On February 4, 2019, Thora Johnson spoke on the panel "Cutting through the Noise: Determining Whether Your Vendor’s Security Incident Is a Breach."
Former OCR regulators and experienced healthcare counsel looked beneath the surface of your vendor’s security incident report to determine whether there is a reportable breach. The presentation also addressed the questions below through discussion of several scenarios, viewed through the lens of HIPAA and other health information privacy rules.
- Who is responsible for determining if there is a lurking reportable breach caused by your vendor’s security incident?
- Who should you involve at your healthcare organization? What roles should your privacy, compliance, and security professionals, in-house counsel, and outside consultants and advisers play, and if and when should they get involved?
- What questions need to be asked to identify the root cause of the incident? How to determine the extent of information needed to assess the risk of data compromise. How to view the vendor’s own assessment critically.
- How to determine whether to terminate the vendor relationship. Whether it is terminated or salvaged, what are the next steps with the vendor? Tips to manage vendor relationships to minimize future security incidents and breaches.