Secure Your Data: Vendor Due Diligence

Sandy Weitz, MD, advises physicians to include a security analysis as part of their vendor due diligence to secure a practice's protected health information.

We regularly research vendors before we engage them to provide any service or product. After all, you wouldn't hire them without knowing anything about them. And when you run a private medical practice, you are responsible for protecting your patients' protected health information (PHI). Therefore, your due diligence needs to include a security analysis of the proposed vendor.


Due Diligence

The goal of due diligence is to determine that the vendor you are considering is financially solvent, legal, and trustworthy. Due diligence is the evaluation of the other party before you enter into an agreement, collecting as much data about them as you can.


Due Diligence and HIPAA

The Department of Health and Human Services (HHS) has established the Business Associate Agreement (BAA) as the legal document to be signed in conjunction with a service level agreement (SLA) or contract. The SLA simply defines the scope of the service. Under the BAA, the vendor, your Business Associate (BA), agrees to safeguard your protected health information. In the strictest sense, the BAA between your practice and a vendor is sufficient.

When a BA causes a HIPAA breach, they bear the liability. But you, as the covered entity, are still responsible for addressing the breach. And although a BA is supposed to have policies and procedures in place to prevent a breach, breaches still occur. Therefore, you will want to go beyond just signing a BAA as your due diligence. You need to take steps to determine whether your BAs will meet the HIPAA security requirements.




A Pre-Contract Vendor Security Survey

A security survey can give you invaluable insight into whether a vendor can meet your security expectations. Here are some of the pre-contract questions that you should ask:


  1. Verify that the vendor is correctly representing themselves.
  2. Is the vendor financially sound? Do they have outstanding debts or other significant liabilities? How robust are their revenue streams?
  3. Evaluate the vendor's reputation: Ask for references. Read publicly available reviews. Ask your colleagues.
  4. Where will your data be housed?
  5. Does the vendor conduct a security risk analysis? When was the last time the vendor completed a security risk analysis?
  6. When was the last time the vendor trained their employees on HIPAA? What is their training process?
  7. What security safeguards does the vendor have in place to protect PHI?
  8. What policies and procedures does the vendor have in place, and are employees following them?


A security issue can have significant financial consequences for your practice. Going that extra step to understand how a vendor will prevent unauthorized access to your PHI is a worthwhile investment.


Do An Exclusion Search

An exclusion search can help you determine whether a vendor has been excluded from participating with federal healthcare organizations because of illegal or fraudulent behavior.

Check these exclusion lists:

  • List of Excluded Individuals and Entities (LEIE)

The Office of Inspector General maintains this list of individual providers and entities excluded for Medicare or Medicaid fraud, patient abuse or neglect, felony convictions for healthcare-related fraud, theft, or other financial misconduct, and felony convictions for unlawful manufacturing, distribution, prescription, or dispensing of controlled substances.

There’s a monetary penalty for entering a contract with an entity on the LEIE. In addition, some states maintain their own exclusion list prohibiting entities from participating in state government-run programs.

  • Centers for Medicare and Medicaid Services (CMS) Preclusion List

The CMS preclusion list prohibits prescribers, individuals, or entities from receiving payment for Medicare Advantage items or services or Part D drugs furnished or prescribed to Medicare beneficiaries for one to three years.

  • System for Award Management (SAM)

SAM is a website that lists all companies registered to do business with the federal government. Use SAM to determine whether a vendor has been suspended or debarred.


Key Takeaway:

Protecting your practice against a HIPAA breach requires doing more than simply signing a BAA. Before you entrust your protected health information to a BA, you will want to do a thorough assessment of the potential vendor.

