Due Diligence and Ongoing Monitoring

  • 1.  Due diligence on a Pharmacy Benefit Manager (PBM)

    Posted 12-15-2020 11:25 AM
    Good Morning.  I have discovered we use a PBM in Puerto Rico but I am unable to find out what due diligence has been done or is done on an annual basis. They handle PHI and PII as part of a Pharmacy Benefits Manager (PBM) relationship in a U.S. territory which places them under U.S. HIPAA law. My question is if anyone is willing to share what process is followed in regards to this type of third party?  Obviously Information Security must be a part of it due to the data, but what other specific details should be reviewed for a PBM?

    Thank you,
    Jeff


  • 2.  RE: Due diligence on a Pharmacy Benefit Manager (PBM)

    Posted 12-17-2020 10:10 AM

    Hi Jeff,

    Sounds like you have your hands full with this PBM.  Accepting the fact that there is no "visible" due diligence at this point in time, I would suggest treating them as a new vendor to start, then working your way into full HIPAA compliance.

    Service Provider Required Documentation

    The following is a list of items that you will need to obtain to perform the required regulatory due diligence on any proposed or existing third-party service provider relationship:

    1. Executed Vendor Non-disclosure Agreement 
    2. Secretary of State Check -  Articles of Incorporation or Business License
    3. Tax ID #
    4. Audited Financials / Annual financial statements / Most recent financial statements
    5. SOC 1, SOC 2 or SOC 3 audits and any other Information Technology related audit (if available)
    6. A list of any significant complaints or litigation against the company
    7. Business resumption and contingency plans in detail. A summary will be accepted at first.
    8. Liability insurance coverage / Statement of Insurance
    9. Listing of ALL subcontractors or other parties that have access to data or information provided by <your organization>.
    10. A listing of any subcontractor or third party utilized by the company that resides outside of the United States of America.
    11. Copies of contracts or Confidentiality Agreements/Non-disclosure Agreements of all subcontractors utilized who will be viewing or working with ANY Bank data.
    12. OFAC Check
    13. Negative News Search
    14. D&B Report

    Any proposed or existing vendor must agree to annually provide all the above-mentioned information.

    As you develop your vendor profile for this vendor, keep in mind they will have to have some sort of framework they comply with. I like the HITRUST for health care.  HITRUST will give you an idea of how they handle PHI.

    I know this can be a challenge, so feel free to reach out any time.

    I would like to know if anyone else has something to add. I always want to learn something new and community interaction is certainly a great way to do that!