How to meet the third-party risk requirements of HIPAA

If your organization operates in the healthcare sector, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, is critical. As a federal law, HIPAA heavily regulates the processing and management of personal health information (PHI), including sensitive patient data, to ensure the data stays confidential and protected at all times.

Safeguarding such critical data demands extensive due diligence once you start working with third parties who can access your systems and records, as even a minor slip-up can cost you millions in data breach penalties.

HIPAA includes several sections dedicated to third-party risk management (TPRM) in relation to PHI and personally identifiable information (PII). In this guide, we cover those relevant sections and also discuss how to manage third-party relationships to avoid jeopardizing PHI.

Why HIPAA and TPRM are inseparable

PHI is constantly shared with third parties like insurance providers, billing companies, medical equipment suppliers, and cybersecurity vendors. Each time you share PHI for any reason, you expand your risk landscape because you no longer have complete control over the data’s management.

This is why you must make sure the data recipient will handle PHI responsibly and keep its confidentiality, safety, and integrity intact. In practical terms, you need to build a comprehensive TPRM program that follows the relevant HIPAA guidelines.

Who needs to comply with HIPAA’s third-party requirements?

HIPAA compliance is mandatory for two types of organizations: covered entities (CEs) and business associates.

The distinction between CEs and business associates is often confusing to those handling HIPAA for the first time. However, HIPAA clearly outlines the difference. CEs are split into three types of organizations:

  1. Healthcare providers
  2. Healthcare plans
  3. Healthcare clearinghouses

As for business associates, they encompass all entities that do business with CEs, including examples such as:

  • IT service providers
  • Law firms
  • Cloud service providers
  • Billing services
  • Shredding companies (particularly those handling documents that contain PHI)

Regardless of the type, any entity with access to PHI must meet the applicable HIPAA requirements—including those related to third parties.

TPRM-related HIPAA requirements

HIPAA’s third-party risk requirements are set out in Section 164.308 of Title 45 of the Code of Federal Regulations (45 CFR § 164.308). The requirements you should focus on are as follows:

  1. 45 CFR § 164.308(a)(1)(A): Risk assessments
  2. 45 CFR § 164.308(a)(1)(B): Reducing risk exposure
  3. 45 CFR § 164.308(a)(1)(D): Regular monitoring and reviews
  4. 45 CFR § 164.308(a)(6): Security incidents
  5. 45 CFR § 164.308(a)(8): System security evaluations
  6. 45 CFR § 164.308(b)(1): Business associate agreements

1. 45 CFR § 164.308(a)(1)(A): Risk assessments

As per this requirement, your organization must conduct comprehensive risk and vulnerability assessments related to electronic PHI held by your organization or a business associate.

HIPAA requires stringent risk assessments to evaluate your internal systems and each external party with access to PHI. The goal is to determine whether the necessary protection measures are in place.

Due to the complexity of each third party’s risk profile, you might need to gather numerous data points as part of your assessments. That’s why it may be helpful to standardize the process through risk assessment questionnaires covering relevant aspects of PHI management, such as:

  • Cybersecurity measures and controls
  • Data protection procedures
  • PHI sharing practices
  • Legal contracts and related agreements

2. 45 CFR § 164.308(a)(1)(B): Reducing risk exposure

According to this paragraph, you must put appropriate security measures in place to mitigate mapped vulnerabilities and reduce your overall risk exposure to an acceptable level.

Security measures have a vast scope in the healthcare sector and can be challenging to implement, especially if you do it from scratch. This is why many organizations decide to get a head start by adopting an established security framework—the NIST Cybersecurity Framework, for instance.

NIST offers plenty of resources for HIPAA-regulated entities to help them adjust the framework to their needs and mitigate risks to enable full compliance.

You can also explore other frameworks, such as:

  • HITRUST: A flexible framework that consolidates requirements from multiple security standards to help ensure regulatory compliance and effective risk management.
  • CIS Critical Security Controls: A robust set of best practices aimed at strengthening an organization’s security posture.
  • COBIT: A globally recognized framework for IT governance. 

Whatever framework you choose, meeting this requirement becomes easier if you also monitor your risk exposure with capable TPRM software.

3. 45 CFR § 164.308(a)(1)(D): Regular monitoring and reviews

This paragraph outlines the importance of ongoing monitoring. Specifically, it describes the need to regularly review different records of an organization’s information system activity, such as:

  • Audit logs
  • Access reports
  • Security incident tracking reports

The section offers no specifics on how frequently such reviews should be conducted, so you can define what “ongoing” would entail for your organization. In general, risk leaders are moving away from point-in-time assessments that display the risk landscape passively and leave room for undiscovered vulnerabilities.

Addressing this requirement relative to third parties also involves ensuring that any third parties with access to PHI adhere to these monitoring and review practices as well. Organizations should consider including specific provisions in their business associate agreements (BAAs) requiring third parties to conduct regular reviews of their information system activities and share relevant reports.

A practical solution here is to opt for a TPRM platform that centralizes and streamlines third-party review workflows, cutting down on manual work. Look for solutions that offer:

  • Integration with your current systems to pull data
  • Automation capabilities that eliminate manual data entry and other laborious tasks
  • Centralized dashboards containing actionable information on third parties

4. 45 CFR § 164.308(a)(6): Security incidents

This paragraph discusses three important requirements related to security incidents:

  1. Identifying and responding to known or suspected incidents
  2. Mitigating the effects of such incidents to the fullest practicable extent
  3. Documenting security incidents and their outcomes

The main issue with third-party security incidents is that they may not be reported promptly enough. As a result, the incident may escalate before you get a chance to address it.

Such delays can be avoided through transparent and efficient vendor communication. Assign a dedicated point of contact whom your third parties can reach out to, and define regular touchpoints to proactively discuss any potential threats.

Still, prevention can only take you so far, so it’s crucial to develop effective incident response plans. Examine the results of your risk assessments to prioritize the most pressing threats, and then come up with effective strategies to handle a realized risk event with minimal damage.

5. 45 CFR § 164.308(a)(8): System security evaluations

This is another paragraph that recommends regular evaluations of your security measures and their effectiveness in safeguarding PHI—its intent is similar to that of paragraph 45 CFR § 164.308(a)(1)(D). The main difference is that it doesn’t only discuss information system activity reviews but broader technical and non-technical evaluations of both your and your business associates’ security measures.

To meet this requirement for third parties, you should go beyond the initial risk assessment and perform comprehensive reassessments as needed. The goal is to understand whether the measures and controls implemented by you or your associates are still relevant to your risk posture.

To streamline ongoing reassessments, you can use a TPRM solution that enables you to keep a centralized vendor inventory. It will be easy to maintain, and you’ll have a bird’s-eye overview of your third parties and their risk profiles. The inventory should include data points such as:

  • Basic vendor information and business functions impacted
  • Risk information (which should ideally be quantified through a risk score)
  • Status updates and pending tasks (security reviews, audits, etc.)
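As an added illustration of how such an inventory can drive reassessments, the following Python example (written for this article, not Vanta’s code or anything prescribed by 45 CFR § 164.308) models the data points listed above and flags vendors that need attention: a PHI-handling vendor with no BAA on file, a vendor whose reassessment is overdue for its risk tier, and vendors with pending tasks. The field names, the 0–100 risk score, the tier thresholds and the per-tier review cadences are all assumptions, since the rule itself sets no frequency; the sample vendors are constructed.

```python
"""Hypothetical vendor-inventory checks for HIPAA third-party reassessments.

Constructed example. Field names, risk tiers and review cadences are
assumptions for illustration; HIPAA does not prescribe them.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed reassessment cadence per risk tier (days). The rule only says
# "ongoing", so each organization sets its own interval.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


@dataclass
class Vendor:
    """One row of the centralized vendor inventory (assumed schema)."""
    name: str
    business_functions: List[str]      # your processes that depend on this vendor
    accesses_phi: bool                 # does the vendor create, receive or hold PHI?
    risk_score: int                    # 0-100, higher is riskier (assumed scale)
    baa_signed: Optional[date]         # None means no BAA on file
    last_review: Optional[date]        # None means never reviewed
    open_tasks: List[str] = field(default_factory=list)


def risk_tier(score: int) -> str:
    """Map a numeric risk score to a tier (thresholds are assumptions)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def review_due(vendor: Vendor, today: date) -> bool:
    """A vendor never reviewed is always due; otherwise compare against its tier's cadence."""
    if vendor.last_review is None:
        return True
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(vendor.risk_score)])
    return today - vendor.last_review >= interval


def findings(vendor: Vendor, today: date) -> List[str]:
    """Return the list of issues for one vendor (empty list means nothing to do)."""
    out: List[str] = []
    # 164.308(b)(1): a business associate with PHI access needs a BAA.
    if vendor.accesses_phi and vendor.baa_signed is None:
        out.append("no BAA on file")
    # 164.308(a)(8): periodic reassessment of the associate's safeguards.
    if review_due(vendor, today):
        out.append(f"reassessment overdue ({risk_tier(vendor.risk_score)} tier)")
    # Pending security reviews, audits, etc. tracked in the inventory.
    if vendor.open_tasks:
        out.append(f"{len(vendor.open_tasks)} open task(s): {', '.join(vendor.open_tasks)}")
    return out


def inventory_report(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Findings for every vendor in the inventory, keyed by vendor name."""
    return {v.name: findings(v, today) for v in vendors}


def vendors_needing_attention(vendors: List[Vendor], today: date) -> List[str]:
    """Sorted names of vendors with at least one finding."""
    return sorted(name for name, issues in inventory_report(vendors, today).items() if issues)


# Constructed sample inventory (not real vendors).
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Acme Billing", ["claims processing"], True, 82,
           date(2023, 1, 15), date(2024, 1, 10), ["SOC 2 report review"]),
    Vendor("Shredco", ["records disposal"], True, 35, None, date(2024, 3, 1)),
    Vendor("OfficeSupplies Inc", ["procurement"], False, 10, None, date(2023, 11, 1)),
    Vendor("CloudHost", ["EHR hosting"], True, 55, date(2022, 6, 1), None),
]

if __name__ == "__main__":
    for name, issues in inventory_report(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {issues or 'ok'}")
```

The report separates the two distinct obligations the article covers: a missing BAA is a contractual gap that exists regardless of review cadence, while an overdue reassessment depends on the tier you assign from the risk score, so raising a vendor’s score automatically shortens its review interval.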

6. 45 CFR § 164.308(b)(1): Business associate agreements

This paragraph governs a CE’s relationships with business associates. It emphasizes the need for a business associate agreement (BAA) that demonstrates an associate’s ability to safeguard PHI once a covered entity enters into a contract with them.

The main challenge with these assurances is extensive evidence collection and tracking of agreements. Demonstrating that sufficient protective measures are active requires gathering numerous data points, which can slow down your procurement process and may even overstretch security teams.

If you're looking to make your data-gathering workflow more efficient, start adopting technologies like TPRM software that can centralize the evidence and agreement gathering for you. You can also set up easy-to-track due diligence procedures through standardized questionnaires and analyze the results faster with the help of AI-powered review solutions available with platforms like Vanta. 

Ensure HIPAA compliance with Vanta

Vanta is a trust management platform that helps you automate compliance, manage risk, and prove trust. It comes with pre-built content for 20+ frameworks—including HIPAA—and provides end-to-end guidance to help you get compliant quickly.

With Vanta, you can automate the evidence collection necessary to demonstrate HIPAA compliance. You can also download Vanta’s HIPAA compliance checklist to help you get ready for your next security audit. These resources allow your security teams to shift their attention toward strategic initiatives like closing more deals.

Vanta also offers a Vendor Risk Management solution to help you meet specific HIPAA TPRM requirements with features such as:

  • Risk auto-scoring based on predetermined or custom parameters
  • Centralized vendor inventory and a comprehensive dashboard of data
  • Vanta AI to extract findings from security documentation to automate security reviews

Schedule a custom demo to learn more.
