Third party HIPAA compliance refers to the obligations of vendors that are neither covered entities nor business associates to handle protected health information (PHI) according to HIPAA law.
Covered entities include healthcare providers, health plans, and healthcare clearinghouses, while business associates are individuals or companies that handle PHI in place of the covered entity. Third party entities fall outside these categories but may still interact with PHI in ways that may lead to HIPAA compliance issues.
Table of Contents
Examples of HIPAA Third Party Vendors
Health app developers, IT service providers, and software companies that indirectly engage with PHI on their platforms or services are considered HIPAA third party vendors. A patient using a mental health app developed by a third party, a platform designed for users to track mental health habits, is not considered a covered entity or business associate under HIPAA. The Compliancy Group says it’s considered a third party vendor.
Does HIPAA Apply to Third Party Vendors in Healthcare?
HIPAA does not automatically apply to third parties unless they fall under the definition of a covered entity, business associate, or subcontractor of a business associate. Suppose a patient chooses to share their health data with a third party app or service provider without the involvement of their healthcare provider. In that case, HIPAA protections do not extend to that data. In this scenario, the patient assumes the responsibility for any subsequent use or disclosure of their data by the third party.
However, when the third party entity provides services for a covered entity (e.g., an app that handles PHI and allows a patient and their provider to communicate), it becomes a business associate. This distinction is crucial because once the third party entity acts as a business associate, it must enter into a BAA and comply with HIPAA.
Also, third party vendors that handle PHI on behalf of a business associate are required to comply with HIPAA. For instance, a cloud service provider (CSP) that creates, receives, maintains, or transmits electronic PHI as a service to a business associate is considered a third party vendor. In this case, the Department of Health and Human Services says the CSP should enter into a HIPAA-compliant business associate agreement (BAA) with the business associate. In other words, all parties that handle, process, and store PHI must comply with HIPAA.
Before 2009, business associates and their subcontractors were indirectly regulated by HIPAA through the healthcare organizations they served. However, the HITECH Act changed this by making business associates and their subcontractors directly liable for HIPAA compliance. This requires third party vendors to follow HIPAA regulations. Failing to do so would subject them to enforcement actions, penalties, and fines for HIPAA violations, independent of the covered entity or business associate they serve.
Is Third Party HIPAA Vendor Risk Assessment Required?
HIPAA itself does not mandate HIPAA third party risk assessment. However, the HIPAA Security Rule requires covered entities and business associates to conduct regular risk assessments to identify and mitigate risks that may compromise PHI. This requirement indirectly impacts any third party HIPAA vendor risk assessment since healthcare providers must ensure that any vendor handling PHI complies with HIPAA.
5 Most Common Third Party HIPAA Compliance Risks
Third party vendors can introduce various compliance risks if they don’t have the proper safeguards in place. Here are the five most common:
1. Inadequate vendor vetting
Many healthcare organizations fail to thoroughly vet third party vendors before sharing PHI with them. Without due diligence, organizations may partner with vendors that lack the necessary security controls, which could lead to data breaches.
2. Failure to implement BAAs
A common mistake healthcare providers make is not entering into a BAA with a vendor that qualifies as a business associate under HIPAA. Business associates should also enter into agreements with their subcontractors. Without a contract, the covered entity or business associate may be held liable for any HIPAA violations caused by the vendor.
3. Lack of data encryption and secure transmission
Third party vendors may not prioritize data encryption. Failure to use proper encryption for data at rest and in transit increases the likelihood of data breaches, which could lead to huge penalties for healthcare providers.
4. Inconsistent security policies across vendors
Not all third party vendors follow industry-standard security practices. Inconsistencies in security policies can create vulnerabilities. Vendors without formalized security protocols or regular employee HIPAA training may expose healthcare organizations to unnecessary risks.
5. Limited monitoring and auditing of third party access
Even when a third party has access to PHI, many healthcare organizations do not monitor how that access is used. Without regular audits and monitoring, detecting potential misuse or breaches becomes difficult until significant damage has already been done.
Comply With HIPAA Third Party Risk Management
While third parties may not always fall directly under HIPAA’s regulatory umbrella, they still pose significant risks to the privacy and security of PHI. Healthcare organizations must proactively manage third party compliance through thorough HIPAA vendor risk assessments, BAAs, and continuous monitoring. Follow these steps to mitigate the risks associated with third party vendors and safeguard patient data.
Is your organization in need of a HIPAA-compliant fax solution?
iFax offers security and efficiency when faxing sensitive health documents. Why risk the safety of your faxes when there’s a safer way to do it fast and online?
Get a demo of iFax and see how it can help upgrade your faxing experience.
