SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Best Practices for Managing Your Third-Party HIPAA Risks

Healthcare Assessments | HIPAA

Successfully managing your HIPAA risk means accounting for those introduced by your vendors that are supplementing existing business processes in different ways. Vendors can make you vulnerable in a variety of ways, which means a variety of solutions becomes necessary.

By “third parties” we mean those companies that support your organization and often have access to, share, or maintain data critical to business operations—any company whose employees or systems have access to your systems or data is considered a third party. And because failure to comply with HIPAA can mean serious fallout and penalties, it’s in your best interest to keep an eye on all your risks.

That’s why, in this article, we’re going to provide the ways you can do that—we’ll address the different kinds of risks vendors introduce to your environment before getting into best practices for mitigating such risks.

As experienced HIPAA assessors, we’ve seen many organizations fall victim to gaps where their third-party providers are concerned, but with the information to follow, you’ll be less likely to suffer the same fate.

 

Common Vendor Risks That Affect Your HIPAA Compliance

So, when do you have risks from your third-party and vendor relationships? The answer is always. When you work with third-party vendors, their risks are your risks, and they come in many forms, including:

  • Operational Risks: On average, organizations experience about six outages each year related to critical business systems including patient care systems.
  • Security Risks: Thousands of users can connect to a third-party vendor and sometimes they can have full access to your network with shared credentials. Security risk is one of the biggest concerns when doing business with third parties. Security breaches of a vendor’s systems can result in damage to an organization’s own information technology systems and result in disruptions in business processes. 
  • Financial and Reputational Risks: The global average cost of a data breach is millions of dollars. If a third-party vendor has a violation, an organization can be fined, have operational limitations, and face civil and criminal liabilities.
  • Compliance and Regulatory Risks: Under HIPAA, organizations are responsible for securing vendors with access to regulated data. The inability to adequately assess and understand the risks that vendors pose is becoming incredibly costly to healthcare providers.

 

How to Manage Your Third-Party HIPAA Risk

How do you keep your data safe with the growing number of third-party vendors that organizations of all sizes now use for day-to-day operations? Here are a few recommendations you can put into action today to help protect yourself at every stage of your vendor relationships:

Area

What to Do

Procurement

During your vendor procurement processes, complete security due diligence and initial vendor security assessments and approvals—vet your vendors before signing contracts with them by asking to see SOC reports, risk assessments, results of penetration testing, and make site visits if necessary. 

Contracting

When negotiating with a vendor, ensure baseline security controls are included in the contract, including:

  • Safeguards your third-party vendors use to prevent unauthorized use or disclosure of ePHI; and
  • A clear understanding of what happens to your data when your contract ends—is it destroyed or returned to you?

Onboarding

When onboarding a new vendor, ensure the third party only gets access to the data needed for related tasks and securely set up that access. Use access controls to limit access to your network and data.

Vendor Inventory

Develop an inventory of all your third-party providers using data from multiple systems and sources to ensure it’s complete and accurate.

Once you’ve established a comprehensive inventory of all vendors with whom information is shared, it’ll be more manageable to track who has access to sensitive data and how many of these parties are sharing this data with others—this inventory is the first step toward classifying vendors from highest risk to lowest risk based on the systems, networks, and data they access.

Individual Risk Calculation

Using the inventory, prioritize vendors based on the level of access they have and the amount and type of data they require. Then, assign a security risk rating for each vendor based on that access.

Once you know who your vendors are, it’s important to take the information gathered during the risk rating process to understand what data and networks they can access. Not all third parties are created equal and not all pose the same risks—vendors that handle critical business processes will be a bigger threat than smaller contractors who may work with a single department.

Service Delivery

Conduct routine audits to ensure your vendors are meeting the requirements set forth in your agreements and contracts. Use this as an opportunity to identify and mitigate risks before a breach may occur.

Rebids/Renewals

If you are looking to continue your relationship with an existing vendor, be sure to re-evaluate each vendor’s security posture before renewing. Remember, no vendor, regardless of how long you have worked together, is static—there will be changes. Regularly assessing vendors is important in verifying that the vendor continues to meet and maintain the necessary security standards.

Offboarding

But if and when your contract comes to an end, ensure that both parties understand what their responsibilities are for off-boarding and ensure your data is returned or destroyed—whichever was documented in your pre-determined conditions during the contract stage. Plan exit criteria and communicate them clearly—do not let a third-party vendor leave with access to your data, and certifications from them confirming they have either returned or destroyed all the data they had access to per the contract.

*Also keep in mind that termination of relationships with third parties is especially important and often a focus for regulators.

To ensure you maintain the same measures, even as time passes and things change, develop formal third-party vendor and business associate policies and procedures that document these actions. At the very least, the policies should explain at a high level how vendors and the risks they pose will be managed.

For more details on how you can better manage your third-party HIPAA risk, check out our article here.

Next Steps for Your HIPAA Compliance

Managing your HIPAA risk is a complex process, and many organizations often fall into common pitfalls. Your third-party vendor represents just part of the more comprehensive HIPAA risk management requirements, though you do stand to lose a lot—more than just your compliant status—if you fail to properly secure them.

But now that you understand some best practices that will help you shore up that aspect of your HIPAA initiatives, check out our other articles that will help you solidify other aspects as well:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.