Printer Friendly, PDF & Email

You are only as secure as your riskiest vendor

Kellie Worley ( is a Consultant, Professional Services, at Clearwater, located in Nashville, TN.

As part of a healthcare organization, you are likely well versed in the data privacy and data protection mandates that must be met under the Health Insurance Portability and Accountability Act (HIPAA). If you are a covered entity, you may work with third-party vendors (business associates) that create, receive, maintain, or transmit electronic protected health information (ePHI). Under HIPAA, you need assurances these third-party vendors will safeguard ePHI.

Third-party or vendor risk management is the process of analyzing and controlling risks associated with outsourcing services to third-party vendors or service providers. Many companies have both direct and indirect relationships with third parties that are important to fulfilling business functions or operations, but those outside party relationships also carry significant risks to organizations.

What is the difference between a vendor and a third party? A vendor is an external entity, often in the supply chain, that supplies goods or services to an organization. Examples are:

  • Cloud service providers,

  • Law firms,

  • Accountants/auditors,

  • Consultants,

  • Software developers, and

  • Payment processors.

Third-party relationships encompass all the vendor entities listed above but also include others with whom an organization does business, such as:

  • Business partners,

  • Venture capitalists, and

  • Regulatory agencies.

While many companies have a vendor risk management program, others have more encompassing third-party risk management programs. For purposes of this article, “third party” and “vendor” will be broadly defined to include all entities that have entered a contractual relationship with a healthcare entity to provide business functions or activities.

This document is only available to members. Please log in or become a member.

This document is only available to subscribers. Please log in or register for complimentary access.

* required field