How to Use a Gap Analysis to Build Your ROI Roadmap

One of the best tools for ensuring organization-wide ROI compliance is a gap analysis. A gap analysis looks at the entire disclosure management process to give you a sense of where you are today versus where you need to be to achieve and maintain compliance. In addition to compliance, the benefits of a gap analysis include a full accounting of disclosures, improved productivity, reduced paper processing, increased electronic release, improved turn-around time, and improved requestor satisfaction. This is an especially relevant topic given Information Blocking and the upcoming proposed changes to HIPAA, which are presumed to go into effect this spring.

To begin a gap analysis, you must first assess your current state. We can break this down into six steps.

  1. Determine where the ROI flows into departments, practices, clinics, hospitals, etc.
  2. Lay out a flowchart of all “on ramps.”
  3. Document the handling of all requests to include how many people touch a request. For example, does HIM forward a copy to radiology, the business office, sleep center, etc.?
  4. Analyze access to systems. Include all steps required to obtain access and what effort is needed to capture all pertinent information.
  5. Review current delivery method options (print, package, mail, email, fax, etc.).
  6. Determine current turn-around time. Start with the actual received date and remember that the TAT clock doesn’t stop and restart every time a request is forwarded to another department or location.

Once you’ve assessed your current state, it’s time to develop an action plan.

Working with a vendor partner who can automate this process will make this step much easier. Your action plan should involve a committee of location leaders or decision makers. You can use the “on ramp” flowchart from the previous step to make decisions on centralizing intake. Then provide access to all source systems to HIM or one centralized group. To reduce the number of patients wanting to review in-person, expand your delivery method options through automated technology like Verisma Request App®. Finally, establish a one-touch process to accomplish an accurate TAT.

The most difficult part of this process is building a unified ROI plan. Change projects are always challenging, especially within complex health systems, but your gap analysis will help as you move forward. Follow these five steps to build and implement your plan.


  1. Recognize the need for change. Get internal support and lay out your business case with benefits. HIM leadership should usually handle this step.
  2. Craft a vision. Your vendor partner can help you strategize for success.
  3. Implement change.
  4. Embed changes in your culture and practices. Make sure old ways aren’t creeping back in.
  5. Review your progress and analyze the results.

If you’d like to learn more about how Verisma can help you conduct a gap analysis and build an ROI roadmap, contact us.

Learn more about the gap analysis process and earn an AHIMA CEU through Verisma Academy. 
Advancing Information Sharing: Understanding EHI

This blog summarizes the content from Verisma’s ROI Roundtable Webinar. The full recording and slides are available.
The information blocking definition of electronic health information (EHI) includes the entire scope of electronic protected health information (ePHI) that is or would be in a Designated Record Set (DRS). Prior to October 6, 2022, the definition of information blocking was focused only on the subset of EHI that is represented by elements in the United States Core Data for Interoperability (USCDI) v1. As of October 6, 2022, all EHI falls within the scope of the information blocking definition. 

What is and what is not EHI for purposes of information blocking regulations? In Verisma’s Nov 2022 ROI Roundtable Webinar we heard from two experts with the ONC – Rachel Nelson JD, Branch Chief, Compliance and Administration Branch, and Dan Healy, Policy Coordinator, Compliance and Administration Branch – on what EHI is and how its definition relates to but differs from the definition of ePHI under the HIPAA Rules. The speakers provided important facts related to current information blocking policy and what healthcare organizations and providers should bear in mind specific to information blocking regulations as they review and update their technical capabilities and workflows in the context of their DRS (Designated Record Set) to ensure they are sharing EHI consistent with all applicable laws. Some highlights from their presentation follow.

What is EHI as defined by the information blocking regulation?  According to ONC, EHI is as follows:

  • “Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA.”

The scope of EHI was shown in the following ONC graphic, which can be found at HealthIT.gov:

The expansion is “only” PHI that is in an electronic format. Noted in the webinar is that EHI is “electronic health information (ePHI) to the extent that it would be included in a designated record set.” Further explained during the webinar was that EHI “is individually identifiable health information, that is maintained in electronic media or transmitted by electronic media.” If the ePHI is included in any of the following records and not in the exclusions such as psychotherapy notes, then it would be considered EHI:

  • Medical records and billing records of a provider about an individual
  • Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan.
  • Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well. Examples include psychotherapy notes; information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; health information in employment records; and de-identified protected health information. EHI is not limited by when the information was generated.

Organizations should be looking at what they now include in their designated record set policy and revise it if necessary, to ensure that their policy includes the full scope of EHI that is now in effect as of the October 6, 2022 expansion of the EHI definition beyond the previous USCDI v1 definition. Working with your Release of Information vendor is important as well, so they are aware of exactly what ePHI is defined in your designated record set and how to access all the ePHI for disclosure purposes. Many resources such as an EHI Fact Sheet, recorded Webinars, and an Infographic are available on https://www.healthit.gov/.

Dan and Rachel also spent time going over the Information Blocking definition and explaining how it relates directly to the exchange of ePHI. More details and explanation of the Information Blocking Regulation were shared with the attendees, and points that have raised questions from health care providers and others in the health IT field were clarified. Information Blocking applies to “actors.” Actors are:

  • Health Care Providers
  • Health IT Developers of Certified Health IT
  • Health Information Networks (HINs)
  • Health Information Exchanges (HIEs)

The exceptions to the Information Blocking Rule have caused a lot of questions from “actors,” in particular the “Content and Manner Exception,” under which it is not considered information blocking if the actor does not have all the requested EHI in their possession, the EHI cannot be shared using the technology requested, or the EHI must be “withheld due to laws or is permissible to be withheld, such as under the Preventing Harm or Privacy exceptions.” One example would be if it were impossible for an actor to segment out psychotherapy notes from the EHI. Another would be if the cost to comply were prohibitive. Other examples were given, as was resource information available on ONC’s Cures Act Final Rule website. For more in-depth information on Information Blocking, resources such as fact sheets, Webinars, and FAQs can be found at https://www.healthit.gov/.

Health Information Management leaders should be reviewing all policies and procedures related to release of ePHI, especially their designated record set policy, to ensure they are following the updated requirements that went into effect on October 6, 2022, and working closely with their ROI vendor to ensure it is up to date on all the requirements so there is no risk of information blocking.


AHIMA22 Overview and Takeaways

AHIMA22 brought us to Columbus this year, the capital and heart of Ohio. It’s been three years since we’ve all been together and there was so much catching up to do! The American Health Information Management Association (AHIMA) is the leading voice and authority in health information, where the associated experts work at the intersection of healthcare, technology, and business. Today more than ever, in an era where technology drives change and efficiencies on one hand and on the other hand increases the risk of interfering with privacy and security, managing the complexity of patients’ information is critical. Healthcare professionals must ensure that sensitive health stories remain accurate, accessible, protected, and complete at all times.

We all know the tremendous effects COVID had on our healthcare and the gaps it highlighted in our systems. It changed the workforce landscape with an increased need for healthcare professionals and the reality that jobs require more technical skills than ever before. AHIMA22 highlighted the emerging changes and responsibilities that healthcare information management professionals face today.

The conference kicked off with sessions on “Design Thinking for Innovation in Healthcare” and “What Does it Take to Become a Revenue Cycle Executive” and a marching band performance! There were over 40 in-person sessions led by health data experts and visionaries, new product tech demos in the exhibit hall, networking opportunities, and social events with over 3,00 attendees. Thinking back on all that I heard and witnessed at this convention, there are a few key takeaways I’d like to share:

Design Thinking for Innovation in Healthcare

This workshop kicked off the conference and set the tone for the rest of the week. The design thinking process is a method that many startups and innovative companies use to solve real end-user problems, and it’s one of my favorite methods for developing user-centric products. Design thinking is taught at top universities like Harvard and has been adopted by brand-name companies such as Apple, Google, and Samsung. It’s a 5-part problem-solving approach you can apply in both your organization and your daily life. It centers on end-user challenges and on how to put aside limiting beliefs and our own perspectives to solve a problem based on observation and thinking outside the box.

“Healthcare requires continuous innovation to meet the needs of patients and providers,” says Mary Ann Sullivan, MA, CCMP, senior director, professional development and education operations and innovation at AHIMA. But important stakeholders are not always considered when new interventions or processes are designed. This can lead to products and services that do little more than gather dust, while the underlying issues remain unaddressed. “Design thinking,” Sullivan says, “can be used to improve clinician-patient workflows, healthcare spaces, customer service, and community programs.” In a healthcare landscape where there are so many silos, this methodology can be useful to bridge the gap and deliver real solutions that bring back the patient to the center of care.

Privacy and Security

AHIMA22 had top experts on information blocking, electronic health record vendor efforts to protect privacy and achieve interoperability, cyberthreats, and risks associated with the Internet of Medical Things (IoMT). There is an ongoing responsibility to understand and comply with laws that govern the privacy and security of health information. It’s important to learn unique security gaps and how to mitigate the IoMT risk as healthcare increases its use of devices that interact directly with patients. Furthermore, understanding the current drive to achieve an interoperable landscape requires heightened privacy and security.

Consumerism

The last several years were a turning point in healthcare, with consumers finally empowered to make more informed decisions about their health. AHIMA22 included a focus on consumerism with sessions that offered incredible insight for health leaders to learn about new and emerging technologies and roles in health information that place the patient at the center of it all. Returning consumers to the center of patient care will impact healthcare for generations to come. Healthcare professionals can be both patient advocates and liaisons to help patients better understand the ever-changing environment. The pandemic has accelerated patients’ usage of health-related digital devices, which can provide more productivity but also isolates the patient from human care. Healthcare professionals need to understand technology and find ways to humanize the experience.

Data

There were many lectures and vendor demos of products related to data. Because we use the science of collected information to get predictable results in a complex system, more data can lead to more informed decision making. This is vital because health data, including population health information, must be accurate and trusted, as many strategic and patient care decisions rely on it. Health data and data models also have a significant impact on business intelligence and initiatives. They can shed light on gaps in the systems or reasons for failure in the workflows and showcase inefficiencies. Data governance is the yellow brick road to health data integrity and must be followed to ensure the reliability of the data. Organizations seek to improve patient care and outcomes through the collection of Social Determinants of Health data. Health data lies at the center of interoperability, and interoperability is the key to getting the right information at the right time to the right person. Here at Verisma, we have a leading data and analytics tool that is easy to use, and all the reports related to Release of Information can be customized in an easy-to-understand format to drive real engagement with the process of providing real and accurate health records.

It was interesting to flow between so many fascinating topics while acknowledging how much the role of Health Information Managers is changing. That’s why Verisma is changing ROI for a changing world. I look forward to showing you the new products and services we’re developing to support you!

If you or your colleagues plan to attend AHIMA’s virtual conference in November, don’t miss Verisma’s session on the top disclosure management trends.


AHIMA 22 Verisma Team
Using Technology to Achieve Centralized ROI

By Barbara Carr, RHIA

I have spoken often about how urgent it is to centralize your release of information (ROI) processes. COVID, hybrid workforces, Information Blocking requirements, and the upcoming anticipated HIPAA changes with a reduced turnaround time of 15 days have put more pressure on healthcare organizations to move to a streamlined, unified process to manage the requests for healthcare information that flow into their organizations and land in various locations.

Having disparate processes and various policies sets your organization up for compliance risks in addition to redundant and costly processing. Are all incoming requests making it to your ROI team in a timely way, or are they sitting on fax machines or desks, waiting days to be entered into the system? We need to ask ourselves: can we truly account for all disclosures of protected health information taking place across our entire organizations?

Without a centralized intake process, the answer is probably no.

Once you make the commitment to centralize your ROI process, you will need the right technology to make it work. Some questions you may have include:

  • How will various requests get into a centralized system?
  • How will you be able to ascertain and prioritize the types of requests that are coming in across your system?
  • How will you know where the requests are coming from and what, if any, backlogs may be creeping in?
  • How will you be able to manage the input of requests?
  • How can you report on the success of a centralized process?

All these questions can be answered by utilizing the right technology and partnering with the right ROI vendor. Of course, you will need sound policies and procedures, but without the technology, it just doesn’t work.

The Verisma Release Manager® (VRM®) platform with its powerful Verisma Inbox™ technology can help your organization centralize and streamline the request intake process and aid in reducing redundancy, improving productivity and turnaround time, and providing metrics and visibility into your ROI operations. Here’s how:

  • Utilizes smart barcode technology that automates the entire request intake by healthcare facility, giving you 100% visibility.
  • Centralizes and automatically categorizes all requests based on rules you specify. This helps effectively prioritize the time sensitive requests so they can be worked on first.
  • Requests can be received from multiple sources with duplicate requests flagged to reduce multiple releases of the same record to the same requestor.
  • Everything visible on one page enables faster processing of each request. The actual request/authorization images, its current status, who in production the request is assigned to, and any important instructions/notes regarding the request are all visible on one page.
  • Built-in retrieval protocols tell the ROI workflow specialist where to go across your disparate record sources for each record type being requested, supported by built-in policies and procedures specific to your organization. No need to search elsewhere for this information.
  • Comprehensive analytics produce metrics on volume, productivity, turnaround times, workflow compliance, and financials at multiple data levels (by facility, employee, request type, delivery method, etc.), making a centralized process more efficient and manageable than ever before.

One example of how the right technology can be an invaluable asset in the management, compliance, and overall efficiency of an enterprise-wide disclosure management process is a large, complex, multi-hospital health system that discovered, and quickly resolved, a significant request backlog caused by its previous decentralized ROI approach. Within weeks of implementing the Verisma Inbox tool, this organization is realizing the benefits of one centralized solution for processing ROI requests. It now has immediate visibility into its volume and turnaround time metrics across all sites, greatly reducing the risk of future backlogs.

Utilizing advanced technology along with well-thought-out policies, procedures, and staff training can make managing a centralized approach to ROI across your enterprise a highly achievable objective.

3 Reasons You Miss Turnaround Times (and what to do about it)

It’s 4:45 pm and your shift is about to end. You take one final glance at the queue of new patient record requests and unbelievably, it’s at zero. “Great!” you think, “My team has visibility on everything that needs to be processed and is well on their way to responding within 30 days. Even if we only had 15 days, we could handle this!”

Now let’s be honest – this is a fantastical scenario. Most, if not all, healthcare organizations have a backlog of requests they’re aware of but haven’t processed. Thankfully, if you track the date those requests entered your system, reaching the HIPAA-required turnaround time should be doable, right?

Not always. Here are three reasons why:

1. Your backlog is bigger than you think

If you manage turnaround times based on your intake queue, you need 100% certainty that record requests make it to the queue on day one. Are there requests sitting on the fax machine? Are there several sitting in someone’s email inbox? Are they on vacation?

There’s risk in what you can’t see. If your organization has multiple locations with a decentralized ROI process, this problem compounds.

To confidently say your organization meets required turnaround times, you need 100% visibility across the intake process.

2. Your backlog is smaller than you think

We all know it’s unavoidable – duplicate requests. Whether by accident or due to impatience, this redundancy is an inefficient use of time and resources.

3. You’re not prioritizing effectively

First in first out isn’t always the best process. If all record requests in your system look the same, how do you know which are from patients vs attorneys? How many are for continuity of care?

COVID, hybrid workforces, Information Blocking requirements, and the upcoming anticipated HIPAA changes with a reduced turnaround time of 15 days have put more pressure on healthcare organizations to move to a streamlined, unified process.

Verisma’s disclosure management experts are here to guide you through the process. Well-orchestrated policies and procedures paired with leading technology designed for ROI workflows are the key to achieving improved productivity, enhanced patient/requestor experience, and actionable metrics on your ROI operations success.

Specifically, the Verisma® advanced Release Management (VRM®) platform with its powerful Verisma Inbox™ technology:

  • Utilizes smart barcode technology that automates the entire request intake by healthcare facility, giving you 100% visibility
  • Flags duplicate requests to reduce multiple releases of the same record to the same requestor
  • Centralizes and automatically categorizes all requests based on rules you specify so you can prioritize effectively

Verisma Inbox™ technology is the first of its kind and continues to offer more automation capabilities at no extra cost to our clients. Come see our latest innovations at AHIMA 22 booth #411.

Not going to AHIMA? Request a demo any time here.

Webinar Recap:  Software Supply Chain Risk – Effective Third-Party, “Nth”-Party Management

On August 10th Verisma hosted a webinar where Verisma’s Chief Information Security Officer, Jim Staley, provided the HIM community with vital information on how to protect Protected Health Information (PHI) from third-party cyberattacks. This topic is not only timely, but something all of us need to be aware of and take steps for in order to protect our critical PHI.

The top 2 enforcement actions by the Department of Health and Human Services and OCR in 2021 were: 1) Patient Right of Access to their medical information and 2) ransomware attacks. In 2021 there was a 21% increase in cyberattacks in the Healthcare Industry. Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms and infect legitimate apps in order to distribute malware. The proliferation of third-party, patient-facing technologies makes healthcare organizations more vulnerable. When a single organization has multiple apps or technologies integrated into its systems, any of these technologies could be the weak link and act as a point of entry.

Jim explained that third-party attacks leverage trust between two or more organizations, making them difficult to defend against. Third-party attacks allow attackers to breach multiple targets at once, providing attackers with both scale and efficiency. A traditional cyberattack targets a person, organization, etc. which then gives the attacker access into that one organization’s data or systems. Phishing emails are the most common way used to gain access.

Third-party attacks work a bit differently in that an attacker will try to compromise a vendor. Once the vendor is successfully compromised the attacker then leverages the trust relationship between the vendor and ALL the vendor’s customers to (potentially) compromise all the customers’ systems and data. The initial attack takes the same amount of effort for the attacker, but the payoff is orders of magnitude higher.

Types of third-party attacks:

  • True third-party attacks: one of your vendors is attacked and the attacker then uses that to get to you. (Ex. Target in 2013 where Target’s HVAC vendor was compromised)
  • “Nth”-party attacks: one of your vendor’s vendors is attacked and then the attacker pivots to get to your vendor and then to you. (Ex. The law firm that your vendor uses is attacked, leading to an attack on your vendor, and then from the vendor to you. Law firms are a very popular target right now because of this leverage!)
  • Software supply chain attacks: some piece of commonly used software is attacked, usually by inserting malicious code into the patch cycle (Ex. SolarWinds attack in 2021). When the patch is pushed to all the vendor’s customers, all the customers get infected as soon as they apply the patch.
    • Note: this type of attack is rare and requires a high level of sophistication. DO NOT be hesitant about deploying patches. Unpatched environments create a much higher level of risk!

As a covered entity or business associate who engages a vendor, it is your responsibility to understand the completeness of the vendor’s security control environment. One tool we use to do this is leveraging established and accepted security frameworks that provide either guidance or tools to ensure security. There are many widely accepted security frameworks that describe the controls (“safeguards” under HIPAA) that are applicable to a given type of business or situation. These frameworks are designed to provide “commercially reasonable assurance” that the vendor is meeting the minimum legal requirements for security controls. It is important to understand the different frameworks and the types of assurance they offer.

Before diving into the different frameworks and some of the differences between them, let’s take a look at the three types of controls that are measured by the frameworks:

  • Administrative Controls – these are typically policy (what to do or not to do) and procedure documents (how things are to be done).
  • Technical Controls – firewalls, anti-virus software, and encryption are all examples of technical controls
  • Physical Controls – examples include having designated secure areas for people, data, and systems with locked doors and secure badge entry systems

One way to differentiate between the types of security frameworks is to look at those that are externally certified by an auditor vs. those that may not be. It is important for HIM leaders to be aware of these frameworks so that they can adequately evaluate a vendor and the vendor’s security prior to signing a contract for service from them.

Risk management frameworks that don’t necessarily provide external validation and certification include:

  • NIST – National Institute of Standards and Technology (nist.gov): This is required by law for all Federal agencies and many State agencies, and for companies wanting to do business with those agencies. Highly flexible because the same framework has to be applied to agencies as different as NASA and your local Parks & Rec department; because of this it can be highly complex to implement. Because it is issued by the Federal Government, it is considered the “gold standard” from a legal perspective.
  • CIS Critical Controls – Center for Internet Security (cisecurity.org): Widely used commercially for performing rapid assessments of the most critical controls. Very simple and flexible and is easily customized to any type and size of business. Focuses highly on the technical controls that have been proven to be the most effective in stopping real-world attacks.
  • HIPAA Security Rule: HIPAA is also a type of framework that provides both required and “addressable” safeguards (i.e., controls) that covered entities and business associates must follow. One of HIPAA’s safeguards is that it requires detailed Business Associate Agreements (BAAs) to be in place not only for all contracts between covered entities and their business associates, but also between a BA and its vendors. It’s important to note that just having a Business Associate Agreement that requires the vendor to be HIPAA compliant does not in itself necessarily constitute due diligence on the part of the covered entity; additional due diligence is often required. Another important but often overlooked HIPAA safeguard is that all covered entities and business associates are required to perform an annual HIPAA-centric security risk assessment, and these assessments (or the lack of them) are often used by OCR to determine the severity of penalties. Make sure that you and all of your vendors are doing these!

Risk management frameworks that do provide required external auditing, verification, and certification include:

  • SOC 2 – American Institute of Certified Public Accountants (aicpa.org)
    • There are other types of “SOC” audit reports, but “SOC 2” is the one that applies to a company’s security controls
    • Annual audit performed by an accredited CPA firm
    • Can be Type I (“point in time”) or Type II (“over a period of time”)
    • Failing any of the Trust Criteria can result in a “qualified” report, at auditor’s discretion
    • Not as prescriptive as some other frameworks because the company has the flexibility to write its own control statements
    • Should be done every year, but “Bridge Letters” may be issued by the company if they don’t do a SOC 2 within a given year. The Bridge Letter is the company’s official statement that there have been no significant changes in their control environment.
    • Typically, 75 to 150 controls that are audited
  • HITRUST r2 Validated Assessment – (hitrustalliance.net)
    • There are several HITRUST assessments that provide varying levels of assurance; the R2 validated assessment provides the highest
    • Full audit every other year, with “interim” assessments in the off years
    • Failing any of the 19 domains results in failing the certification
    • Very prescriptive, controls are provided based on scoping, and then scored based on the completeness of policy and procedure documentation plus evidence that the control has been implemented.
    • Typically, 300 audited controls, and can be over a thousand depending on the scoping
    • Leverages NIST and provides a report that shows how the company is doing against the relevant NIST standards.
  • ISO 27000 – International Organization for Standardization (iso.org)
    • An internationally recognized standard that provides an externally audited certification that is accepted around the world, not just in the US. In healthcare this is typically used by medical device manufacturers who sell in multiple countries, and by larger international law firms.

As HIM leaders are charged with protecting PHI, we should be looking for vendors who are leveraging security frameworks that provide some level of externally validated certification. We don’t have to be experts in all the details of cyber security, but we need to understand what these various certifications mean when evaluating a vendor. Understand not just your third-party but also your “Nth”-party risks, all the way down through your entire vendor supply chain. Require ALL vendors who provide software or who have any kind of direct access to your systems to have at the very least a SOC 2 Type II report that is renewed annually. HITRUST is a high bar for small vendors but is rapidly becoming the standard in healthcare, especially for larger technology vendors who deal with large volumes of PHI, such as Verisma. Any certification requirements should be written into your Business Associate Agreements. Ask the vendor to supply a SOC 2 or HITRUST r2 certification report. Read the reports and ask questions about findings and corrective action plans. It is possible for your vendor to be certified but still have gaps. Understanding any relevant gaps is key to understanding and managing your risk, so read the reports carefully! Do an annual inventory of your vendors, identify what they have access to, and assess whether the access they have is the minimum required for them to do their job.
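The annual vendor inventory described above can be run as a simple check rather than a spreadsheet exercise. The script below is an added example, not Verisma’s tooling or any framework’s official rule set: it encodes the cadences the webinar lays out (SOC 2 Type II renewed yearly, a bridge letter standing in for a missed year, HITRUST r2 with a full audit every other year and an interim in between, a qualified report treated as a finding) plus the minimum-access comparison, and runs them over a constructed inventory. Vendor names, dates, and access-scope labels are all made up for the example.

```python
"""Vendor assurance inventory check (constructed example, not a product tool)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

ONE_YEAR = timedelta(days=365)
TWO_YEARS = timedelta(days=730)


@dataclass
class Attestation:
    kind: str           # "SOC2_TYPE2", "BRIDGE_LETTER", "HITRUST_R2", "HITRUST_INTERIM"
    issued: date
    qualified: bool = False   # SOC 2 "qualified" opinion, i.e. a failed Trust Criterion


@dataclass
class Vendor:
    name: str
    provides_software: bool
    has_system_access: bool
    access_scope: frozenset    # what the vendor can actually reach
    required_scope: frozenset  # the minimum it needs to do its job
    attestations: list = field(default_factory=list)


def _latest(vendor, kind):
    """Most recent attestation of the given kind, or None."""
    matches = [a for a in vendor.attestations if a.kind == kind]
    return max(matches, key=lambda a: a.issued) if matches else None


def hitrust_current(vendor, today):
    """HITRUST r2: unqualified full audit within two years; if that audit is
    more than a year old, an interim assessment newer than it within the year."""
    full = _latest(vendor, "HITRUST_R2")
    if full is None or full.qualified or today - full.issued > TWO_YEARS:
        return False
    if today - full.issued <= ONE_YEAR:
        return True
    interim = _latest(vendor, "HITRUST_INTERIM")
    return (interim is not None and interim.issued > full.issued
            and today - interim.issued <= ONE_YEAR)


def soc2_status(vendor, today):
    """Return "current", "bridge", "qualified" or "missing" for SOC 2 Type II."""
    soc2 = _latest(vendor, "SOC2_TYPE2")
    if soc2 is None or today - soc2.issued > TWO_YEARS:
        return "missing"
    if soc2.qualified:
        return "qualified"
    if today - soc2.issued <= ONE_YEAR:
        return "current"
    # Report is 1-2 years old: acceptable only with a newer bridge letter from the last year.
    bridge = _latest(vendor, "BRIDGE_LETTER")
    if bridge and bridge.issued > soc2.issued and today - bridge.issued <= ONE_YEAR:
        return "bridge"
    return "missing"


def assess_vendor(vendor, today):
    """Findings for one vendor: certification cadence (only where the page
    requires one) and access beyond the documented minimum."""
    findings = []
    if (vendor.provides_software or vendor.has_system_access) and not hitrust_current(vendor, today):
        status = soc2_status(vendor, today)
        if status == "missing":
            findings.append("HIGH: no current SOC 2 Type II or HITRUST r2 report")
        elif status == "qualified":
            findings.append("HIGH: latest SOC 2 Type II is qualified; review findings and corrective action plans")
        elif status == "bridge":
            findings.append("MEDIUM: relying on a bridge letter; SOC 2 Type II is over a year old")
    excess = vendor.access_scope - vendor.required_scope
    if excess:
        findings.append("MEDIUM: access beyond minimum required: " + ", ".join(sorted(excess)))
    return findings


def run_inventory(vendors, today):
    """Map each vendor name to its list of findings (empty list = nothing to flag)."""
    return {v.name: assess_vendor(v, today) for v in vendors}


# Constructed inventory as of a constructed review date.
TODAY = date(2022, 9, 1)
VENDORS = [
    Vendor("ROI platform (constructed)", True, True,
           frozenset({"ehr_read", "fax_intake"}), frozenset({"ehr_read", "fax_intake"}),
           [Attestation("SOC2_TYPE2", date(2022, 3, 15)),
            Attestation("HITRUST_R2", date(2021, 6, 1)),
            Attestation("HITRUST_INTERIM", date(2022, 6, 1))]),
    Vendor("Patient portal app (constructed)", True, True,
           frozenset({"ehr_read", "ehr_write", "billing"}), frozenset({"ehr_read"}),
           [Attestation("SOC2_TYPE2", date(2021, 4, 1)),
            Attestation("BRIDGE_LETTER", date(2022, 3, 1))]),
    Vendor("HVAC contractor (constructed)", False, True,
           frozenset({"building_network"}), frozenset({"building_network"}), []),
    Vendor("Billing clearinghouse (constructed)", True, False,
           frozenset({"billing"}), frozenset({"billing"}),
           [Attestation("SOC2_TYPE2", date(2022, 1, 10), qualified=True)]),
]

if __name__ == "__main__":
    for name, findings in run_inventory(VENDORS, TODAY).items():
        print(name, "->", findings or ["no findings"])
```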

In conclusion, protecting PHI from cyberattacks is not just the job of the IT Department, but it is also the responsibility of Healthcare Leaders to ensure the many vendors we deal with and who have access to our PHI are certified to protect our most valuable information.