
HIPAA and the Risks with Contractors


Most public, private and governmental entities are well aware of their responsibilities, as covered entities, to protect health records and certain personal information. They have identified their areas of risk and have put systems and processes into place to mitigate the risks and potential threats to the security of protected health information (PHI) within their organization. What they may not have considered, however, is the impact on their risk when they outsource business and program processes to third-party vendors.

A covered entity’s risk increases when it uses a third-party vendor for any service that includes transmission, processing, or storage of PHI. In these common business relationships, the covered entity needs to understand how the vendor is mitigating the risks to the PHI. It also needs to be aware of whether the vendor is itself outsourcing some of its responsibilities or using contractors. The covered entity should have written representation from its vendors identifying these controls and who will have access to the PHI. It should also require the vendor to report any breaches of the security of the PHI.

For the controls identified by the third-party vendors, the covered entity should determine whether these appear to be sufficient to mitigate the risks to PHI. Then, the covered entity should perform tests of those controls to gain assurance that they are in place and functioning as designed.

If you are concerned about the HIPAA-related risks your organization may have with third-party vendors, contact the professionals at Mercadien, who possess vast experience in assessing risks and testing controls, at (609) 689-9700 or

The co-author of this article, Bryan Screws, is a former employee of Mercadien.