The North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA) has published a Vendor Management Policy Template to help covered entities address the privacy and security challenges of managing multiple vendors with varying degrees of access to sensitive health information.
The template was developed by NCHICA’s Privacy and Security Officials Workgroup in recognition that vendors have different security and privacy risk profiles. Under the original HIPAA Security and Privacy Rules, all covered entities were required to execute a Business Associate Agreement with any vendor, regardless of the level of risk. The template’s management framework defines standard tiers based on vendor risk and establishes a minimum set of oversight controls based on preset risk categories. This is particularly important as covered entities seek to comply with the more stringent business associate requirements contained in the national Health Information Technology for Economic and Clinical Health (HITECH) Act.
“We believe this template will be of great benefit to both covered entities and vendors by streamlining the BAA process,” said Holt Anderson, Executive Director of NCHICA. “It is our hope the vendor management approach will be widely adopted by the healthcare industry, which will help align covered entity and vendor expectations based on the services to be provided. By setting consistent expectations across the healthcare industry, we can reduce audit and compliance costs.”
While the template has been targeted for the healthcare industry, the principles included should have broad appeal in many other verticals, including manufacturing, financial, services, auditing, software development, marketing or any other domain where either regulated or sensitive intellectual property is created, hosted or processed by a third party.
The template can be downloaded for $50 from the NCHICA website. For further information, visit www.nchica.org.