Third Party Risk Management for Health Related Information
The Health Insurance Portability and Accountability Act (HIPAA) includes two intertwined rules that are relevant for the proper management of third-party risk in the health sector: a Security Rule and a Privacy Rule. Under the HIPAA Security Rule, organizations must ensure the confidentiality, integrity, and availability of all health information they have; protect against threats to security and integrity of health-related information they process; protect against unauthorized use or disclosure, and ensure workforce compliance. Under the HIPAA Privacy Rule, organizations must ensure the privacy of protected health information (PHI) by implementing appropriate safeguards, setting limits and conditions on use and disclosure, as well as facilitating the exercise of patient’s rights over their health information (including rights to examine and obtain a copy of their health records, and to request corrections). In short, The HIPAA Security Rule operationalizes the protections contained in the HIPAA Privacy Rule by addressing both technical and non-technical safeguards. HIPAA extends its scope to include management of contractors’ obligations.
HIPAA has its own term for vendors, which are known as “business associates.” Business associates are persons or entities that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or for the provision of services to, a covered entity (i.e., health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction covered in subchapter §160.103). The HIPAA Privacy Rule allows covered entities to disclose PHI to business associates if they execute a written agreement that stipulates the specific purposes for which the business associate will use the PHI, the safeguards to be implemented, and the means by which they will help the covered entity comply with its obligations under HIPAA.
Besides some specific elements that ought to be included in the written agreement, HIPAA provides a “flexibility of approach”. This means that under HIPAA, “[c]overed entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement” and manage its standards and specifications — i.e., it utilizes a risk-based approach that ought to be assessed by the parties involved. This risk-based approach is quite similar to the European approach found in the GDPR.
For additional details on HIPAA, click here.
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use, or disclosure of personal information in the course of a commercial activity which includes personal health information. PIPEDA applies 1) organizations that collect, use, or disclose personal information in the course of commercial activities; or 2) organizations that collect personal data of employees of, or applicants for employment, and which the organization uses or discloses in connection with the operation of a federal work, undertaking or business.
Although PIPEDA does not distinguish between general third-parties (e.g. individuals gaining access to data, processors, and vendors) in the strict sense (such as the GDPR does), there are several obligations that must be observed when the processing operations are carried out by third parties. According to Principle 1 (Accountability), the organization is responsible for personal information in its possession or custody, including information transferred to a third party. The organization must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. The contractual instrument governing the processing of personal data by third parties should include policies and practices required to operationalize the principles laid down in PIPEDA.
It should be noted that Agreements with vendors may vary in their requirements depending on the province. For example, Ontario has classifications for service providers (i.e., information network providers) and whether an agreement is required depends on that particular provider’s classification.
For additional details on PIPEDA, click here.
The Brazilian General Data Protection Law (‘lei geral e única de proteção de dados pessoais’ – “LGPD”) becomes effective on August 14, 2020, and is the first omnibus comprehensive Brazilian privacy legislation. The LGPD adopts a number of principles coming from the EU privacy laws. The LGPD aims to provide a strong uniform level of protection to the personal information of data subjects located in Brazil and to ensure implementation of safeguards for the processing and international transfers of personal data. Sensitive personal data is defined under this law to include health data and this data should be treated in a differentiated manner, with additional security layers, and with different lawful processing grounds.
The LGPD requires controllers to implement appropriate safeguards taking into account, among other things, the sensitivity of the personal data (i.e. health-related data is considered sensitive) and to set in motion an internal and external governance program. Thus, the LGPD requires for the controller to verify that the processor adheres to the controller’s data processing instructions and that the processor also follows the legal rules governing the specific processing operations.
For additional details on LGPD, click here.
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) came into force on May 25, 2018. The GDPR offers a new framework for personal data protection with increased obligations for organisations as well as a far and wide reach. The regulation aims to strengthen and harmonise data protection law in the EU while providing strong new rights to data subjects located in the EU. Under the GDPR, health data, genetic data, and biometric data are classified as sensitive personal data. In addition, a key difference between the old European Data Protection Directive and the GDPR is that now the engagement of data processors is governed by a more stringent regulatory framework. One clear example of this is the number of times we find the word processor in the old Data Protection Directive (11 times) compared with the 238 references to a data processor in the GDPR. moreover, under the GDPR both controllers and processors are jointly liable for complying with data protection regulations. Therefore, it is critical to analyse vendor data transfers and contractual obligations with the same level of diligence as internal processing activities to have a defensible posture in the unfortunate event that a supplier or vendor has a breach.
The GDPR outlines vendor management responsibilities specifically in Articles 24, 28, 29, and 46. There is shared liability for companies using vendors to process data, and organisations should look to have the correct protections in place. In addition, the GDPR has an extraterritorial scope whereby controllers established in Europe (or abroad but who target data subjects in Europe) have to make sure that their processors are able to comply with all GDPR obligations, regardless of whether they (the processors) are located in the EU/EEA.
For additional details on GDPR, click here
South Africa Protection of Personal Information Act (POPIA)
South Africa signed the Protection of Personal Information Act (POPIA) into law on 19 November 2013. The purpose of the Act is to elevate the level of data protection and privacy standards in South Africa. The Act refers to special categories of data as “special personal information” which includes health data.
The law indicates that, by means of a binding contract, controllers must ensure that processors implement and maintain security measures. In addition, processors can only process personal data with the knowledge or authorisation of the controller, and such data ought to be treated confidentially. These obligations also have to be stipulated in a contract.
For additional details on POPIA, click here.
Singapore Personal Data Protection Act
The Singapore Personal Data Protection Act (PDPA) sets a baseline standard of protection for personal data across Singapore’s economy by complementing sector-specific legislative and regulatory frameworks. This means that organizations will have to comply with the PDPA as well as the common law and other relevant sector-specific laws when processing personal data in their possession. Personal health data is a subset of the personal data regulated by this law.
Although there is no explicit mention of the obligation of organizations (controllers) to engage their vendors with a legally binding instrument (e.g. a contract), Section 4.2 stipulates that data processors (“data intermediaries”) processing personal data on behalf of a controller are subject to observe security obligations (“protection obligation”) retention limitation obligation. The interpretation of this provision could be stretched understand that there is an implicit obligation of controllers to engage their vendors with a contract because if there is no contract the vendor could (e.g.) be regarded as a controller.
For additional details on Singapore’s PDPA, click here.
Hong Kong Personal Data Privacy Ordinance
In Hong Kong, the main legislation on data protection is the Personal Data Privacy Ordinance (PDPO). The PDPO regulates the collection, use and handling of personal data. The PDPO is a principle-based law. Schedule 1 of the PDPO sets out six data protection principles (“DPPs”), which govern the collection, use, processing, security, retention/destruction and access to personal data. Health-related data is regulated by this law and there are relevant safeguards in place in the form of obligations or exemptions (for when the application of the provisions in the law could result in harm to data subjects).
The third data protection principle (DPP3) addresses third-party risk. It covers how personal data is to be used and processed, including the criteria under which personal data can be transferred and disclosed to third parties. In essence the processing of health-related personal data by third parties must be for a purpose that is the same as, or directly related to, the purpose for which the data were to be used at the time of collection of the data by the data user and a program should be in place to ensure this is carried out.
For additional details on Hong Kong’s PDPO, click here.
The Privacy Act 1988 is the foundation of Australia’s national privacy regulatory regime as it regulates how personal information is handled. The Privacy Act 1988 includes thirteen Australian Privacy Principles (APPs), which apply to some private sector organizations, as well as most Australian Government agencies (collectively “APP entities”). The Privacy Act regulates a broad range of processing operations, including the processing of health-related data by health service providers.
When organizations outsource any of their processing operations to a third party (including to a cloud service provider), and they continue to control that information as it is defined under the act, they will still be subject to the restrictions laid down in the Privacy Act 1988. For this reason, it is important to conduct appropriate due diligence on the services to be provided (particularly data storage services such as cloud services) and to engage in the ongoing monitoring of vendors.
For additional details on the Australian Privacy Act 1988, click here.
How OneTrust Helps
OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews.
Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions.
In addition, our vendor-chasing and ongoing monitoring systems allow controllers to regularly assess their vendors and any changes that they may include throughout their processing operations (such as sub-contracting their own vendors). In essence, our vendor risk management module allows businesses to automate the Vendor engagement lifecycle, from onboarding to offboarding with 360° third-party visibility.
For additional details on Vendorpedia, click here.
Third Party Risk Management for Health Related Information
Sector specific processing
A healthcare compliance program is an organization’s systematic approach to meeting the requirements of the health care laws that their organization is subject to. More specifically, a healthcare compliance program should include the policies, procedures, guidelines, resources, activities and controls employed in pursuit of that aim. This includes compliance with sector-specific privacy obligations for the protection, use and disclosure of health-related personal data.
An effective health compliance program requires skilled decision-making, documented policies and procedures, awareness and training, clear allocation of responsibilities and asset ownership, implementation risk assessments and response plans, incident management, and more. These requirements are closely related to third-party risk management in the health care sector because the more parties involved in the processing of health data the more complex it becomes to manage the risks involved.
Below we detail some of the most prominent laws governing third-party risk review and management within the healthcare sector. Please bear in mind that throughout this entry we use the terms “contractor”, “vendor” and “third party” interchangeably.
Last Updated: July 12, 2019
OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.