Considerations for healthcare vendor management plans

In 2024, Change Healthcare was responsible for the largest data breach in U.S. history. In fact, more than half of 2024’s affected individuals were victims of this business associate breach. If nothing else, the Change Healthcare attack shows the importance of handling and assessing all vendors.

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards that safeguard the privacy and security of individuals’ protected health information (PHI). The legislation applies to healthcare organizations and their business associates, also called vendors, that sometimes handle PHI on behalf of providers. HIPAA compliance is a legal requirement that protects patients’ privacy and ultimately lets organizations focus on patient care.

One aspect of HIPAA compliance is finding and working with vendors that value and follow the legislation. To do this, each healthcare organization should create and follow a vendor management plan.

More info: What can we learn from the Change Healthcare data breach?

 

What is a healthcare business associate?

HIPAA defines a business associate as an individual or entity that performs specific functions and/or provides services on behalf of a covered entity. Healthcare organizations collaborate with many types of third-party companies to support their health operations, and these companies engage directly with healthcare organizations to keep business operations running smoothly. The work of business associates ranges from billing and IT support to medical equipment and software, and includes the following types of roles:

  1. Third-party administrators (e.g., claims processors)
  2. Email providers (such as Paubox Email Suite)
  3. IT service providers
  4. Cloud storage providers
  5. Telehealth platforms
  6. Electronic health record (EHR) providers
  7. Insurance companies
  8. Appointment scheduling software companies
  9. Marketing and website providers
  10. Billing companies
  11. Medical transcriptionists
  12. Data analytics companies
  13. Lawyers, consultants, and accountants

Given these frontline duties, these companies may have to create, receive, transmit, or maintain PHI. If this is the case, they are then legally obligated to safeguard it under HIPAA. Sharing sensitive patient data with anyone can pose significant risks if proper security measures aren’t in place on both sides. Ultimately, healthcare organizations must seek out companies that are HIPAA compliant so that they will properly handle PHI.

 

When does a vendor need to be HIPAA compliant?

Before choosing a healthcare vendor, the following questions should be asked of them to see if they are business associates that can work with PHI.

Do they provide services or perform functions for healthcare providers, health plans, or healthcare clearinghouses?

Are their services or functions integral to a covered entity’s operations?

Do they have a contractual agreement or arrangement with a covered entity to provide these services?

If the answer to these questions is yes, the vendor qualifies as a business associate and should adhere to HIPAA’s regulations. Thus, the vendor has a responsibility to follow the HIPAA Privacy, Security, and Breach Notification Rules. HIPAA compliant vendors must implement a layered approach to security with physical, administrative, and technical safeguards. These measures should include security incident response, disaster recovery, and backup plans.

HIPAA compliant vendors also commit to their security obligations by signing a business associate agreement (BAA). The BAA outlines the permissible uses and disclosures of PHI and ensures that vendors are held accountable for safeguarding patient data. In general, healthcare organizations should recognize that any business they work with, even one that doesn’t handle PHI, should be HIPAA compliant.

 

A healthcare vendor management plan

Healthcare vendor management is the process of working with and handling healthcare vendors. That means selecting, evaluating, and organizing vendors to guarantee their HIPAA compliance. A comprehensive healthcare vendor management plan, therefore, provides the backbone to oversee business associate relationships.

A strong plan allows an organization to proactively manage third-party risks by establishing legal agreements, assessing regulatory compliance, and safeguarding PHI. Moreover, it spells out how to monitor vendors and when and how to conclude a relationship. Such a plan should use HIPAA’s guidelines to create a strong framework to properly supervise vendors along with the patient information shared with them, including when and how to share.

A proper vendor management plan starts with vendor selection and is followed by expectations, monitoring, and relationship management. It should include information on patient rights and consent and the use and disclosure of PHI, as well as proper administrative, physical, and technical safeguards. It should present clear collaborative terms that keep both an organization and its patients’ information secure.

A proactive vendor management plan is instrumental in preventing vendor compromise.

 

The risk of no vendor management plan

Without a vendor management plan, an organization opens itself up to poor supervision of its business associates and, ultimately, to vendor compromise. A vendor compromise occurs when cyberattackers access PHI through a third-party organization, as occurred in the Change Healthcare breach. That attack even delayed insurance claim processing, causing financial strain to affected providers.

Threat actors target healthcare organizations through vendors because a single vendor often holds valuable data from multiple organizations. Once an attacker gains access to a third party's systems, they can more easily reach a provider’s infrastructure. Had the organization used a plan to manage that vendor, such an attack could have been avoided.

In fact, other risks could be avoided, including possible legal and financial penalties and reputation damage. Conducting due diligence when selecting and keeping vendors and regularly reviewing their security practices helps organizations mitigate potential problems.

 

Questions to ask when creating a vendor management plan

As with every other aspect of healthcare, vendors need to be properly vetted and researched. Organizations should ask themselves the following questions, among others, to create a comprehensive vendor management plan that lets them manage vendors effectively.

What are your vendor needs and what services do you require?

What vendors do you currently use and for what?

How do you plan to screen, monitor, evaluate, and audit your vendors?

How do you plan to communicate clearly with your vendors about your needs?

What PHI do you plan to share with different vendors and how?

What type of security do you insist your vendors use?

What do you plan to do about vendor noncompliance and vendor breaches?

How often do you plan to update your management plan?

What are your terms of contract termination?

 

What does a HIPAA compliant vendor look like?

By properly overseeing vendors with a solid management plan, organizations can effectively work with vendors that:

  • Will sign a BAA and mention HIPAA compliance
  • Understand and can answer questions about HIPAA
  • Have HIPAA-related policies and procedures available
  • Provide reviews, testimonials, and case studies from other healthcare organizations
  • Utilize security measures that comply with the Security Rule’s technical, physical, and administrative safeguards
  • Deliver staff training on HIPAA and PHI security
  • Show that they continuously update their security based on new laws and new issues

In the event of noncompliance, covered entities need to address the issue directly with the vendor using their already-defined process. It may be necessary to terminate the business relationship. Through constant monitoring with a strong management plan, healthcare organizations can ensure that vendors meet an organization’s standards and protect patient information.

Related: HIPAA compliant email: The definitive guide

 

FAQs

How must a business associate secure PHI?

Business associates must implement a multifaceted approach with physical, administrative, and technical safeguards to secure PHI:

  • Physical safeguards involve controlling physical access to data storage
  • Administrative safeguards include robust policies and procedures
  • Technical safeguards employ encryption, access controls, and secure technologies to prevent unauthorized access or disclosure

 

What access should vendors have to patient data?

Vendors should only have access to patient data that is necessary for their specific service provision, following the principle of least privilege.

 

What happens if there is a PHI breach involving a business associate?

Business associates must act swiftly in the event of a PHI breach. They must report the breach to the covered entity, and, depending on the severity and scale of the breach, notifications to affected individuals and to the U.S. Department of Health and Human Services’ Office for Civil Rights are also required.

 

What rights do patients have regarding business associates handling their PHI?

Patients retain significant rights concerning their PHI. These rights include accessing their information, requesting amendments, and filing complaints if they believe their privacy rights have been violated by business associates. Business associates must respect and safeguard these rights.

 

What happens if a business associate breaches the BAA?

The BAA defines breach notification processes and potential consequences, including termination, corrective action plans, and financial penalties.

 

Are business associates directly liable for HIPAA violations, or does liability solely rest with covered entities?

Business associates can be held directly responsible for violating HIPAA rules. Changes in HIPAA regulations mean that business associates have individual accountability for compliance and face penalties independently of covered entities. This is why business associates must implement robust privacy and security measures, recognizing their direct obligation to adhere to HIPAA standards and the potential consequences of noncompliance.
