In his monthly blog post for, Mac muses about the healthcare industry’s management of its business associates and third-party vendors calling for greater due diligence, management and oversight of these relationships. This is a call to action for the industry and a wake-up call for those third-party organizations that serve our industry.

Is it time for greater due diligence and management of third-party vendors in healthcare? It certainly seems so, but why hasn’t healthcare embraced what is standard practice in the banking industry and others, particularly in the face of recurring incidents that end up in the headlines? A colleague recently asked a group, “How many of you remember a recent breach involving a Business Associate? Raise your hand.” Then he asked, “How many of you remember the hospital involved? If so, keep your hand up.” Most hands remained up. Then he asked, “How many of you remember the name of the vendor involved? Keep your hands up.” Most hands dropped. Time and again this scenario repeats itself. While the vendors involved may eventually be the ones held accountable, the reputational damage is done. You’d think that would be enough. Seriously though, it’s not the most important reason. More important is the responsibility that covered entities have to the people they care for. Performing due diligence on vendors prior to turning over patient information, and managing that relationship afterwards, should be a mandatory requirement. Business Associate agreements in and of themselves are not enough.

There are many examples that speak directly to the need for better vendor management. One recent high-profile incident involving Stanford Hospital and Clinics reportedly saw the medical records of a large number of patients exposed for more than a year on a public website, where they had been put by a Business Associate’s subcontractor. In the many articles covering this incident, the subcontractor has remained unnamed, the Business Associate is mentioned somewhere in the article, and Stanford Hospital has had to endure the headline over and over again. The investigation into this incident has not yet been finalized, so we’ll have to wait to know the whole story, but if the subcontractor alluded to in each article is indeed responsible for the compromise, then Stanford Hospital has been an unfortunate victim. Or has it?

Another recent revelation, for another hospital, came when a considerable amount of patient information that had been shared with a vendor turned out to have been transferred to a subcontracted cloud vendor without the hospital’s knowledge or permission. When the hospital inquired about that relationship and the security of that vendor, it was less than impressed with some of the answers it received. Again, was it a victim, or not?

And last, but not least, the breach everyone has certainly heard of by now: 4.9 million patient records belonging to Tricare were potentially compromised due to the mishandling of backup tapes, tapes that were not encrypted, by its business associate SAIC. Again, while it appears the contractor mishandled the information, the decision not to encrypt and the decision to permit this process of data transfer were ultimately the responsibility of Tricare.

If these hospitals, and others like them who have suffered unfortunate surprises, have relied on a Business Associate Agreement as their sole protection, and more importantly as the sole protection of their patients’ privacy, then the term victim might not be appropriate. There are excellent examples of vendor management models for security that covered entities can employ to aid in the vendor selection process, to incorporate security measures in contracts, and to handle vendor oversight and contract termination. Some healthcare entities have incorporated more rigorous vendor security management practices, but not enough of them. Hopefully the updated HIPAA Security Rule (due out this year), which is supposed to include more guidance regarding Business Associates, will make due diligence and vendor management practices obligatory requirements. Do we actually need the Federal Government to tell us to do what common sense tells us we should already be doing?