Tightening Up Third Party Relationships




The relationship between a provider organization and the third-party vendors that handle its patient information (labs, insurance companies, referral physicians, etc.) has moved to the forefront of information management. As a provider organization we entrust our patients' PHI (Patient Health Information) to vendors who demonstrate the willingness and the ability to safeguard it under the HIPAA Privacy and Security Rules.

Before we proceed to sign a BAA (Business Associate Agreement) with a vendor, a lot of due diligence needs to be done. The most important step, though, is to evaluate ourselves: where is the risk?

  • Create a list of the vendors with whom we, as an organization, plan to share PHI and sign a BAA
  • Understand what data needs to be shared – full PHI or partial PHI
  • Understand how the data is going to be shared – FTP, system access, etc.

And then prepare a risk matrix:

# of Patient records      Desired result
Less than 10 records      OK? / Warn sender? / Do they have a signed/current BAA? / Sender/Receiver approved? / Alert to compliance department? / Notify compliance? / Block the transmit?
100 records
250 records
500 records
1000 records and
1M records



The matrix above helps the provider organization assess its own readiness.
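As an added example (not MindLeaf's code or tooling), the following Python sketch turns the matrix into an outbound-PHI gate: it counts distinct patient records in a constructed export, checks whether the receiving vendor has a signed and current BAA and is an approved sender/receiver, and then picks an escalation tier by volume. The record-count thresholds and the questions come from the matrix; the vendor registry, the sample export and the action assigned to each tier are assumptions made here for illustration.

```python
from datetime import date

# Assumed vendor registry (constructed): BAA expiry date and sender/receiver approval.
VENDORS = {
    "acme-labs":   {"baa_expires": date(2026, 1, 31), "approved": True},
    "old-insurer": {"baa_expires": date(2020, 6, 30), "approved": True},   # lapsed BAA
    "ref-md":      {"baa_expires": None,              "approved": False},  # no BAA at all
}

# Record-count thresholds from the post's matrix; which action fires at each
# tier is an assumption made here, since the matrix leaves that column open.
TIERS = [(10, "ok"), (100, "warn_sender"), (250, "alert_compliance"),
         (500, "notify_compliance"), (1000, "block_transmit")]

# Constructed CSV export: three rows, but only two distinct patients.
SAMPLE_EXPORT = """patient_id,dob,diagnosis_code
P001,1980-01-02,E11.9
P002,1975-03-04,I10
P001,1980-01-02,Z00.00
"""

def count_patient_records(export: str) -> int:
    """Count distinct patient IDs (first CSV column), skipping the header row."""
    rows = [line for line in export.strip().splitlines()[1:] if line.strip()]
    return len({row.split(",")[0].strip() for row in rows})

def baa_current(vendor: str, today: date) -> bool:
    """A BAA counts only if the vendor is known, has one, and it has not expired."""
    entry = VENDORS.get(vendor)
    return bool(entry and entry["baa_expires"] and entry["baa_expires"] >= today)

def decide(export: str, vendor: str, today: date) -> dict:
    """Apply the matrix questions in order: signed/current BAA, approved pair,
    then the volume tier. A failed BAA or approval gate blocks regardless of size."""
    n = count_patient_records(export)
    if not baa_current(vendor, today):
        return {"records": n, "action": "block_transmit", "reason": "no signed/current BAA"}
    if not VENDORS[vendor]["approved"]:
        return {"records": n, "action": "block_transmit", "reason": "sender/receiver not approved"}
    action = "block_transmit"  # fallback for 1000 records and above
    for limit, tier_action in TIERS:
        if n < limit:
            action = tier_action
            break
    return {"records": n, "action": action, "reason": f"{n} patient records"}

if __name__ == "__main__":
    print(decide(SAMPLE_EXPORT, "acme-labs", date(2025, 6, 1)))
    print(decide(SAMPLE_EXPORT, "old-insurer", date(2025, 6, 1)))
```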

Where to Start?

For the provider organization, the current policies and procedures need to be evaluated against the risk matrix. The organization needs to perform a self-audit and educate the staff.

Prior to establishing a BAA with a vendor, it is important for the organization to:

  • Develop a culture of compliance
  • Brief and debrief employees on the risk matrix
  • Know what to do if a breach happens
  • Put compliance controls in place


Like any organization, providers are not 100% efficient. The controls – policies and procedures – should always demonstrate how to:

  • Avoid the breach
  • Turn around when a breach happens

When the organization is contemplating a relationship that calls for a BAA and its privacy and security assurances, it is important to assess whether the vendor qualifies as a Business Associate. However, the most important variable is self-preparedness: an oversight on our part should not be the reason for a breach.

At MindLeaf (www.mindleaf.com) we have been protecting patient privacy by ensuring providers have the right procedures, policies and tools to monitor privacy and manage vendor risk.

MindLeaf and Intel are offering a complimentary breach security assessment for healthcare organizations (www.mindleaf.com/breachsecurityprogram.html).

Managing risk is hard, but successful vendor risk management is a key variable in the overall compliance of the provider organization. In short, an effective vendor risk management policy will ensure that the mistakes or breaches your vendors make do not become your organization's problem.

As our former President Lincoln said, “I will prepare and someday my chance will come.”


Schedule your assessment now.



Paresh K. Shah

Labels: HIPAA Privacy