Third-Party Risk Assessment for Healthcare Organizations
April 17, 2026
Healthcare third-party breaches are not a theoretical risk — they are the dominant breach vector. According to HHS breach data, approximately 40% of healthcare data breaches involve a third-party vendor or business associate. The 2024-2025 wave of major healthcare breaches (Change Healthcare, MOVEit, Blackbaud) demonstrated that a single vendor compromise can expose millions of patient records, disrupt operations for months, and generate nine-figure costs. For healthcare organizations, third-party risk assessment is not optional — HIPAA mandates it, OCR enforces it, and the threat landscape demands it.
HIPAA requirements for vendor risk assessment
HIPAA creates two distinct obligations for healthcare organizations managing vendor relationships:
Business Associate Agreements (BAAs). The Privacy Rule (§ 164.502(e)) requires covered entities to obtain satisfactory assurances via written agreement that Business Associates will appropriately safeguard PHI. The BAA must specify permitted uses and disclosures, require appropriate safeguards, require breach reporting, and ensure the BA imposes similar requirements on subcontractors.
Security risk assessment including BAs. The Security Rule (§ 164.308(a)(1)(ii)(A)) requires risk assessment covering all ePHI — including ePHI held by Business Associates. This means evaluating vendor security controls, not just signing a contract. OCR enforcement actions have increasingly targeted covered entities that signed BAAs but performed no actual security assessment of their Business Associates.
For a deeper dive into BAA requirements and what goes beyond the contract, see our HIPAA vendor due diligence guide. The critical point: a BAA is necessary but not sufficient. OCR expects documented evidence that you assessed the vendor's ability to protect PHI, not just that you obtained their contractual commitment to do so.
Healthcare breach trends and third-party exposure
The healthcare third-party threat landscape has intensified significantly:
Change Healthcare (2024). A ransomware attack on UnitedHealth Group's Change Healthcare subsidiary disrupted claims processing for thousands of providers nationwide. The breach affected an estimated 100 million individuals — the largest healthcare breach in US history. Organizations that had not assessed Change Healthcare's security posture had no documentation of due diligence when regulators and patients demanded accountability.
MOVEit (2023-2024). A zero-day vulnerability in the MOVEit file transfer application affected hundreds of healthcare organizations that used the tool or whose vendors used it. This demonstrated fourth-party risk: organizations that had never directly contracted with MOVEit were still exposed through their vendors' use of the tool.
Systemic concentration risk. The healthcare supply chain is concentrated around a small number of critical vendors. EHR systems, clearinghouses, and cloud infrastructure providers create single points of failure. When one major vendor is compromised, the impact cascades across thousands of covered entities.
These trends reinforce why assessment must go beyond the BAA. Understanding your vendors' security posture, breach history, and subprocessor dependencies is essential for anticipating and managing third-party risk.
What to verify in healthcare vendor assessments
Healthcare vendor assessments should cover both standard TPRM domains and healthcare-specific requirements:
BAA status and terms. Is a BAA in place? Does it include breach notification timelines that meet your HIPAA obligations (60 days for BA to CE, 60 days for CE to individuals)? Does it address subcontractor requirements?
PHI handling practices. How does the vendor store, transmit, and process PHI? Encryption at rest and in transit should be minimum requirements. Access controls, audit logging, and data segregation practices determine how well PHI is protected in the vendor's environment.
Certifications and compliance evidence. Does the vendor hold SOC 2, HITRUST, or other relevant certifications? Can these be independently verified or are they self-attested? HITRUST certification, while not required by HIPAA, provides strong evidence of a mature security program aligned with healthcare requirements.
Breach and incident history. Has the vendor appeared in the HHS Breach Portal? Have they been subject to OCR enforcement actions? Past incidents inform current risk — a vendor with a history of breaches requires enhanced scrutiny, even if they claim to have remediated the issues.
Subprocessor chain. Who does the vendor share PHI with? Do those subprocessors have BAAs? A vendor's subprocessor compromise is effectively your fourth-party breach. ThirdProof's assessment checks 27 intelligence sources, including subprocessor discovery, to map these dependencies.
Business continuity and incident response. What happens if the vendor goes down? What is their incident response timeline? Healthcare operations are time-sensitive — a vendor outage affecting EHR access or claims processing has immediate patient care implications.
Building a healthcare vendor assessment program
Step 1: Inventory all Business Associates. Create a comprehensive list of every vendor with PHI access. Include EHR vendors, clearinghouses, billing services, transcription, cloud hosting, IT support, shredding companies, and analytics platforms. Most healthcare organizations discover more Business Associates than they expected — 50-150 is typical for a mid-size health system.
Step 2: Risk-tier your vendors. Not all Business Associates present equal risk. Tier 1 (critical): EHR, claims processing, cloud infrastructure — high PHI volume, critical to operations. Tier 2 (significant): billing, analytics, telehealth — moderate PHI access. Tier 3 (standard): lower-volume PHI access, easier to replace.
Step 3: Assess proportionally. Tier 1 vendors require full assessment: independent security evaluation, certification verification, breach history review, subprocessor analysis, and financial stability check. Tier 2-3 vendors require proportional assessment. ThirdProof provides the independent evidence layer for all tiers — the same assessment depth applied consistently across your entire BA portfolio.
Step 4: Document for OCR. Your vendor assessment documentation should demonstrate: that you assessed vendors before granting PHI access, that assessment depth was proportional to risk, that you reassess periodically, and that you monitor for vendor security events between assessments. This documentation is your primary defense in an OCR investigation.
Step 5: Monitor continuously. Subscribe to HHS breach notifications, monitor vendor adverse media, and reassess vendors on a defined schedule (annually for Tier 1, every 18-24 months for Tier 2-3). Any vendor with a material change — breach, acquisition, regulatory action — should trigger immediate reassessment.
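Steps 2 and 5 above, as an added example that is not part of the original article and not ThirdProof's product code: a small Python register that assigns a tier to each Business Associate, computes its reassessment due date, and flags a missing or non-compliant BAA and any material change that should trigger immediate reassessment. The PHI-volume thresholds, the split of the page's 18-24 month window into 18 months for Tier 2 and 24 for Tier 3, and the sample vendors are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Step 5 cadence: annual for Tier 1; the page gives 18-24 months for Tier 2-3,
# so this example assumes 18 months for Tier 2 and 24 for Tier 3.
REASSESS_MONTHS = {1: 12, 2: 18, 3: 24}
MATERIAL_CHANGES = {"breach", "acquisition", "regulatory_action"}
BA_TO_CE_NOTIFY_DAYS = 60  # HIPAA outer limit for BA-to-CE breach notice

@dataclass
class BusinessAssociate:
    name: str
    phi_records: int                # approximate PHI volume held by the BA
    operationally_critical: bool    # EHR, claims processing, cloud infrastructure
    baa_notify_days: Optional[int]  # BA-to-CE deadline in the BAA; None = no BAA
    last_assessed: date
    events: List[str] = field(default_factory=list)  # changes since last review

def tier(ba: BusinessAssociate) -> int:
    # Volume thresholds are constructed for this example, not taken from the page.
    if ba.operationally_critical or ba.phi_records >= 100_000:
        return 1
    return 2 if ba.phi_records >= 10_000 else 3

def add_months(d: date, n: int) -> date:
    y, m = divmod(d.month - 1 + n, 12)
    return date(d.year + y, m + 1, min(d.day, 28))  # clamp day so the date is valid

def next_due(ba: BusinessAssociate) -> date:
    return add_months(ba.last_assessed, REASSESS_MONTHS[tier(ba)])

def findings(ba: BusinessAssociate, today: date) -> List[str]:
    """Reasons this BA needs action today; an empty list means nothing is due."""
    out = []
    if ba.baa_notify_days is None:
        out.append("no BAA on file")
    elif ba.baa_notify_days > BA_TO_CE_NOTIFY_DAYS:
        out.append(f"BAA notice window {ba.baa_notify_days}d exceeds {BA_TO_CE_NOTIFY_DAYS}d")
    triggers = MATERIAL_CHANGES.intersection(ba.events)
    if triggers:  # a material change overrides the schedule (Step 5)
        out.append("immediate reassessment: " + ", ".join(sorted(triggers)))
    elif today >= next_due(ba):
        out.append(f"scheduled reassessment overdue (tier {tier(ba)})")
    return out

# Constructed sample register; names, volumes and dates are illustrative only.
TODAY = date(2026, 4, 17)
REGISTER = [
    BusinessAssociate("EHR vendor", 2_000_000, True, 30, date(2025, 1, 15)),
    BusinessAssociate("Billing service", 50_000, False, 90, date(2025, 6, 1), ["acquisition"]),
    BusinessAssociate("Shredding company", 500, False, None, date(2025, 3, 1)),
]
```

Run `findings(ba, TODAY)` for each entry in `REGISTER` to produce the per-vendor action list that Step 4 asks you to keep on file.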
Frequently asked questions
What percentage of healthcare breaches involve third parties?
Is a BAA sufficient for HIPAA vendor compliance?
What certifications should healthcare vendors have?
How does ThirdProof handle healthcare vendor assessment?