Due Diligence and Ongoing Monitoring

  • 1.  HIPAA Reviews

    This message was posted by a user wishing to remain anonymous
    Posted 05-12-2020 11:00 AM

    Hello all,

    How is everyone handling HIPAA reviews with third parties who will not share their HIPAA documentation via your TPM Portal? With the current state of things, onsite reviews aren't happening. Also, using WebEx isn't practical due to the time involved in reviewing. We typically want to review the following:
    • HIPAA Policies
    • HIPAA Procedures (includes procedures on both HIPAA Privacy and Security Rules)
    • HIPAA Training
    • Most recent HIPAA Risk Assessment (conducted in accordance with standards published by the Department of Health and Human Services) and results

    I know VDR applications like Box, DropBox, Accellion and others would work, but best if Third Party owns and manages access, etc.

    Thank you.


  • 2.  RE: HIPAA Reviews

    This message was posted by a user wishing to remain anonymous
    Posted 06-17-2020 01:11 PM

    Hi,

    With the exception of HIPAA risk assessments, where I could see there being some sensitive and confidential information, I'm surprised you're encountering issues. Would receiving the policies, procedures and/or training materials via encrypted email be an option? Do you know the particular reasoning behind not using the platform?

    While I know it can be a pain, I usually just try to work with the third party to see what they're comfortable with. Of course, if they're concerned about the platform's security or if it's too cumbersome a process for them to upload, see how you can work around it based on what their specific problem is. As for the risk assessments, which are pretty confidential, I think the WebEx route would be acceptable. Sometimes companies just don't want to share things, though, and in a "worst case" scenario (meaning if you're not backed by the contract), I always ask for an attestation.