I forgot to mention that some of these vendors already have industry-accepted certifications. For example, most insurance providers (Anthem, The Blues, etc.) will have a HITRUST certification or other types that are comprehensive in the testing of their compliance/security controls, policies, procedures, and their implementation. I would request those and leverage those as the "due diligence."
Any benefit plan that is considered a HIPAA covered entity; 1) health plan, healthcare clearinghouse, or 3) healthcare provider is governed under the strict HIPAA standards. I would recommend that you use your Business Associate Agreement with the provider as evidence of your due diligence and point to the HIPAA regulations.
Other benefit plans such as a 401K saving plan are governed under Gramm-Leach-Bliley Act which has its own audit and compliance standards that the service provider must meet. I suggest checking your Service Agreements or asking these providers to provide certification that they are covered under GLBA.
Others such as agencies used to conduct applicant background screening are governed under the Fair Credit Reporting Act and along similar lines, I would ask those to certify that they are in compliance with FCRA.
Would you consider AFLAC as a benefit provider and should be risk rated either Critical or GLBA due to the vendor having access to NPPI? This is one of our Inherent Risk rating questions and I'm struggling with how the question was answered by the vendor owner. They are currently rated as a Low-Risk Vendor with the last answer being selected:
Does the vendor have access to confidential consumer data (NPPI)?<o:p></o:p>
We have been audited on this recently. Our auditors determined that there was not sufficient due diligence conducted and for insurance providers, there should be a Privacy Addendum that accompanies the contract. I imagine when the 401 vendor and other such vendors come up for renewal, we will do the same.