Getting your supply chain right


We’ve never shied away from expressing our issues with the HIPAA laws. The truth is, they’re a good start, but it’s difficult for a legislative process to keep upVendor business associate agreement with the pace of change in an area like technology, and it’s painfully obvious in the case of healthcare. To overcome this, we rely on the NIST Cybersecurity Framework for our testing and assessments, a more robust and detailed body of work. But while we can take issue with those areas, we can applaud their approach to vendor management. 

In the world of HIPAA compliance, vendor security behavior and expectations are managed through the Business Associate Agreement (BAA). The BAA is where your vendor acknowledges they are bound by HIPAA and as such, must meet the data management requirements it requires. In fact, while the BAA is required to be obtained by HIPAA Covered Entities (CE) from their appropriate vendors, this process would have value far beyond healthcare. If you are not bound by HIPAA but collect sensitive data, you should download a sample BAA and consider how it may be of value to you. 

The challenges with a BAA, however, are twofold. First, having a vendor sign off is helpful, but some vendors don’t adhere to the commitment. How do you, as a CE know? One way to check is to ask for a copy of their recent Risk Assessment as part of your vendor management process. Frankly, if you aren’t doing this, then you’re taking your vendor’s word for it, and that won’t protect you if things go wrong. Second, has your vendor required their vendors with access to your information to sign a BAA? While it may seem to manage your vendor’s sub-contractors is beyond your reach, if it’s your data they have access to, then you’re still on the hook. 

This is what supply chain management is all about when it comes to data security, and it can be applied to any organization.

However, while HIPAA provides a basic construct for vendor management, just getting the BAA back and signed doesn’t close the loop. You really need additional assurances that they’re doing what they have committed to. One of the simplest ways to do that is by asking for and obtaining a copy of their risk assessment. 

If you have any questions regarding vendor supply chain management, please feel free to give us a call.




If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.