Rebekah Johnson, CIPP/US, is the Senior Compliance Manager for West Notifications, Inc.
When Edward Snowden shed light on the National Security Administration’s surveillance programs, Americans were left asking many questions. Questions ranging from “How can the government do this?” to “What information are they gathering?” became conversation topics for many Americans. In the healthcare world, these revelations have made both patients and healthcare providers concerned over how secure information is in the hands of third-party vendors. These vendors, which providers rely on for many things, are being scrutinized for their attention to detail, data storage and potential for breach.
The impact Snowden’s whistleblowing has had on healthcare providers and third-party vendors across America is far-reaching. People are closely examining privacy policies now, whereas signing privacy forms at a doctor’s office used to be just an afterthought. It has forced businesses that rely on American third-party vendors to ask whether their data is being protected, and at what level. The NSA surveillance program brought awareness to the word “privacy” and to the actions and steps that are, or aren’t, taken by providers and their vendors to keep information protected.
Healthcare providers cannot afford to take security and privacy for granted and assume that their patients’ information is being adequately protected. Patients will hold their healthcare providers accountable if there is a breach. Therefore, to truly ensure data is protected, it is the job of providers to ask vendors the appropriate questions and confirm that the proper security and privacy policies are in place to lessen the risk of a security breach. And beyond asking tough questions, the emphasis on proper due diligence to vet the answers and understand the underlying processes has never been greater. There are two key focus areas: security and privacy. It is important to remember that you can have security without privacy, but you cannot have privacy without security. In a world where our information can be, and has been, looked at by our government, making information both private and secure is vitally important. Finding a third-party vendor that ensures the information is private and secure has to be a top priority.
When you pick a third-party vendor, make sure they are held to the same standard that you require at your practice. Unless you evaluate your vendors’ privacy policies and procedures, you cannot assume they are taking the necessary steps to protect your data. There are distinct actions they need to take to protect privacy.
Many healthcare providers know what security measures are in place with their third-party vendors, but do not necessarily know what privacy standards are in place. When examining third-party vendors, ensure the control standards your company has are met. You should expect a third-party vendor to meet, or exceed, the standards that you hold. Additionally, when choosing a third-party vendor, asking the following privacy-specific questions can differentiate one company from another:
- Is there a process to inform an individual that he/she is responsible for informing the organization of needed corrections to his/her personal information?
- Is there a process to ensure the personal information provided by an individual is limited for the purposes described in the organization’s privacy notice?
- Are employees, contractors, volunteers (and other parties, as appropriate) regularly monitored for privacy compliance?
- Are third-party service providers regularly monitored for privacy compliance?
- Are appropriate sanctions applied to employees, contractors, volunteers (and other parties, as appropriate) who violate privacy policies?
- Is there a process for employees, contractors, volunteers (and other parties, as appropriate) to notify privacy compliance personnel of an actual or suspected privacy breach?
When ensuring the third-party vendor you select meets the compliance standards you hold, training should also be considered. Training must be at the very top of the list when looking at privacy within your company, and within third-party vendor companies. Many companies have a standard privacy compliance form—which may be included in a packet employees sign on their first day at work—that discusses privacy policies. This is not enough—just as a sign posted in a healthcare provider’s office is not necessarily enough to guarantee people read it.
So, although the proper policies may be in place, you have to ensure employees know how to protect data at the privacy level expected, which only happens through recurring training. Training should occur at least yearly, and additional training is necessary any time rules and regulations change.
While the realization that the government has access to our data through the NSA surveillance programs worries many Americans, the good news is that it has put more focus on the need for stricter privacy and security standards. When using third-party vendors, demand that they maintain security and privacy policies that meet or exceed the standards that your company holds.
Rebekah Johnson, CIPP/US, is the Senior Compliance Manager for West Notifications, Inc. In this role, she develops and maintains compliance operations concerning the privacy and security of client information, including Personally Identifiable Information (PII), PHI, sensitive and financial data. Rebekah’s experience also includes managing European Union Safe Harbor certification.