We’ve all been there: at the doctor’s office, while a frustrated nurse or technician clicks and waits while entering data into their system and apologizes for the long wait. You often hear, “We’re migrating systems and I have to go back and forth between our old one and this new one to get information” or “Our new system is taking forever.” That is frustrating on its own, and it’s even more frustrating when we expect the medical process to run smoothly and be “up-to-date” with modern technology, and it just isn’t. Just last month, I had to physically pick up a copy of a negative COVID-19 test to provide it to my child’s school because the clinic wasn’t able to email confirmation.
Why Healthcare Is the Last Major Industry to Successfully Transfer to Electronic Systems
There are two primary reasons why:
- Regulations: For starters, medical information is heavily regulated. Despite government incentives to speed the move to electronic records and the Internet of Medical Things (IoMT), the red tape is sometimes just too cumbersome to cut through.
- Limited resources: There is seldom enough support staff in place to translate the guidance, plan and support the project, assure information security throughout, and manage changes at every phase without disrupting services and care.
The Woes of Electronic Health Records (EHRs) System Migration
Choosing an electronic health records provider is a major decision. The software used to manage health records for any health center, large or small, will completely change the ebb and flow of day-to-day life, not only for employees but for patients too. Here are four of the challenges:
- Disconnect from the executive level: Unfortunately, these decisions are often made at the top without taking the time to understand the full impact on the end user.
- Highly valuable data: Healthcare data is lucrative for bad actors, which is why breaches of healthcare technology are all too common and on the rise.
- Unclear guidelines: Sometimes the hardest parts of vendor management are knowing what is required and then knowing where to start. Unlike the regulatory guidance issued to financial institutions, the Health Insurance Portability and Accountability Act (HIPAA) rules for managing business associates lay out what must be done without much insight into how it should be done.
- Vendor risk: With attention necessarily concentrated on the vendors that handle healthcare information directly, even less is left for the “other” third-party relationships (IT support, billing services and the like) which may also pose risk.
How Vendor Management Can Help
The answer is simple. Basic knowledge of, and consistent practice in, third-party risk management can provide the “triage” needed to implement new technologies, services and vendor relationships while minimizing the risks involved.
Here is a broad outline of the four stages of the third-party risk management (TPRM) lifecycle, which shows why TPRM matters in healthcare:
Step 1 – Inherent Risk and Criticality Assessment: Begin the vendor engagement with an understanding of inherent risk and criticality. This step establishes the highest level of risk your organization could be exposed to. Inherent risk is the risk present before any controls are put in place, and criticality is how significant the vendor’s impact on your organization would be if the vendor failed or were compromised. An EHR vendor that hosts all of your patient records will typically land in the highest tier on both counts.
Step 2 – Due Diligence and Residual Risk Determination: Based on what you’ve learned, find out how the vendor manages and mitigates those risks, then decide whether the remaining (residual) risk is acceptable enough to move forward. For EHR software, give special consideration to information security: how the system integrates with your existing systems, how data is transferred (and whether it is encrypted in transit), what happens to data once it’s in the system (encryption at rest, retention and disposal), who will be able to access it and how (authentication, role-based access and audit logging), and what independent evidence, such as a SOC 2 report or penetration test results, the vendor can provide to back up its answers.
Step 3 – Vendor Selection and Contract Management: Select the best vendor for the job, negotiate a good contract and manage the vendor appropriately. A well-written contract saves money and time and gives you terms you can hold the vendor to, so include service level agreements (SLAs) at this step. Because an EHR vendor creates, receives, maintains or transmits protected health information (PHI), HIPAA requires a Business Associate Agreement (BAA); execute one with the EHR vendor and manage it as such, with clear terms to assure HIPAA compliance (permitted uses of PHI, required safeguards, breach notification, and return or destruction of PHI at termination).
Step 4 – Ongoing Monitoring: Keep a close watch on the relationship through ongoing monitoring, periodic risk assessments and regular reporting. This lets you stay informed of new risks and quickly address issues such as unmet SLA terms.
Remember that the goal behind frameworks like HITRUST (Health Information Trust Alliance) is twofold: we want our data protected and our information secure, but the whole point of the push to EHRs is to use these technologies to improve the patient experience and let technological advances facilitate better health and wellbeing. If the technology is too cumbersome to fulfill that purpose, our efforts are moot. By putting more effort into the onboarding process and using tried-and-true vendor management practices, we’ll be better placed to reach that goal.
Ensuring your third-party risk management program is running smoothly and is adequate is key when transitioning to electronic health records.