Healthcare providers often rely on third-party vendors for a myriad of services, from billing and IT support to medical equipment and software. However, sharing sensitive patient data with vendors via email and other channels can pose significant risks if proper security measures aren't in place. What started as an email security challenge has evolved into a comprehensive third-party risk management imperative that extends far beyond communication protocols.
As Lee Kim, senior principal of cybersecurity and privacy at HIMSS, emphasizes, "Regarding breaches due to third parties, the fundamental thing that needs to be done is setting up a robust third-party risk management program. There are no shortcuts."
Academic research published in World Journal of Advanced Research and Reviews confirms that "third-party vendors can be potential points of vulnerability, exposing organizations to data breaches, cyber-attacks, and compliance failures."
While email communications represent a vulnerability vector, the risks of sharing PHI with third-party vendors extend across the entire relationship lifecycle. Unsecured communications can lead to data breaches, HIPAA violations, and reputational damage, but these represent just the tip of the iceberg.
Modern healthcare organizations engage vendors for Electronic Health Record (EHR) systems, cloud hosting, telehealth platforms, medical device management, billing services, and specialized clinical support. Each relationship introduces potential vulnerabilities that cybercriminals can exploit to access sensitive patient data.
The research above identifies several categories of third-party risks: "data breaches, supply chain attacks, and compliance failures, each with its own set of implications for organizational security and operational integrity." These risks compound when vendors have access to multiple organizational systems or when vendor security measures don't align with healthcare organization standards.
Recent incidents demonstrate the consequences of inadequate third-party risk management. In May 2025, Harbin Clinic was forced to notify over 210,000 individuals that their PHI was compromised due to a breach at debt collection vendor Nationwide Recovery Services (NRS). The vendor discovered the breach in July 2024 but didn't inform Harbin Clinic until February 2025, over seven months later.
Similarly, Radiology Chartered faced a breach affecting over 12,600 individuals from the same vendor incident. Most concerning, Radiology Chartered stated they were "unaware that data previously provided to NRS was still in NRS's possession," showing gaps in data governance and vendor oversight.
These cases exemplify what the academic research above identifies as systemic vulnerabilities. The authors note, "The impact of these risks on organizations can be significant. Beyond immediate financial and reputational costs, organizations may also face operational disruptions, loss of customer trust, and legal liabilities."
A BAA remains a legal requirement under HIPAA when sharing PHI with third-party vendors, but modern healthcare organizations need agreements that extend beyond basic compliance. These contracts must establish comprehensive security frameworks that address the full spectrum of third-party risks.
Without a BAA, your organization could be held liable for HIPAA violations. However, ensuring the vendor signs a BAA is just the beginning. The World Journal of Advanced Research and Reviews study emphasizes that "clear contractual agreements are essential for mitigating third-party vendor risks. Contracts should clearly outline the security requirements that vendors must adhere to, including data protection measures, incident response procedures, and breach notification requirements."
Modern BAAs must address:
While email encryption remains critical when sharing PHI with vendors, comprehensive security verification must encompass the vendor's entire security posture. Use a HIPAA compliant email solution like Paubox to automatically encrypt all outgoing emails, but also ensure vendors can receive and decrypt encrypted emails without additional steps.
However, email security represents just one component of vendor verification. Organizations must assess vendors' overall cybersecurity frameworks, including:
The academic research above supports a systematic approach to vendor evaluation. The authors recommend "conducting thorough risk assessment to identify the critical vendors and the potential risks associated with their services," considering factors like data sensitivity, access privileges, and security practices.
Before sharing PHI with a vendor, verify that they have strong security practices in place through:
While staff training must continue emphasizing secure vendor communications, the scope must expand to encompass comprehensive third-party risk management. Your staff plays a major role in securing all vendor relationships, not just email communications.
Authors in the research above stress the importance of "training and raising awareness among employees about the risks associated with third-party vendors and the importance of following security protocols."
Conduct regular refresher courses to reinforce learning as threats evolve, establish feedback mechanisms for staff to report vendor concerns, recognize and reward staff who identify potential vendor risks, and integrate vendor risk awareness into overall security culture initiatives.
A paper published in Finance & Accounting Research Journal mentions the importance of "maintaining comprehensive documentation of all aspects of third-party relationships, including risk assessments, compliance audits, and incident response plans."
Regularly audit vendor relationships to ensure compliance with HIPAA and internal policies, maintain detailed records of all vendor interactions and security assessments, document vendor security improvements and corrective actions, and address any vulnerabilities or breaches promptly to prevent further damage.
Even with strong safeguards, breaches can still occur. Having a comprehensive incident response plan ensures your organization can respond quickly and effectively to vendor-related incidents, extending far beyond the original scope of vendor email breaches.
Researchers of the Finance & Accounting Research Journal paper go on to note the importance of "evaluating the business continuity and contingency plans of third-party vendors" and developing "comprehensive transition plans that outline the steps to be taken in the event of terminating a relationship with a third-party vendor."
According to the researchers, healthcare organizations must thoroughly assess vendors' ability to maintain operations during disruptions such as cyberattacks, natural disasters, and system failures, while simultaneously preparing detailed exit strategies that ensure seamless data migration, service continuity, and regulatory compliance during vendor transitions. The researchers stress that these plans should include contractual exit clauses, collaborative transition management protocols, and regular testing through simulation exercises to identify potential weaknesses before actual disruptions occur.
By leveraging emerging technologies such as cloud-based solutions and advanced communication tools, healthcare organizations can enhance their resilience and ensure that vendor relationship changes, whether planned or emergency-driven, do not compromise patient care or data security. As the researchers conclude, comprehensive business continuity and transition planning "stand as strategic imperatives for healthcare organizations navigating the complexities of today's operational landscape," enabling them to "fortify their resilience against unforeseen disruptions" while maintaining continuous protection of patient data and care quality throughout any vendor relationship lifecycle.