HIPAA Survival Guide September 2019 Newsletter

Webinar Title: A Deeper Dive into 42 CFR Part 2 (Redux) 
Description: Brought back by popular demand. This webinar will review salient aspects of the 42 CFR Part 2 2017 & 2018 HHS rulemaking, with an emphasis on HIPAA harmonization (or lack thereof).
Date: September 19, 2019
Time: 2:00 - 3:30 p.m. EST


Business Partner Vetting Challenges



Business Partner Vetting ("BPV") is a process designed to help your organization get "satisfactory assurances" from business partners ("Partners") regarding the state of compliance of their cybersecurity programs. The overarching purpose is to ensure that your sensitive data is being protected as expected and required. Many compliance regimes mandate that certain data be protected by your Partners (e.g. GDPR with Processors, HIPAA with Business Associates (including Business Associates of Business Associates), and Part 2 with Lawful Holders). However, even if there is no Regime mandate, ensuring that Partners adequately protect your sensitive data is mission-critical and therefore a "must do" and not a "nice to do." Given the significant fines that are now routinely imposed and the reputation damage that ensues, it would be cybersecurity malpractice not to have a BPV process in place.

BPV is a systematic process through which your organization acquires satisfactory assurances that your Partners are doing the right things with your data from a cybersecurity perspective. If we were to discuss BPV within a continuum of options, it would be more than having a contract in place with stringent cybersecurity conditions and less than an actual onsite inspection and audit.
That said, the discrete items within this continuum are not unrelated. You should have stringent cybersecurity terms in your Partner contracts, including their willingness to participate in your BPV process and conversations pursuant to the Vetting Questionnaire that may lead to an onsite visit and/or full-blown audit depending on many factors. These factors include, but are not limited to, the sensitivity of the data and the strategic importance of the Partner. The Vetting Questionnaire is designed as an interactive form where your Partners provide responses to questions based on the Ten (10) Essential Controls. The latter is a consolidation of the must-have controls that we believe every compliance regime should have in place. Of course, you could choose to design a questionnaire for each Regime, but we believe that is overkill. For example, our Ten (10) Essential Controls encompass, in an aggregated form, nearly all GDPR/HIPAA controls.

The Vetting Questionnaire allows you to "dig deeper" where warranted depending on the responses ("Responses") provided by each Partner. Our BPV scorecard ("Scorecard") enables you to assign Partners a subjective, but meaningful, score based on their Responses. The Scorecard allows you to track a Partner's progress (or lack thereof) over time. In short, a BPV process enables you to obtain satisfactory assurances from your Partners that your sensitive data is properly protected, while at the same time meeting your own regulatory requirement(s) where applicable. Our Vetting process questions are primarily based on NIST's methodology for conducting Risk Assessments, a methodology that is widely adopted across industries and Regimes. It is also based on our decade-long experience "on the ground" with HIPAA, GDPR, and other Regimes.

The mechanics of the BPV process itself are straightforward. You simply email your Vetting Questionnaire to your Partners and they complete it by answering the questions, signing and returning it to you. The real work lies in taking their Responses and assigning a subjective score to each Partner response based on your Scorecard. Remember this is a subjective internal score that is intended to allow you to track your Partner's progress over time and to internally report Partner status. The guiding principle for scoring should be consistency, so that you can perform an apples-to-apples comparison over time for a specific Partner, and across Partners.

We suggest that you develop a Cover Letter to suit your organization's needs and send it with the Vetting Questionnaire to potential Partners you wish to vet. The Cover Letter provides a brief explanation of the rationale that underpins BPV and how to complete the Questionnaire. The Questionnaire is an interactive PDF; a Partner checks those questions for which they have either complete or partial answers and leaves the rest blank. After each set of questions, space is provided to allow the Partner to enter free-form text elaborating on the answers provided and/or pointing to an additional document that allows an expanded response and a better follow-up conversation.
Once a Partner completes the Questionnaire, they sign it and return it to you for scoring. That's it. Well, not exactly. The BPV process is more akin to an ongoing conversation that you need to have with each Partner concerning their respective compliance programs. If there is one consistent narrative that has emerged over time, it is that compliance is not a "set and forget" type of process. It is ongoing; it never ends. Full compliance, whatever that means in practice, is likely nothing more than an aspirational objective that is sought but never reached.

The applications now deployed by your Partners rival, if not exceed in complexity, your own. In the "outsourced economy" this is the way things work. Each player in the value chain performs the business function that encompasses their unique value proposition. Although there are tremendous benefits to this approach, there are also significant risks. When it comes to your compliance data you can't simply allow your Partners to "do their thing." You must vet and monitor what they do with your data to ensure that you get "satisfactory assurances" that they are doing the right thing (i.e. protecting your data in a manner required by applicable law).