Third-Party Cybersecurity and Privacy Risk Management in an Increasingly Interconnected and Digital Healthcare Ecosystem: You Are Only as Strong as Your Weakest Link

Sam Khan

Feb 719 min read

Several healthcare providers and business people working together

Overview

Working with vendors is vital for most healthcare organizations, but each new partnership carries its own set of risks. And any organization is only as strong as its weakest link. It’s not personal. It's a cost of doing business. Think of it as trusting your neighbors (maybe not all of them) but still locking your doors at night. It is a necessary caution that ensures your organization's integrity and security.

In today's rapidly evolving healthcare sector, the interconnectedness of healthcare delivery has become a cornerstone for achieving better patient outcomes and operational efficiency. This interconnectedness is characterized by the collaboration of various organizations, including hospitals, clinics, insurers, and organizations offering clinical support services, all working together to provide quality patient care. While this collaborative approach has many benefits, significant privacy and security concerns must be addressed to protect patients.

Third-party risk management, or Vendor Risk Management (VRM), identifies, assesses, and mitigates risks with third-party vendors. It secures sensitive data, preserves reputation, prevents financial losses, and ensures legal compliance. A "vendor" provides goods or services. Examples include janitorial staff, messengers, event planners, and technology platforms such as for healthcare delivery, patient management, marketing, and human resources. Depending upon the jurisdiction, the organization that determines the purposes and means of processing personal data is the business or controller. In healthcare, it’s the Covered Entity (CE). Depending on the contract and services, vendors that process personal data on behalf of the business are processors, service providers, or contractors. In healthcare, they are Business Associates (BAs).

One objective of an established VRM function is to restrict vendor data to the minimum necessary amount, providing access only to what is needed, nothing more. Another objective is to only do business with vendors that maintain an adequate security and privacy posture, making it sensible from a risk perspective. Now, of course, whether it makes sense to engage a vendor will also depend on a variety of business considerations, including the nature of the service(s) or product(s), the vendor's market share, and the organization’s needs.

VRM involves conducting due diligence on vendors before onboarding, periodically reviewing vendor performance and compliance status, and establishing clear roles and responsibilities to coordinate vendor oversight and ensure adequate internal controls and reporting mechanisms. The VRM process encapsulates the complete lifecycle of a business-vendor relationship, from initial vetting to the sunset phase when the relationship ends. It is often integrated into the internal contract review process, ensuring that all engagements with third-party vendors are thoroughly vetted from the beginning. This integration ensures that any organization looking to engage a particular vendor follows an established, consistent, and reliable process. Organizations should consider designating a responsible individual or team to manage third-party relationships.

Whenever you share information externally, you risk losing control over how that data is handled. Even a single vendor’s mistake can reflect poorly on an organization, potentially causing significant harm. So naturally, adequately investing in VRM is in an organization's best interest. Effective VRM is essential for maintaining strong cybersecurity governance, particularly for healthcare organizations that rely heavily on external vendors, including for data storage and processing services. The sensitivity of healthcare data and the increasing number of third-party relationships demand stringent oversight to ensure that vendors adhere to adequate privacy and security standards. Organizations often underestimate the negative consequences of a third-party vendor breach. But a vendor breach can be devasting.

Regarding data privacy and protection, VRM generally involves implementing policies and procedures to protect the confidentiality, integrity, and availability of data or information shared with or accessed by vendors. Not only is ensuring data protection generally considered a best practice for organizations, but it is also required by law in many jurisdictions. Federal laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require managing such risks. There has also been a notable emergence of U.S. state privacy laws, which include requirements for contracts with third-party vendors. These laws include provisions for how organizations must address third-party vendor relationships. They only dictate the substance, not the form of these contracts, so parties can address the requirements using a data processing addendum (DPA), a separate agreement, or addendum to a contract. Alternatively, they could incorporate the requirements into the underlying contract like a master service agreement (MSA). However, remember that VRM is not only mandated by many laws but also represents a sound business practice that can help organizations avoid breach-related costs while enhancing their efficiency, quality, and customer satisfaction.

This Article outlines general considerations for an effective VRM program from inception to termination, including onboarding vendors, implementing ongoing oversight, and offboarding vendors. In particular, it provides an in-depth look at conducting HIPAA due diligence and discusses the recently proposed HIPAA Security Rule’s implications for VRM. By the end, you will have a roadmap for working with vendors to safeguard sensitive data, generally comply with regulatory requirements, and minimize third-party risk. You will also have an idea of what to expect in light of new developments. Let’s dive in.

The Fundamentals of Third-Party Risk Management

Big Picture

Immediately below are the foundational concepts that form the core of any robust VRM approach and set the stage for the more specific considerations that follow. Here’s the big picture. Think broadly about common risks all vendors present, then focus on specific legal or sector requirements, especially in healthcare. Keep a comprehensive list of all vendors, continuously monitor risk levels, and track contract expiration dates or updates. Work with your organization’s legal/compliance advisors and IT experts to build a practical plan. Regularly revisit your approach as needed and as technology and regulations evolve.

An effective approach is to categorize each vendor by potential risk level. For example, a vendor handling patient records poses a higher risk than someone delivering office supplies. Start by forming a comprehensive list of every external company or individual your organization works with. Then, gather details about each vendor’s experience and any past security issues. Investigate their security and vetting procedures for all relevant staff, systems, and processes, including those of any subcontractors. Tailor this investigation to the data's sensitivity. Review their security policies, paying attention to safeguards like encryption and strong passwords. Check their business continuity and disaster recovery plans, including policies and procedures, to ensure they can manage data breaches or major outages and confirm they meet relevant privacy requirements. Limit vendor access to only what is essential for their tasks. Under HIPAA, this is a requirement per the minimum necessary rule, which requires disclosing internally and externally only the amount needed to perform a task. Ensure they provide routine security and privacy training to their personnel so they can effectively identify, report, and prevent or mitigate data breaches and other related risks.

Access controls are key. Restrict access to your sensitive data and control how vendors use it, depending on the data’s sensitivity. Verify if such data is segregated from that of other clients. Make sure you can retrieve your data at any time. Authentication and access measures should generally and roughly match the level of risk.

Address security measures. Confirm implementation of appropriate administrative, physical, and technical safeguards and know the vendor’s incident response process. Consider establishing restrictions on further data transfers as appropriate. Prohibit unauthorized transfers to control which laws apply. Address responsibility for your vendors' subcontractors. If subcontracting is allowed, ensure the primary service provider remains liable for any breaches by its subcontractors. In healthcare, many of these considerations are outlined in Business Associate Agreements (BAAs).

For cloud computing contracts, look at the service levels for each vendor. Define specific service levels for data input, updates, archiving, and deletion. Include remedies if these levels aren’t met and address liability coverage. Make sure liability limits are set if security obligations are breached.

Parties should clearly delineate their understandings on the deletion and back-up of data. What does it mean to clarify back-up and deletion procedures? It means to contractually set responsibilities, duties, and consequences of breach. This includes things like if individual users can delete data and determine how that affects others. Contracts should require regular back-ups of important data. Return of data on termination is a crucial consideration. Agree on how and when you’ll get your data back when the contract ends. Ensure data is destroyed or returned to you, then securely deleted, with proof of deletion provided (discussed in more detail below).

Don’t forget ownership of intellectual property. We’re talkin’ “who owns what.” This has both business and legal implications. Regarding the former, data is an asset. Ensure it stays an asset if that is the intention. Legally, a cloud provider may store your data, but as long as it’s your data, you will likely remain at least partially if not fully responsible for privacy law compliance. For compliance, retain audit rights and consider recognized certifications like ISO 27001 or SOC.

Ongoing Oversight

Ongoing oversight, monitoring, and audits are mission critical. Even a thorough initial screening isn’t enough. Consider scheduling regular check-ins and updating each vendor’s risk rating at least annually. Agree on a plan for reporting and handling incidents so everyone knows what to do if a problem arises.

Once a vendor has been vetted and engaged, the relationship enters a critical phase of routine monitoring. This is essential to ensure the vendor remains compliant with the BAA and other relevant agreements. This involves regular audits, reviewing vendor practices, and responding swiftly to security or privacy incidents. Given the heightened level of oversight required by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and the increasing cyber threats targeting the healthcare industry, healthcare organizations should prioritize certain vendors based on factors like the amount of Protected Health Information (PHI) [1] they access, the criticality of their functions, and any known deficiencies in their security program.

Healthcare organizations should integrate vendor oversight into their overall HIPAA compliance plan. For example, the HIPAA Security Rule requires entities to implement access controls to ensure that only authorized users are permitted access to systems containing PHI and to regularly review information system activity, such as audit logs and access reports. VRM should be incorporated into these practices. Before contracting with a vendor with access to a medium containing PHI, CEs should consider how their authentication controls and system activity reports can be extended to cover the vendor. It’s important to determine whether the CE will be able to track the vendor’s access to and use of the system. If the vendor maintains its own server or network containing the CE’s PHI, the CE should request and review the vendor’s access reports and audit logs. Integrating vendors into the compliance plan helps identify and mitigate risk factors associated with vendor operations.

Transparency in reporting data breaches is critical when working with third-party vendors. Every BAA should clearly outline immediate notification of cyber events. Importantly, a CE that becomes aware of a BA’s breach of HIPAA obligations but fails to take corrective action, such as ending the breach or terminating the contract, if necessary, could be in violation of HIPAA. OCR may impose penalties if it’s revealed that the CE was aware or should have been aware of deficiencies in a vendor’s cybersecurity practices but continued using that vendor for PHI functions.

As discussed, some healthcare organizations may require vendors to provide written attestations regarding their security programs or to sign separate security compliance agreements. Others adopt more stringent measures, including on-site reviews and periodic (e.g., annual) attestations/assurances. Either way, third-party vendors are important to every organization’s risk profile. They should be treated with the same seriousness and scrutiny as internal operations.

Leveraging Vendor Relationships in Crises

At the end of the day, let’s not forget that this, too, involves maintaining good relationships. Vendor relationships can be particularly valuable during crises, such as ransomware attacks. When a hospital’s EHR system is compromised, for example, the vendor’s systems may contain the only accessible records of upcoming patient appointments, procedures, and other critical healthcare activities. So, having strong communication channels and rapport with vendors is key in such situations. Among other things, vendors should be prepared to assist with data extraction to ensure continuity of care. Doing this effectively means having good working relationships with all the organization’s vendors. So yes, invest in maintaining at least minimally functional relationships. This will help not only with ongoing oversight and monitoring but also with tackling a security incident. Timely coordination will likely be the difference between an effective and ineffective incident response. The person or team responsible for VRM should have the contact information of at least one authorized vendor representative of each vendor on “speed dial.” It helps if they respect you enough to timely respond and cooperate when it matters most.

While the process described above is critical for managing relationships involving PHI, healthcare organizations should also consider the privacy and protection of other types of sensitive data. A similar vetting process should be in place for any third-party vendor relationship that involves sensitive data other than PHI. Although the overall process would be very similar, it may involve certain differences, such as establishing non-disclosure agreements (NDAs) or other contractual obligations to sufficiently protect sensitive information. Vendors’ compliance with privacy and security standards ultimately affects healthcare organizations' overall privacy and security posture.

A well-established and comprehensive VRM process should include a structured sunset phase in addition to initial vetting, routine monitoring, and incident response processes.

The Sunset Phase

The sunset phase is when the relationship with a third-party vendor is ending. This phase is as crucial as initial vetting and ongoing oversight. Upon termination, healthcare organizations should ensure that all PHI and other sensitive data is either returned or destroyed in accordance with applicable laws and regulations and as outlined in relevant contracts like BAAs.

The HIPAA Security Rule requires that CEs implement policies and procedures to address the final disposal of electronic PHI and the hardware or electronic media on which it is stored. One recommended approach is clearing PHI by using software or hardware to overwrite media with non-sensitive data. Other options are to ensure the return or destruction of PHI upon termination of a vendor relationship. When permanently deleting files from a network, remember to address all backups, including those stored on the cloud, servers, and off-site. It’s good practice to obtain a certificate of destruction or other assurances that the data has been appropriately destroyed or returned. The sunset phase should include a formal review to confirm that the vendor has complied with all requirements, mitigating the risk of data breaches or unauthorized access once the relationship ends.

General Privacy and Security Third-Party Due Diligence

Don’t overlook the need to take appropriate privacy and cybersecurity administrative steps to ensure that each vendor has proper policies and procedures in place. Make sure contracts clearly state how data will be shared, stored, and protected. Establish written policies that dictate how to handle data and ensure procedures are followed. Here are some considerations:

Types of non-PHI data collected (financial, payment card info, etc.)
Methods used to collect such data (in person, website, etc.)
Additional information security policies beyond those for PHI
Acceptance of payment cards and related compliance documentation (PCI DSS)
The company’s website privacy policy
Procedures for destroying/deleting personal information no longer needed

Cybersecurity Due Diligence Requests

This questionnaire is designed to help you evaluate prospective vendors from a general cybersecurity perspective. The specifics will likely vary based on the exact situation at hand, including your organization, the intended business relationship, and the vendor type. This is not a comprehensive or tailored list but contains many of the general considerations that might apply.

Category	Questions
Governance	Who oversees information and cybersecurity management in your organization? When was the last time the board reviewed information security, cybersecurity, and cybercrime risk?
Security Policies and Procedures	Could you please provide a copy of your information security and/or cybersecurity policy if available? How do you ensure physical security of your premises and processing areas (entry controls, etc.)? How do you manage the security and maintenance of equipment? How do you handle password and access controls, including: Enforcing a password policy Assigning individual accounts to each staff member Using multi-factor authentication (MFA) for remote IT connections and cloud systems Documenting account creation/termination procedures How do you protect mobile equipment (e.g., laptops and mobile phones)? What controls do you have for malicious software? How will security be maintained in the event of a business continuity issue? How do you monitor system access and usage? Do you align your information security policy with recognized standards (e.g., ISO) or other frameworks? If applicable, do you have a policy for complying with data protection laws (e.g., GDPR)? Please provide a copy. Will personal data be transferred outside the US to the UK or EU? If so, how do you ensure GDPR compliance? Do you have a clear desk policy? Do you have a clear screen policy? How do you audit compliance with your cybersecurity, information security, and data protection policies? Do you maintain logs for security incidents, and how are they protected against alteration or unauthorized access? Do you have a data retention policy or schedule? If yes, please provide a copy. Do you have a secure disposal policy for equipment, media, and data? If yes, please provide a copy. How do you dispose of paper records? What measures prevent unauthorized external access to your systems? Do you have a back-up and disaster recovery policy? If yes, please provide a copy. Describe your procedures for malware detection and prevention (e.g., security patches and penetration testing). Do you store data or equipment offsite? If so, what type of data and how is it secured? Do you conduct mock cybersecurity events or response exercises (i.e., tabletop exercises)? If yes, please describe.
Employees	Have you performed verification checks on all current employees? Do you screen potential employees before hiring? Do you have a personnel screening and vetting policy? If yes, please provide a copy. How do you ensure employee reliability when handling personal data? How do you train staff on data handling and cybersecurity, and how often is this training refreshed? Do your employment contracts include confidentiality clauses? Do your employment contracts require compliance with your security and data protection policies?
Contractors	Do your contractors sign a confidentiality agreement before accessing your system? Will you use sub-processors? If yes, what contractual measures preserve security and confidentiality? Do these sub-processor agreements comply with applicable laws such as GDPR? How do you ensure your sub-processors meet security standards for personal data? What due diligence do you perform on suppliers, subcontractors, and sub-processors to confirm data protection compliance?
Compliance Record	Do you maintain a record of data protection complaints? Have you been the subject of an government initiated complaint in the past [X years]? If yes, please provide details. Do you maintain a data breach record? Have you had any data breach that resulted in loss or unauthorized disclosure of personal data in the past [X years]? If yes, please explain. Have you reported any personal data breaches to the ICO within the past [X years]? If yes, please give more information. Do you have a reporting mechanism for data breaches? Do your data breach procedures comply with any applicable laws?

Now, let’s discuss healthcare-specific considerations, an area where VRM is especially critical. If you share PHI with a vendor, you must conduct extra checks and have BAAs in place to ensure, at a minimum, HIPAA compliance. HIPAA due diligence includes verifying that a vendor uses encryption, properly trains staff, and maintains secure processes around PHI. Vendors also have certain notification and reporting obligations regarding a potential or actual breach, which are highlighted in each respective BAA. Below in this Article is a detailed HIPAA due diligence section that outlines what CEs and BAs should investigate.

HIPAA Vendor Due Diligence

The process often begins with legal or compliance determining whether a BAA is necessary, which hinges on whether a vendor is a BA. A BAA is required when a vendor will access PHI on behalf of a CE. Where a BAA is appropriate, it should clearly delineate the parties’ respective responsibilities, including related costs, in the event of a breach affecting patient information. CEs may also seek vendor indemnification for breaches of unsecured PHI or broader HIPAA violations. It’s vital to carefully consider any limitation of liability provisions in service agreements or BAAs that could affect the entity’s right to seek indemnification. Additionally, compelling vendors to maintain cyber liability insurance can help cover breaches that could trigger liability for a healthcare entity.

After establishing the need for a BAA, the next step is thorough vendor vetting. There should be an established process for doing this. The big picture goal here is to determine whether the value of the third-party engagement (i.e., provision of services) is worth the risk at the onset. This vetting process involves assessing the vendor’s policies, procedures, and safeguards to ensure they meet the organization’s standards for privacy and security.

Below is a close look at HIPAA due diligence considerations for CEs and BAs. This section expands on the earlier discussion of healthcare-specific considerations, providing a structured approach to onboarding BA vendors. Keep in mind that this Article offers an overview of third-party diligence focused on general and HIPAA privacy and security considerations, but each healthcare organization’s efforts will vary based on its specific characteristics and compliance obligations. Before we dive into diligence considerations, let’s cover some useful background information.

Given the challenges of conducting direct audits, such as a lack of expertise or resources, many healthcare organizations implement a self-audit protocol. Think of it as having vendors complete a standard form assessing their cybersecurity posture. During this process, vendors would be asked to provide detailed information about their privacy and security measures. This might include structured questionnaires or assessments that cover key areas such as personnel and subcontractor screening, employee training on compliance issues, privacy and security measures, and the vendor’s compliance history. To implement this effectively, healthcare organizations should assign individuals with contracting authority to request the self-audit, identify teams to review the reports, and train relevant personnel on the tools and information requests used in the process. It might also be a good idea to ask vendors to self-certify the accuracy of the information provided during the self-audit. This added layer of accountability ensures vendors take the process seriously. Another option is to obtain a certification, audit report, or attestation of compliance by engaging a third-party, independent auditor. Organizations should consider engaging VRM auditors with experience in the healthcare space. It is even better to have qualified personnel from your own organization conduct the diligence themselves if the vendor is open to this approach and it is practical.

The Health Information Technology for Economic and Clinical Health (HITECH) Act extends the application of the Security Rule’s provisions on administrative, physical, and technical safeguards and documentation requirements to BAs, making them subject to civil and criminal liability for violations of the Security Rule. What does this mean? For one, you’re directly on the hook if you're a vendor. It is your sole responsibility as a BA to ensure that your BAs (i.e., subcontractors) enter into BAAs like you and the CE do. They are your BA under HIPAA. Alternatively, if you’re a CE, you’re only required to enter into BAAs with your BAs, not their BAs or so on and so forth.

Let’s begin discussing diligence considerations from the perspective of a CE.

Diligence by Covered Entities: What You’re Asking a BA

Again, as with the cybersecurity questionnaire above, the specifics will likely vary based on the exact situation at hand, including your organization’s characteristics, the intended business relationship, and the vendor type. This is not a comprehensive or tailored list but contains many of the general considerations that might apply. Request from the BA all the company’s policies and procedures regarding compliance with the HIPAA Privacy, Security, and Breach Notification Rules, in addition to the following:

Rule	Details
Privacy Rule	Policies on record maintenance, destruction, access, confidentiality, and HIPAA compliance List of vendors with PHI access Documentation on contracting with vendors List of CE clients Process for handling patient requests (copies, amendments, disclosures, restrictions) Process for third-party PHI requests Copies of any privacy/security complaints
Security Rule	Name of the HIPAA Security Officer and any compliance committee members, plus org chart Most recent HIPAA risk analysis under 45 CFR 164.308(a) IT security policies and procedures Description of how electronic health information is gathered from vendors, websites, etc. Types of health information (PHI, de-identified PHI) and format (hard copy, electronic) Safeguards for ePHI (encryption, password protection, etc.), in line with the Department of Health and Human Services (HHS) Guidance HIPAA/security training materials and employee training documentation Explanations for any addressable Security Rule specifications deemed not reasonable, plus alternative safeguards Procedures for reviewing audit logs, access reports, and security incident tracking Periodic security reminders and malicious software protection Contingency planning (backups, restoration, emergency mode operations, testing, criticality assessment) Records of hardware/media movements containing ePHI Audit controls to record and examine system activity
Breach Notification Rule	Detection, internal reporting, investigation, and notification/reporting processes for PHI breaches List of PHI breaches reported in the past 6 years Description of security incidents/potential breaches in the past 6 years, including whether they were reported Communications from agencies regarding privacy/security complaints or investigations

Diligence by Business Associates: What You’re Asking a CE

Request from the CE all the company’s policies and procedures regarding compliance with the HIPAA Privacy, Security, and Breach Notification Rules, in addition to the following:

Rule	Details
Privacy Rule	Name of the HIPAA Privacy Officer, compliance committee members, organizational chart Documentation regarding the use/disclosure of PHI (authorizations, minimum necessary standards) Notice of Privacy Practices, acknowledgments of receipt Patient rights procedures (access, amendments, accounting of disclosures, verification/denial methods) Implementation records for Privacy, Security, and Breach Notification requirements List of vendors with PHI access Vendor contracting documentation (template BAAs, enforcement policies, vendor due diligence) Copies of all BAAs Documentation of de-identification practices Marketing practices Limiting employee PHI access Policies for record maintenance, filing, destruction, confidentiality How third-party PHI requests are handled Copies of privacy/security complaints
Security Rule	Name of the HIPAA Security Officer, organizational chart Most recent HIPAA risk assessment, risk management plans IT security policies and procedures Description of electronic health information sources (third-party vendors, websites) Types of health information gathered (PHI, de-identified PHI) and format (e.g., hard copy or electronic) Methods of safeguarding ePHI (e.g., encryption, password protection, etc.) HIPAA/security training materials and documentation Explanations for addressable Security Rule specifications deemed not reasonable, alternative safeguards Evidence of periodic reviews/modifications to maintain ePHI protection Procedures for security reminders, malicious software defense Contingency planning (e.g., ePHI backups, restoration, emergency mode operations, contingency plan testing, application criticality, obtaining necessary ePHI in an emergency) Movement records for hardware/electronic media holding ePHI, responsible persons Audit controls that record and examine system activity
Breach Notification Rule	Process for detecting, internally reporting, investigating, notifying/reporting PHI breaches List of PHI breaches reported to agencies, clients, individuals in the past 6 years Description of security incidents and potential breaches investigated in the past 6 years, including whether they were reported Documentation for why any unreported incident was deemed not reportable Communications from state/federal agencies about privacy/security or complaint investigations Incident and breach response policies/procedures, timelines for notifying individuals, OCR, media, logs of security incidents or breaches

Proposed HIPAA Security Rule’s Third-Party Risk Management Implications

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) with critical updates to the HIPAA Security Rule, marking its first major revision since 2013. These updates aim to fortify cybersecurity protections for electronic PHI in response to evolving healthcare technologies and increasing cyber threats. While the proposed rule covers a wide range of cybersecurity improvements, this section specifically focuses on the implications of these updates for VRM in healthcare.

The general takeaway of the NPRM and the overall direction of where things are going is to increase efforts by healthcare organizations to do more and better diligence on vendors. The current Security Rule does not require CEs to verify that BAs are taking necessary steps to protect ePHI. Under the NPRM, a CE entity would need to verify that the BA has deployed the required technical safeguards by obtaining written documentation from the BA at least once every 12 months, along with a risk analysis of the BA’s relevant electronic information systems to be conducted by qualified personnel. A person authorized to act on behalf of the BA would need to certify in writing that the analysis has been carried out and is accurate. A regulated entity that delegates actions, activities, or assessments required by the Security Rule to a BA would remain responsible for compliance with all applicable provisions of the Security Rule.

Specifically, HHS proposes 8 implementation specifications for the risk analysis standard. Of relevance here is to create an assessment of risks to electronic PHI posed by entering or continuing a BAA or other written arrangement with any prospective or current BA, respectively, based on the written verification obtained from the prospective or current BA.

Also, notably, this NPRM is the first time HIPAA explicitly addresses the regulation of artificial intelligence (AI). However, this Article does not address AI-specific risks, including those related to VRM. For more on AI specifically, please check out my previous article, Navigating HIPAA's New Proposed AI Rule: Key Implications for Health Systems, a collaboration with the Center for Health AI Regulation, Governance & Ethics (CHARGE). Generally, most of the same approach will apply but with additional AI-specific considerations.

Inviting a Secure Future

Effective VRM is paramount for any organization relying on external business partners that handle sensitive data. By integrating your vendors into your extended team and holding them to high standards, you can significantly minimize and mitigate the risk of data breaches and compliance issues. This holistic approach, especially crucial in sectors like healthcare, ensures adherence to regulations such as HIPAA. Conducting thorough due diligence on future business partners is essential to safeguard your organization’s integrity.

As we move forward, we must recognize that data privacy and protection are evolving, and so must we. Staying ahead requires continuous innovation and vigilance. Organizations must remain agile, adapting to new threats and technologies. Let's think beyond compliance and envision a future where data protection is a cornerstone of trust and resilience, driving us toward a more secure and interconnected digital healthcare era.

A doctor sitting in a chair with a laptop.

[1] For the purposes of this Article, the term "Protected Health Information (PHI)" includes both PHI and Electronic Protected Health Information (ePHI). For more on the differences between the two, see Sam Khan, Spotting the Hungry, Hungry HIPAA-potamus: https://www.talkinghealthlaw.com/post/spotting-the-hungry-hungry-hipaa-potamus-what-is-hipaa-and-does-it-apply-to-you.