You can do everything possible to keep data secure, such as invest in tighter security controls, adhere to the highest standards, diligently train staff—and yet you can still be vulnerable. Once PHI crosses from the medical organization into the hands of a third-party medical support organization, it’s now the dual responsibility of covered entities as well as these third-party vendors to ensure its safety.
Bottom Line: You’re only as strong as your weakest link.
What is a medical support organization?
Simply put, a medical support organization (MSO) is any third-party healthcare management or medical services organization that provides administrative or medical support services to individual physicians and group practices.
One of the primary purposes of an MSO is to relieve physicians of daily business functions beyond medical necessities, so they can focus on the clinical aspects of their organizations. These services can range from provider contracting to information technology, medical support staff, transportation, and much more.
3 Challenges That Arise with MSOs
Even as the demand grows for medical support organizations to be HIPAA compliant, many organizations are uneducated or unaware of their responsibilities for securing personal health information.
As covered entities expand into new markets and diversify their business, many have begun to work with a broad range of third parties. As a result, it becomes increasingly overwhelming and resource-intensive to manage and monitor these third parties, or even to know which ones to prioritize and how much scrutiny each warrants. Unlike one's own employees, third parties have to be managed indirectly, which makes the task that much more difficult.
If assessment results are not centralized and consolidated across the organization, the outcome is redundancy and duplicated effort where it simply isn’t needed. For example, when different departments manage different third-party functions for the same company, the same third-party vendor may be subject to separate due diligence assessments by the purchasing department, inventory personnel, and the manufacturing department.
Third-party governance, risk assessments, and compliance monitoring involve extremely high volumes of data. It becomes increasingly difficult to make sense of this data and transform it into meaningful insights. Many times, companies are unable to uncover third-party issues or trends in a timely manner because they lack visibility into these areas of concern. All they have is a mountain of data and no way to derive actionable information that can drive decision-making.
3 Steps to Strengthen Third-Party Awareness:
As companies strive to overcome the challenges of third-party due diligence, here are a few important steps that can be taken:
Companies that take the time to conduct proper background checks on each third party set themselves up to build a reputable and trustworthy relationship. They typically collect and analyze data on third-party executives, reputation, government dealings, past convictions, payment accounts, anti-corruption policies, and other critical areas.
Codes of conduct and policies help third parties understand a company's rules and boundaries for ethical behavior and regulatory compliance. What matters is how this content is communicated. Comprehensive training sessions supplemented with refresher courses are ideal. The key is to focus on what behavior is expected of third parties.
Third parties are responsible for establishing and monitoring their own compliance controls. But the companies that hire them are also required to implement preventive, detective, and corrective controls to keep third-party risks and compliance violations in check. Controls need to be monitored, measured, and tested at regular intervals through appropriate due diligence measures. Oftentimes, covered entities turn to a Business Associate Agreement (BAA) to uphold secure access to personal health information (PHI). Click here to read about the current trends and concerns regarding BAAs in our area.
For further information on how to better collaborate with third parties and gain greater visibility into risks, HIPAA violations, and PHI issues, please call us at 871-7040.
LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be a part of Lincoln Family of Companies serving the Western New York Community since 1914.