractors. Assessing the risk posed by those vendors is necessary, especially when they support critical CE operations.
Prevalent offers Vendor Assess: a software as a service-based tool that can automate a large part of third-party vendor assessments. Its third-party risk management solution can help CEs and BAs manage the risks associated with BAs and BA subcontractors. And Vendor Assess provides the information and tools necessary to require vendors to address risks that could have an adverse impact on business and clinical operations.
Vendor Assess is a subscription-based service that uses industry best practices to efficiently support CEs and BAs in conducting third-party assessments without the need for additional staff or resources. Prevalent Vendor Assess leverages Prevalent’s Vendor Risk Manager platform to generate focused third-party risk assessments and store the results in an easily accessible web portal. Also, Prevalent’s Vendor Threat Monitor is available to support the collection of real-time vendor threat intelligence information. The subscription includes a single assessment, threat intelligence monitoring, reporting, and assessment recommendations by Prevalent.
Vendor Assess uses predeveloped third-party security questionnaires to identify CE and BA vendor risks. The questionnaires sent to vendors are customized to address the areas of risk associated with each vendor, rather than using a static set of questions that is not necessarily suited to every vendor. Because risks vary depending on the vendor and the services provided, this customization is an added bonus, especially when evaluating the information security risk that critical vendors pose to CEs and BAs.
The tool electronically generates questionnaires for distribution to vendors, which takes far less time than manually creating, addressing, and sending questionnaires designed to identify the risks vendors pose to their CE and BA clients. It also creates a centralized repository that can be used to track vendor risk management activities and questionnaire returns, and to establish a baseline of vendor risk for future Vendor Assess assessments.
In addition to providing a sound solution to assess vendor risk, Prevalent’s offerings include the Prevalent Vendor Risk Maturity Assessment. The Vendor Risk Maturity Assessment was created to help CEs and BAs understand the maturity of their vendor risk management program, review specific actions for maturity improvement, and benchmark overall maturity with other Prevalent clients.
The Vendor Risk Maturity Assessment identifies CEs’ and BAs’ vendor risk management program maturity. The assessment involves a question and answer session with the staff responsible for vendor risk management. A Prevalent analyst reviews the data, identifies areas for improvement, develops a specific action plan for improving maturity across all the CE’s BAs and BA subcontractors and creates an executive presentation to show how an entity’s vendor risk assessment program compares to other Prevalent clients.
Pricing for Prevalent services fits the budget of most small and large CEs and BAs. Pricing is, for the most part, tiered by the number of vendors to which CEs and BAs will send questionnaires. Prevalent offers a concierge package of services that has, per Prevalent, appealed to smaller CEs and BAs. More information is available from Prevalent at www.prevalent.net.
Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. Opinions expressed are those of the author and do not represent HCPro or ACDIS. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Nicole Votta at firstname.lastname@example.org.