Data Security Concerns for Health Care Providers: A two-part series

By HunterMaclean Attorneys
Originally published by HealthITSecurity.com. Used by permission.

Part one: Prioritizing patient data security in health care IT contracts

It is no wonder that data security concerns keep both corporate directors and company general counsel up at night, as reported by the 2013 Law in the Boardroom study by Corporate Board Member and FTI Consulting. While there is no such thing as perfect health data security, a properly implemented data security program and contract should provide health care executives with enough peace of mind to at least get a good night’s sleep.

A data security program should be a significant priority for any health care organization and should include, at a minimum, employee screening and training, security policies and procedures that are regularly assessed and updated, breach response plans and appropriate insurance. There are specific contractual protections that a health care organization should negotiate in its contracts with third-party vendors that will store, or have access to, its data. Additionally, appropriate due diligence is a crucial prerequisite to every good contract and should include investigation and assessment of potential vendors’ data security practices.

Part two: A health care vendor contract’s required security policies

Last week, I delved into areas of a health care vendor contract that a health care organization should pay special attention to, such as federal compliance, confidentiality and patient data security. But there are more considerations for these organizations as they wade through the volumes upon volumes of paperwork that go along with a vendor contract. In Part 2 below, I list more provisions and policies that should be in place to best secure your patients’ data while ensuring that vendors are equally responsible for potential health data breaches.

Policies and procedures – Your organization also should already have its own security program, including security policies and procedures. Typical security policies and procedures will, for instance, limit physical facility access (if applicable), limit local and remote access to computer networks, and require virus scans before connection to computer networks. Your contract with vendors should provide that you will give a copy of your applicable policies and procedures to the vendor from time to time and that the vendor will comply with them.
