How vigilant are your vendors?

Vendor and Third-Party Compliance Management

Healthcare organizations face constant regulatory pressure at the federal and state levels. The Health Insurance Portability and Accountability Act’s (HIPAA) rules relating to safeguarding protected health information (PHI) have a significant bearing on the ways organizations collect, store, and transmit their patients’ medical data. Failure to comply with these regulations can have a considerable impact on HIPAA-covered entities.

Maintaining HIPAA-compliant standards within an organization is challenging. But ensuring the confidentiality, integrity, and availability of your PHI when it leaves the security of your organizational system is a whole new level of challenge. When third-party vendors — data storage services, IT service providers, document disposal services — collect, store or transmit healthcare data, organizations assume the burden of ensuring these third parties are HIPAA compliant as well.

HIPAA says any third party that comes into contact with PHI through the work it undertakes on behalf of the covered entity is a Business Associate (BA). Before granting a vendor access to PHI or ePHI, both parties must enter into a Business Associate Agreement (BAA).

Failure to comply with this process can pave the way for significant financial and reputational damage, and covered entities should take precautions to guard against potential breaches caused by third-party vendors. Data breaches involving the release of PHI by Business Associates are commonplace, as indicated on OCR’s infamous Wall of Shame. In fact, releasing PHI to a trusted third party without a BAA in place is considered a data breach.

Demonstrated commitment to HIPAA compliance

If a BAA does not exist between your organization and the vendor, you may not disclose PHI to that vendor. When a vendor provides services that result in the handling of PHI, seek assurance that they understand their responsibilities as a BA. Formally request evidence of their HIPAA compliance and administrative capabilities. Review their HIPAA policies and procedures, a recent risk analysis, and evidence of employee training. If the BA cannot produce the evidence you request, consider an audit of their security and compliance postures.

Understand how your BAs protect and store PHI

Learn what steps your BAs take when they collect, store, process, and transfer PHI. Determine whether the BA has a designated HIPAA privacy or security officer, and interview them to learn how the organization handles security incidents and breach notifications. If that organization outsources the handling or processing of your PHI to a third party, ensure they have a signed BAA with that third party to maintain the chain of responsibility for the data.

The fine print

A reliable, fully-compliant vendor will not hesitate to sign a BAA. Be sure all the terms required by HIPAA are present in the BAA, and take notice of any additional terms and conditions that are permitted but not required by HIPAA. Note that some entities come into contact with PHI but cannot access it directly (e.g., internet providers, the U.S. Postal Service and other couriers). Since these entities are simply conduits of information, no BAA is required. Practically every other type of company that handles PHI will be required to sign a BAA.
Protect your patients’ healthcare information and your organization’s finances and reputation by ensuring your organization only works with vendors who demonstrate a strong security posture and are committed to regulatory compliance.