
The Monday Morning Crisis
You arrive at 7:45 AM. Your EHR won’t load. The vendor sent an overnight email: “Experiencing technical difficulties.” Your first patient arrives in fifteen minutes. Your crisis line has been routing calls since midnight. Your billing queue holds $340,000 in pending claims.
This isn’t a hypothetical anymore.
In February 2024, the Change Healthcare cyberattack exposed what every behavioral health executive already suspected: the systems you depend on are controlled by vendors you cannot directly govern (House Energy & Commerce, 2024). When those systems fail, your organization faces the consequences—regulatory exposure, revenue disruption, and compromised patient care—regardless of where the breach originated.
The Problem: Control Is an Illusion
Behavioral health organizations operate within complex vendor ecosystems. EHR platforms document therapeutic progress. Clearinghouses process insurance claims. Cloud services store protected health information. Communication platforms coordinate care teams. Each dependency creates a potential point of failure.
The Change Healthcare incident disrupted healthcare operations nationwide, endangering patient access to medically necessary care and threatening provider solvency (AHA, 2024). Virtually every hospital in the country felt the impact, directly or indirectly. According to testimony before Congress, the attackers used compromised credentials to log into a Citrix remote-access portal that did not have multi-factor authentication enabled (House Energy & Commerce, 2024). One missing control on one externally reachable system opened the door to a platform that processes roughly 15 billion transactions a year.
The core challenge: How do you govern external risk without breaking therapeutic continuity or staff resilience? Vendor dependence is not a technology problem—it’s a governance problem disguised as an IT issue.
The Data: Quantifying the Vulnerability
The numbers reveal the scope of third-party risk in healthcare:
- Recovery Burden: 60% of hospitals reported needing two weeks to three months to resume normal operations after the Change Healthcare attack (AHA, 2024). Two weeks without claims processing. Two weeks of manual documentation. Two weeks of operational paralysis.
- Regulatory Foundation: The HIPAA Security Rule mandates continuous risk assessment and emergency-mode operation planning (HHS, 2024). Organizations must perform accurate and thorough assessments of potential risks to electronic protected health information. The emphasis belongs on “continuously,” not “occasionally.” Your compliance program is only as strong as your weakest vendor’s security posture.
- Proposed Strengthening: HHS proposed updates to the HIPAA Security Rule in 2025 requiring specific cybersecurity measures, including multi-factor authentication mandates, to increase resilience against modern attacks (Federal Register/HHS, 2025).
- Industry Standards: NIST cybersecurity supply chain risk management guidance emphasizes ongoing third-party risk assessment and tabletop testing as key resilience tools (NIST, 2024-2025). Organizations must identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels.
Executive Insights: Building Governance Without Bureaucracy
Vendor Control as Strategic Function
Third-party risk management transforms vendor relationships from trust exercises into measured partnerships. Begin with complete vendor inventory—not just obvious technology partners, but every entity touching protected health information or enabling critical business functions. Claims clearinghouses, billing services, EHR vendors, cloud storage providers, email platforms.
Tier vendors by risk exposure. Your EHR vendor and your office supply company do not carry equivalent risk profiles. NIST guidance recommends identifying specific risks in third-party relationships and determining acceptable risk levels (NIST, 2024-2025). Tiering allows proportional allocation of assessment resources.
Apply higher scrutiny to vendors handling PHI or enabling core functions. Quarterly reviews for high-risk vendors. Annual assessments for lower-risk relationships.
Contractual Controls That Scale
Business Associate Agreements under HIPAA provide legal foundation for vendor accountability. A written contract between covered entities and business associates must establish permitted uses of protected health information, require appropriate safeguards, and mandate reporting of unauthorized uses (HHS, 2017).
Most organizations have Business Associate Agreements; few have good ones that create real accountability. Strong BAAs include cybersecurity requirements that scale with vendor risk levels. Specify cyber insurance minimums. Define breach notification timelines. Establish audit rights. Create clear termination conditions when vendors fail security standards.
The contract provides leverage only if you use it. Organizations must implement procedures to regularly review records and periodically evaluate effectiveness of security measures (HHS, 2024). Business Associate Agreements should include cybersecurity and insurance requirements that scale with risk levels (AHA, 2024).
Tabletop Testing: Where Theory Meets Crisis
Governance structures collapse under pressure if never tested. Tabletop exercises simulate specific vendor failures relevant to your operations. What happens when your EHR goes offline for 24 hours? How do you maintain operations if your clearinghouse is taken down by ransomware?
Organizations need resilience built into infrastructure systems to protect patients during outages (HealthTech Magazine, 2025). That includes keeping enough downtime supplies on premises, such as printed forms and paper charts, to sustain manual operations through an extended disruption.
Health systems need technology, business, and clinical continuity plans—then run simulations and update documents based on learnings (HealthTech Magazine, 2025). Start by simulating outages within single departments to test effectiveness. Tabletop exercises reveal gaps that paperwork never will—they expose dependencies you didn’t know existed.
Testing frequency should match risk tolerance. High-risk vendor scenarios deserve quarterly exercises. Annual testing provides baseline preparedness for lower-risk scenarios.
Clinician Insights: Operational Continuity as Patient-Centered Care
The Critical First Hour
The transition from digital to paper operations must happen within minutes, not hours. HIPAA’s Security Rule requires procedures for responding to emergencies that damage information systems, including plans for continuing critical business processes while operating in emergency mode (HHS, 2024).
Pre-printed downtime forms bridge the gap. These forms should capture essential information your EHR intake collects: client identification, presenting concerns, current medications, active treatment plans, crisis risk assessment. Forms need accessible locations at every workstation.
The most significant step to prevent or reduce downtime impact is implementing robust, cyber-specific recovery programs (HealthTech Magazine, 2025). Organizations often delay downtime procedures hoping systems restore quickly. This mistake costs productivity you never recover. The first hour of vendor outage determines whether the day is saved or lost—delay is disaster.
Staff need clear triggers for activating protocols. Who declares the system down? How is that status communicated? What specific actions does each role take? The emergency mode plan must ensure critical processes continue while maintaining PHI security during technical failures (HIPAA Journal, 2024).
Paper-to-EHR Reconciliation: Closing the Documentation Loop
Manual operations create documentation debt that can overwhelm staff if not managed systematically. Every intake form, progress note, medication record captured on paper flows back into the EHR once systems restore.
Assign dedicated reconciliation teams during recovery periods. Attempting to have frontline staff both resume normal operations and backfill documentation creates impossible competing priorities. Organizations with dedicated teams complete reconciliation in days rather than weeks.
Prioritize based on clinical urgency and regulatory requirements. Medication administration records, crisis assessments, treatment plan modifications require immediate entry. General progress notes follow less urgent timelines.
Quality checks during reconciliation catch errors before they become permanent problems. Second-staff spot-checks identify transcription errors, missing data, documentation conflicts.
Maintaining HIPAA Compliance During Downtime
Access controls matter even during paper operations. Paper records left on desks or in temporary storage create privacy risks. The Security Rule’s safeguards apply to electronic PHI (HHS, 2024), but the Privacy Rule separately requires appropriate administrative, technical, and physical safeguards for PHI in any form, paper downtime records included (45 CFR 164.530(c)).
Downtime procedures should specify secure storage for paper records generated during outages. Locked cabinets in supervised areas provide basic protection. Records should move from collection points to secure storage at defined intervals, not accumulate in unsecured locations.
Role-based access controls still apply. Physical record handling requires sign-out logs tracking who accessed which client records, when, and for what purpose.
The contingency plan requires backing up electronic PHI, restoring lost data, and continuing critical processes while protecting security during emergency operations (HHS, 2024). For behavioral health, this means maintaining patient-centered care regardless of vendor system status. Timely care in behavioral health isn’t optional—interruptions in services can put lives at risk.
Emerging Behavioral Health Trends 2025
Generative AI Adoption Accelerates
85% of healthcare leaders are exploring or have adopted generative AI capabilities, with 64% expecting positive return on investment (McKinsey, 2025). AI tools increasingly support clinical documentation, care coordination, and administrative efficiency in behavioral health settings.
However, AI adoption introduces new vendor dependencies and data privacy considerations. Organizations must evaluate AI vendors with the same rigor as traditional technology partners. The ethical implications of AI in behavioral health demand attention to algorithmic bias, patient consent for AI-assisted documentation, and data security in AI processing environments.
Regulatory Clarification Strengthens Requirements
HHS has proposed HIPAA Security Rule updates that would mandate specific cybersecurity measures, including multi-factor authentication (Federal Register/HHS, 2025). The proposal cites recent large-scale breaches, the Change Healthcare attack among them, as part of its rationale.
The proposed rule would move the Security Rule from flexible, principles-based standards toward specific technical requirements, in part by removing the distinction between “required” and “addressable” implementation specifications so that nearly all of them become mandatory. Organizations should prepare for enhanced compliance obligations affecting vendor relationships, access controls, and security documentation. The regulatory floor is rising: if the rule is finalized as proposed, what counted as best practice in 2024 becomes a minimum requirement.
The Path Forward: Resilience as Continuous Preparedness
You cannot eliminate third-party risk. You can govern it.
Systematic vendor inventory. Risk-based tiering. Strong contractual controls. Technical access limitations. Regular tabletop testing. Updated downtime procedures. Staff training on manual operations. Quarterly downtime drills. Secure paper record protocols. Clear reconciliation processes.
The alternative is hoping the next Change Healthcare incident affects someone else’s vendor instead of yours. Hope makes terrible risk management strategy.
Disruption to care delivery occurs not only when organizations are attacked directly, but also when mission-critical third-party providers are compromised (AHA, 2024). Because a single vendor serves many organizations at once, a compromise there can disrupt far more care across the field than an attack on any one provider.
Resilience is not built through fear of outage—it’s built through continuous preparedness. Organizations that treat continuity planning as strategic investment rather than compliance checkbox protect both revenue flow and therapeutic continuity. They align operational resilience with risk intelligence, bridging leadership strategy and clinical reality.
The March 2024 AHA survey found 74% of hospitals reported direct patient care impact, including delays in medically necessary care (AHA, 2024). Your patients cannot wait for vendor systems to restore. Your staff cannot operate effectively without clear protocols. Your organization cannot afford the regulatory and financial exposure. The organizations that survive vendor failures are the ones who prepared before the crisis, not during it.
Are You Ready for the Next Outage?
Are your vendor relationships governed by documentation or by chance? Xpio Health helps behavioral health organizations build practical third-party risk management programs that protect operations without creating bureaucratic overhead. We translate compliance mandates into workflows that safeguard both data integrity and patient safety.
Will your operations survive when your vendors fail? Contact us to assess your current vendor risk exposure, develop TPRM frameworks matching your actual risk profile, evaluate downtime procedures, create practical manual operation protocols, and train staff on operational resilience that works when technology doesn’t. Because therapeutic continuity shouldn’t depend on vendor uptime.
#BehavioralHealth #PeopleFirst #XpioHealth #Cybersecurity #RiskManagement #HIPAA #VendorManagement #OperationalResilience #PatientSafety #ThirdPartyRisk
References
- American Hospital Association. Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field. AHA. 2024. https://www.aha.org/system/files/media/file/2025/02/Change-Healthcare-Cyberattack-Underscores-Urgent-Need-to-Strengthen-Cyber-Preparedness.pdf
- U.S. House Committee on Energy and Commerce. What We Learned: Change Healthcare Cyber Attack. Energy and Commerce. 2024. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack
- U.S. Department of Health and Human Services. Summary of the HIPAA Security Rule. HHS.gov. 2024. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- U.S. Department of Health and Human Services. Business Associate Contracts: Sample Business Associate Agreement Provisions. HHS.gov. 2017. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- National Institute of Standards and Technology. Cybersecurity Supply Chain Risk Management. NIST. 2024-2025. https://csrc.nist.gov/projects/cyber-supply-chain-risk-management
- McKinsey & Company. Generative AI in Healthcare: Current Trends and Future Outlook. McKinsey. 2025. https://www.mckinsey.com/industries/healthcare/our-insights/generative-ai-in-healthcare-current-trends-and-future-outlook
- Federal Register/U.S. Department of Health and Human Services. HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register. 2025. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
- HealthTech Magazine. Key Elements of Business Continuity and Disaster Recovery for Healthcare. HealthTech Magazine. 2025. https://healthtechmagazine.net/article/2025/09/key-elements-business-continuity-and-disaster-recovery-healthcare
- The HIPAA Journal. HIPAA Rules on Contingency Planning. HIPAA Journal. 2024. https://www.hipaajournal.com/hipaa-rules-on-contingency-planning/