Secure Your Data: Vendor Due Diligence

Sandy Weitz, MD, advises physicians to include a security analysis as part of their vendor due diligence to secure a practice's protected health information.

We regularly research vendors before we engage them to provide any service or product. After all, you wouldn’t hire them without knowing anything about them. And when you run a private medical practice, you are responsible for protecting your patients’ protected health information (PHI). Therefore, your due diligence needs to include a security analysis of the proposed vendor.


Due Diligence

The goal of due diligence is to determine that the vendor you are considering is financially solvent, legal, and trustworthy. Due diligence is when you evaluate the other party before entering into an agreement by collecting as much data as you can.


Due Diligence and HIPAA

The Department of Health and Human Services (HHS) has established the Business Associate Agreement (BAA) as the legal document to be signed in conjunction with a service level agreement (SLA) or contract. The SLA simply defines the scope of the service. The BAA states that the vendor, your Business Associate (BA), agrees to safeguard your protected health information. In the strictest sense, the BAA between your practice and a vendor is sufficient.

When a BA causes a HIPAA breach, they bear the liability. But you, as the covered entity, are still responsible for addressing the breach. And although a BA is supposed to have policies and procedures in place to prevent a breach, they still occur. Therefore, you will want to go beyond just signing a BAA as your due diligence. You need to take steps to determine whether your BAs will meet the HIPAA security requirements.


A Pre-Contract Vendor Security Survey

A security survey can give you invaluable insight into whether a vendor can meet your security expectations. Here are some of the pre-contract questions that you should ask:


  1. Verify that the vendor is correctly representing themselves.
  2. Is the vendor financially sound? Do they have outstanding debts or other significant liabilities? How robust are their revenue streams?
  3. Evaluate the vendor’s reputation: Ask for references. Read publicly available reviews. Ask your colleagues.
  4. Where will your data be housed?
  5. Does the vendor conduct a security risk analysis? When was the last time the vendor completed a security risk analysis?
  6. When was the last time the vendor trained their employees on HIPAA? What is their training process?
  7. What security safeguards does the vendor have in place to protect PHI?
  8. What policies and procedures does the vendor have in place, and are employees following them?


A security issue can have significant financial consequences for your practice. Going the extra step to understand how a vendor will prevent unauthorized access to your PHI is a worthwhile investment.


Do An Exclusion Search

An exclusion search can help you determine whether a vendor has been excluded from participating with federal healthcare organizations because of illegal or fraudulent behavior.

Check these exclusion lists:

  • List of Excluded Individuals and Entities (LEIE)

The Office of Inspector General maintains this list of individual providers and entities excluded for Medicare or Medicaid fraud, patient abuse or neglect, felony convictions for healthcare-related fraud, theft, or other financial misconduct, and felony convictions for unlawful manufacturing, distribution, prescription, or dispensing of controlled substances.

There’s a monetary penalty for entering a contract with an entity on the LEIE. In addition, some states maintain their own exclusion list prohibiting entities from participating in state government-run programs.

  • Centers for Medicare and Medicaid Services (CMS) Preclusion List

The CMS preclusion list prohibits prescribers, individuals, or entities from receiving payment for Medicare Advantage items or services or Part D drugs furnished or prescribed to Medicare beneficiaries for one to three years.

  • System for Award Management (SAM)

SAM is a website that lists all companies registered to do business with the federal government. Use SAM to determine whether a vendor has been suspended or debarred.


Key Takeaway:

Protecting your practice against a HIPAA breach requires doing more than simply signing a BAA. Before you entrust your protected health information to a BA, you will want to do a thorough assessment of the potential vendor.
