Gerry Blass on Healthcare Vendor Risk Management (Podcast)

Posted by Ken Reiher

Podcast By: Adam Turteltaub, The Compliance and Ethics Blog

ComplyAssistant’s Gerry Blass joins Adam Turteltaub for The Compliance and Ethics Blog Podcast. To view the entire podcast, please visit The Compliance and Ethics Blog website.

Healthcare risk doesn’t stop at the facility’s door. Covered entities have countless business associates (BA), each of which poses risks of its own. That, in and of itself, is a challenge, but Gerry Blass, President and CEO of ComplyAssistant observes in this podcast that many covered entities aren’t even sure of their complete list of vendors, let alone the risks that can reside in them.

To get a handle on this situation he recommends creating an inventory of your BAs and then dividing them into high, medium and low inherent risk. That involves looking at what each vendor does and the relative risks involved on a granular level. For example, an electronic medical record (EMR) vendor with a cloud-based solution is going to be inherently high risk. A vendor that transfers but does not store data may be just a medium-level risk.

With reports indicating that approximately 60% of breaches occurred at the vendor level, getting a handle on this risk is critical.

Of course, preliminary scoring of the risk level is only the first step. From there the organization needs to get more detailed information to ensure that there are adequate mitigation measures.

He recommends putting together a detailed list of questions both to ask during the onboarding process and later as a part of ongoing auditing and monitoring of the BA. Checking in periodically is essential because situations do change. The work being done by the vendor may have evolved, and so may the vendor’s internal risk management efforts.

He also advises looking at the BA’s own business associates. A given vendor may rely on 10 others.  As a result, it’s important to understand how the risk of the BA’s own BA’s are being managed.

Finally, he also addresses the need to reassess risk as organizations return to the workplace, including how remote access is handled.

Listened in to learn more about how to improve your healthcare vendor risk management processes.