Third Party Risk Management Policy

Version: 1.0
Approval Date: July 28, 2015
Owner: Daniel Wilt

1. Purpose

The purpose of this policy is to establish the methods by which HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) will manage security risks that are introduced by third parties, including contracted vendor service providers and members/participants. The intent is to ensure that the security of HSX's information and information assets is not reduced when sharing information with third parties or by the introduction of third party products or services into the HSX environment.

This policy also describes what processes must be in place before protected health information (PHI) can be released to business associates, and the mechanism for developing and maintaining contractual agreements with business associates regarding their responsibilities under HIPAA regulations.

2. Scope

This policy applies to all third party arrangements, including those with Business Associates.

3. Policy

HSX shall establish third party risk management functions with the purpose of governing security risks of third party organizations that have access to enterprise data, or provide products or services for HSX.

Responsibilities for the third party risk management function shall include:

o Identifying all HSX Business Associates, according to the HIPAA Security and Privacy Rules.
o Vetting the security controls of third parties before establishing a third party contract relationship.
o Ensuring an approved and up-to-date HSX Business Associate Agreement (BAA) is in place and has been signed by every third party.

Third Party Risk Management Policy FINAL v.1.0 5-13-2015.docx 1

o Maintaining a current and accurate listing of all HSX business associates.
o Monitoring third parties for adherence to provisions within BAAs (where applicable), service level agreements (SLAs), and contractual security requirements.
o Performing on-going or continuous reviews of security measures implemented by third party service providers.
o Ensuring the adherence to all other provisions within this policy.

Third Party Risk Identification:

The potential risks to HSX information assets from business processes involving third parties shall be identified, and appropriate controls shall be implemented to mitigate these risks before granting access.

Third parties shall only be granted access to HSX's information assets after due diligence has been conducted, appropriate controls have been implemented, and a written contract defining the terms of access has been signed.

Due diligence by HSX to determine risk shall include interviews, and reviews of documents, checklists, and certifications.

Third Party Security Requirements:

If appropriate, a risk assessment shall be conducted of the third party to determine the specific security requirements necessary to secure their systems to a level of risk acceptable to HSX.

All identified third party security requirements shall be addressed and validated before granting third party access to HSX's information or information assets.

Third Party Agreements:

Agreements with third parties involving accessing, processing, communicating or managing HSX's information assets, or adding products or services to information assets, must cover all relevant security requirements and shall include all required security and privacy controls in accordance with HSX's security and privacy policies.

The specific limitations of access, arrangements for compliance auditing, penalties, and the requirement for notification with respect to relevant third party personnel transfers and terminations shall be identified in the third party agreements.

A standard BAA shall be defined. The standard BAA shall be found on the HSX intranet.

The BAA shall include provisions for breach notification and termination upon breach.

The BAA shall define the disposition of PHI on termination of the agreement.

Third Party Access Control Requirements:

HSX shall only allow third parties to create, receive, maintain, or transmit PHI on its behalf after the organization obtains satisfactory written assurance that the third party will appropriately maintain and enforce the privacy and security of the enterprise data, including, where relevant, protecting PHI via the standard BAA.

Third party access shall be based on the principles of need-to-know and least privilege.

Third party access shall be granted only for the duration required.

Remote access connections between HSX and third parties must be encrypted.

Remote access connections with third parties shall be monitored on an ongoing basis.

Third Party Service Delivery:

HSX shall require that third parties meet industry best practices and regulatory requirements for security and privacy controls and that these controls are implemented, operated and enforced.

SLAs, or contracts with an agreed service arrangement, shall address liability, service definitions, security controls, and other aspects of services management.

HSX shall develop, disseminate and update at least annually a list of current service providers.

HSX shall address information security and other business considerations when acquiring systems or services, including maintaining security during transitions and business continuity following a failure or disaster.

Third Party Service Providers Monitoring and Review:

The services, reports and records provided by the third party Service Provider shall be monitored and reviewed on an annual basis, and audits shall be carried out to ensure compliance with the third party service provider agreements is maintained.

The results of monitoring activities of third party Service Provider services shall be compared against the SLA or contracts at least annually.

Regular progress meetings shall be conducted as required by the SLA or contract to review reports, audit trails, security events, operational issues, failures and disruptions, and to ensure identified issues are investigated and resolved accordingly.

Network connections with third party Service Providers shall be periodically audited to ensure that they have implemented any required security features and meet all requirements agreed to with HSX.

Third Party Member and Participant Monitoring and Review:

HSX shall require Members and Participants to respond to a Privacy and Security Statement prior to contract execution and eligibility to exchange information or access the exchange.

HSX shall review each Privacy and Security Statement for compliance with HSX requirements.

HSX shall deny membership or participation unless the Member or Participant has resubmitted their Privacy and Security Statement reflecting remediation of all identified gaps.

Members and Participants are required to notify HSX in the event that they have identified any area of non-compliance with this policy.

HSX will conduct an annual Privacy and Security survey for a subset of the Members/Participants and review for compliance and take appropriate actions, if any, deemed necessary.

Third Party Change Management:

Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking into account the criticality of business systems and processes involved and re-assessment of risks.

Third parties shall be required to coordinate, manage and communicate changes that will have an impact on HSX information, systems or processes.

Third party changes shall be evaluated to identify the potential impacts before implementation.

4. Enforcement

The CISO and Privacy Officer shall be responsible for enforcing compliance with this policy under the direction of the Executive Director.

The Member or Participant shall be responsible for enforcing compliance with this policy at minimum within their organization.

5. Definitions

For a complete list of definitions, refer to the Glossary.

6. References

Regulatory References:

HIPAA Regulatory Reference: HIPAA 164.308(a)(3)(ii)(A), HIPAA 164.308(a)(4)(ii)(B), HIPAA 164.308(b)(1), HIPAA 164.308(b)(3), HIPAA 164.314(a)(1), HIPAA 164.314(a)(2)(i), HIPAA 164.314(a)(2)(ii), HIPAA 164.314(b)(1), HIPAA 164.314(b)(2)(i), HIPAA 164.314(b)(2)(ii), HIPAA 164.314(b)(2)(iii), HIPAA 164.314(b)(2)(iv), HIPAA 164.404(b), HIPAA 164.410(a)(1), HIPAA 164.410(a)(2), HIPAA 164.410(b), HIPAA 164.410(c)(1), HIPAA 164.410(c)(2), HIPAA 164.414(b)

HITRUST Reference: 05.i Identification of Risks Related to External Parties, 05.j Addressing Security When Dealing with Customers, 05.k Addressing Security in Third Party Agreements, 09.e Service Delivery, 09.f Monitoring and Review of Third Party Services, 09.g Managing Changes to Third Party Services

PCI Regulatory Reference: PCI DSS v3 2.6, PCI DSS v3 12.8, PCI DSS v3 12.8.1, PCI DSS v3 12.8.2, PCI DSS v3 12.8.3, PCI DSS v3 12.8.4, PCI DSS v3 12.8.5, PCI DSS v3 12.9

PA eHealth Reference: 9.0. Patient Auditing and Accounting of Disclosures

Policy Owner: Daniel Wilt
Contact: Daniel.wilt@hsxsepa.org
Approved By: Board (Approval Date: July 28, 2015); HSX Management Team (Date Policy In Effect: 5-13-2015)
Version #: 1
Original Issue Date: 5-13-2015
Last Review Date:
Related Documents: Business Associate Agreement Template (BAA), Glossary, Service Level Agreement Template (SLA)