Third-party risk management (TPRM) as the next HIPAA compliance frontier

Healthcare providers often rely on third-party vendors for a myriad of services, from billing and IT support to medical equipment and software. However, sharing sensitive patient data with vendors via email and other channels can pose significant risks if proper security measures aren't in place. What started as an email security challenge has evolved into a comprehensive third-party risk management imperative that extends far beyond communication protocols.

As Lee Kim, senior principal of cybersecurity and privacy at HIMSS, emphasizes, "Regarding breaches due to third parties, the fundamental thing that needs to be done is setting up a robust third-party risk management program. There are no shortcuts."

Academic research published in World Journal of Advanced Research and Reviews confirms that "third-party vendors can be potential points of vulnerability, exposing organizations to data breaches, cyber-attacks, and compliance failures."

Learn more: Best practices for healthcare organizations when partnering with vendors

The expanding risks of third-party vendor relationships

While email communications represent a vulnerability vector, the risks of sharing PHI with third-party vendors extend across the entire relationship lifecycle. Unsecured communications can lead to data breaches, HIPAA violations, and reputational damage, but these represent just the tip of the iceberg.

Modern healthcare organizations engage vendors for Electronic Health Record (EHR) systems, cloud hosting, telehealth platforms, medical device management, billing services, and specialized clinical support. Each relationship introduces potential vulnerabilities that cybercriminals can exploit to access sensitive patient data.

The research above identifies several categories of third-party risks: "data breaches, supply chain attacks, and compliance failures, each with its own set of implications for organizational security and operational integrity." These risks compound when vendors have access to multiple organizational systems or when vendor security measures don't align with healthcare organization standards.

Learning from recent breaches

Recent incidents demonstrate the consequences of inadequate third-party risk management. In May 2025, Harbin Clinic was forced to notify over 210,000 individuals that their PHI was compromised due to a breach at debt collection vendor Nationwide Recovery Services (NRS). The vendor discovered the breach in July 2024 but didn't inform Harbin Clinic until February 2025, over seven months later.

Similarly, Radiology Chartered faced a breach affecting over 12,600 individuals from the same vendor incident. Most concerning, Radiology Chartered stated they were "unaware that data previously provided to NRS was still in NRS's possession," showing gaps in data governance and vendor oversight.

These cases exemplify what the academic research above identifies as systemic vulnerabilities. The authors note, "The impact of these risks on organizations can be significant. Beyond immediate financial and reputational costs, organizations may also face operational disruptions, loss of customer trust, and legal liabilities."

The importance of business associate agreements (BAAs)

A BAA remains a legal requirement under HIPAA when sharing PHI with third-party vendors, but modern healthcare organizations need agreements that extend beyond basic compliance. These contracts must establish comprehensive security frameworks that address the full spectrum of third-party risks.

Without a BAA, your organization could be held liable for HIPAA violations. However, ensuring the vendor signs a BAA is just the beginning. The World Journal of Advanced Research and Reviews study emphasizes that "clear contractual agreements are essential for mitigating third-party vendor risks. Contracts should clearly outline the security requirements that vendors must adhere to, including data protection measures, incident response procedures, and breach notification requirements."

Enhanced BAA requirements for comprehensive risk management

Modern BAAs must address:

• Communication security protocols: Specify that all email communications containing PHI must be encrypted using HIPAA compliant solutions, define acceptable methods for PHI transmission beyond email, establish protocols for secure file sharing, and require vendors to verify recipient identity before sending PHI.
• Incident response and notification: Mandate immediate breach notification (within 24-48 hours of discovery), define specific communication channels and responsible parties, establish coordinated incident response procedures, and require regular security incident reporting.
• Data governance and lifecycle management: Clearly define what data vendors can retain and for how long, establish procedures for data return or destruction upon contract termination, require regular data inventory audits, and mandate secure data disposal according to NIST guidelines.
• Ongoing security requirements: Require regular security assessments and certifications, mandate compliance with specific security frameworks (HITRUST, SOC 2), establish audit rights and periodic security reviews, and define consequences for non-compliance.

Comprehensive vendor security verification

While email encryption remains critical when sharing PHI with vendors, comprehensive security verification must encompass the vendor's entire security posture. Use a HIPAA compliant email solution like Paubox to automatically encrypt all outgoing emails, but also ensure vendors can receive and decrypt encrypted emails without additional steps.

However, email security represents just one component of vendor verification. Organizations must assess vendors' overall cybersecurity frameworks, including:

• Technical safeguards assessment: Encryption methods for data in transit and at rest, access controls and authentication mechanisms, multi-factor authentication capabilities, vulnerability management programs, data backup and recovery procedures, and incident response capabilities.
• Administrative safeguards review: Security policies and procedures documentation, employee security training programs, business continuity and disaster recovery plans, vendor management and subcontractor oversight, and regulatory compliance programs.
• Physical safeguards evaluation: Data center security measures, workstation and device security controls, media handling and disposal procedures, and facility access controls.

Read more: Creating an effective email security policy

Due diligence and continuous monitoring

The academic research above supports a systematic approach to vendor evaluation.The authors recommend "conducting thorough risk assessment to identify the critical vendors and the potential risks associated with their services," considering factors like data sensitivity, access privileges, and security practices.

Before sharing PHI with a vendor, verify that they have strong security practices in place through:

• Independent certifications: Look for HITRUST CSF certification, SOC 2 Type II reports, ISO 27001 certification, and other recognized security standards. The absence of such certifications should prompt additional scrutiny.
• Security questionnaires: Use standardized security assessments based on recognized frameworks like the NIST Cybersecurity Framework and HIPAA Security Rule requirements.
• Reference checks: Research the vendor's reputation and breach history to understand their track record in protecting sensitive information.
• On-site or virtual assessments: When appropriate, conduct detailed security assessments of vendor facilities and systems.

Training Staff on vendor risk management

While staff training must continue emphasizing secure vendor communications, the scope must expand to encompass comprehensive third-party risk management. Your staff plays a major role in securing all vendor relationships, not just email communications.

• Risk recognition: Train staff to identify potential vendor risks beyond email security, understand the broader implications of vendor relationships, recognize signs of vendor security compromise, and know when to escalate vendor-related concerns.
• Communication security: Emphasize the importance of verifying recipient email addresses and attachments, provide clear guidelines for sharing PHI with vendors through various channels, teach recognition of phishing emails and other threats from vendor communications, and establish protocols for secure file sharing when email isn't appropriate.
• Vendor relationship management: Educate staff on proper vendor onboarding procedures, establish clear protocols for engaging new vendors, define roles and responsibilities in vendor oversight, and create reporting mechanisms for vendor-related issues.
• Incident response: Train staff on their roles in vendor-related incident response, establish clear escalation procedures, define communication protocols during vendor incidents, and conduct regular tabletop exercises, including vendor scenarios.

Authors in the research above stress the importance of "training and raising awareness among employees about the risks associated with third-party vendors and the importance of following security protocols."

Conduct regular refresher courses to reinforce learning as threats evolve, establish feedback mechanisms for staff to report vendor concerns, recognize and reward staff who identify potential vendor risks, and integrate vendor risk awareness into overall security culture initiatives.

Go deeper: The importance of training for email security

Documentation and compliance auditing

A paper published in Finance & Accounting Research Journal mentions the importance of "maintaining comprehensive documentation of all aspects of third-party relationships, including risk assessments, compliance audits, and incident response plans."

Regularly audit vendor relationships to ensure compliance with HIPAA and internal policies, maintain detailed records of all vendor interactions and security assessments, document vendor security improvements and corrective actions, and address any vulnerabilities or breaches promptly to prevent further damage.

Related: HIPAA compliance in communication

Developing incident response for vendor-related breaches

Even with strong safeguards, breaches can still occur. Having a comprehensive incident response plan ensures your organization can respond quickly and effectively to vendor-related incidents, extending far beyond the original scope of vendor email breaches.

• Immediate response: Include vendor-related breaches in your incident response plan with specific procedures for vendor incidents, establish clear communication channels with vendors during incidents, define roles and responsibilities for both organization and vendor personnel, and implement immediate containment procedures to limit breach scope.
• Investigation and assessment: Outline steps for investigating vendor-related incidents, establish procedures for coordinating with vendor investigation efforts, define requirements for vendor cooperation and transparency, and implement methods for assessing the full scope and impact of vendor breaches.
• Notification and communication: Establish accelerated notification timelines for vendor-related breaches, define communication protocols with regulatory bodies and affected patients, create template communications for various vendor incident scenarios, and maintain coordinated public communications strategies.
• Recovery and lessons learned: Develop procedures for restoring services after vendor incidents, establish vendor relationship review processes post-incident, implement corrective action requirements for vendors, and conduct post-incident reviews to improve future response.

Business continuity and vendor transitions

Researchers of the Finance & Accounting Research Journal paper go on to note the importance of "evaluating the business continuity and contingency plans of third-party vendors" and developing "comprehensive transition plans that outline the steps to be taken in the event of terminating a relationship with a third-party vendor."

According to the researchers, healthcare organizations must thoroughly assess vendors' ability to maintain operations during disruptions such as cyberattacks, natural disasters, and system failures, while simultaneously preparing detailed exit strategies that ensure seamless data migration, service continuity, and regulatory compliance during vendor transitions. The researchers stress that these plans should include contractual exit clauses, collaborative transition management protocols, and regular testing through simulation exercises to identify potential weaknesses before actual disruptions occur. 

By leveraging emerging technologies such as cloud-based solutions and advanced communication tools, healthcare organizations can enhance their resilience and ensure that vendor relationship changes, whether planned or emergency-driven, do not compromise patient care or data security. As the researchers conclude, comprehensive business continuity and transition planning "stand as strategic imperatives for healthcare organizations navigating the complexities of today's operational landscape," enabling them to "fortify their resilience against unforeseen disruptions" while maintaining continuous protection of patient data and care quality throughout any vendor relationship lifecycle.