If you were to list the top 10 priorities for health care organizations around the world in 2020, the COVID-19 pandemic would occupy each slot, and the next 10 as well. HITRUST Assistant General Counsel and Chief Privacy Officer Anne Kimbol, CIPP/E, CIPP/US, CIPM, FIP, cites what she believes are the two biggest challenges facing the industry during this trying time.

First, there is the obvious task of treating COVID-19 patients and keeping staff safe. The second big issue is keeping staff on payroll. With a limit on elective procedures during the pandemic, health care organizations have had no choice but to lay off and furlough employees.

As the health care industry balances these two concerns, Kimbol said there is little time to focus on anything else, and that includes the privacy program. It is why the privacy and security certification organization announced it has made its HITRUST Assessment XChange third-party risk management solution free to health care organizations for the next two years.

The solution gives providers a portal where they can upload a list of all of their vendors that have privacy and cybersecurity requirements in their contracts. The list is sent to HITRUST via the portal, allowing it to communicate with those vendors to ensure they are meeting their requirements on the provider's behalf.

Should a vendor's requirements include obtaining a certification, they can receive a HITRUST certification through the solution. The health care organization is continuously informed about the vendors' status, and Kimbol said HITRUST added shorter risk questionnaires to help speed up a certification process that could take months to complete.

Kimbol believes the third-party risk management tool could be particularly useful during the COVID-19 pandemic as health care organizations interact with vendors they previously never encountered.

"Health care providers were not doing video conferencing near the level they are doing it now, both internally with staff and externally with patients," said Kimbol. "The exchange can help make sure that the companies that you are using to provide video services are doing what they say they are going to do. It also makes sure that what they say they are going to do is good enough for your risk management tolerance. These are vendors that hospitals and doctor’s offices haven’t really focused on largely because telehealth hasn’t been anywhere near this big."

Due to HITRUST's health care roots, Kimbol said the organization has observed that third-party risk management has been a challenge for the industry even under the best of circumstances, as few providers have the resources to properly audit and keep track of all of their vendors.

The COVID-19 pandemic throws a wrench into an already troubled area for health care.

Kimbol said HITRUST decided to offer the risk management solution for two years not only to match the time frame for a potential vaccine or for the pandemic to be somewhat under control, but also to help the industry get back on its feet as it recovers from this unprecedented disruption. 

She adds that the U.S. Department of Health and Human Services Office for Civil Rights has erred toward enforcement leniency, particularly with telehealth. However, that is not going to last forever.

"Health care organizations are going to need more than six months to a year to be able to get back on their feet in such a way that they can focus on things like vendor risk management again," said Kimbol. "The idea behind giving it away for two years is acknowledging that health care entities are going through a hard time, and if there’s even a little thing we can do to help them keep track of their vendor risk management and take that particular headache off their shoulders, let's do it for them."

Kimbol believes internal resources should not be an issue for HITRUST if demand is high, but she acknowledged there will be a challenge determining whether the entities that seek the tool actually qualify as health care organizations.

"I expect that there’s going to be some entities that are on the line of whether they are health care or not. Obviously hospitals, doctor's offices and HIPAA Covered Entities are really straightforward, but we expect there are going to be some people in that line, and that’s something that will be a logistics issue as we move forward," said Kimbol. "We’ve got a team of people who will be reviewing applications for the free service and making sure that it matches what we are trying to do."

HITRUST started in health care before it eventually branched off to other industries. Kimbol said HITRUST wanted to help an industry that helped get it off the ground. Kimbol knows there's little a certification vendor can do to combat a pandemic, but it's a piece she believes HITRUST can handle.

"This doesn’t necessarily help them address COVID-19 and its impact. This is our way of saying thank you and our way of saying ‘this we can actually help with.’ We can’t make a vaccine. We can’t send you masks. There are a lot of the very immediate needs that hospitals have that we can’t help with," said Kimbol. "This is something we can do. We can take this on as a thank you to emergency responders and the health care industry for everything they do and for the loyalty they’ve shown to us. Let us take this from you for the next two years and recognize the reality of where you are living right now."

Image courtesy of HITRUST