
PART 2 – HIPAA Benchmark Survey Insights: Managing Third-Party Relationships, Emerging Technologies, and Data Sharing Risks

This blog is the second installment in our Health Insurance Portability and Accountability Act (HIPAA) Benchmark Survey series, where we explore key findings and practical takeaways from the 5th Annual HIPAA Benchmark Survey webinar. In Part 1, we examined workforce training, policies, and employee behavior. In Part 2, we turn our focus to vendor management, Business Associate relationships, and emerging risks related to data sharing and artificial intelligence (AI).

Managing vendors and third-party relationships continues to be a major focus for HIPAA compliance programs. During the webinar, we received several questions about handling data requests, managing Business Associate relationships, and addressing evolving risks such as AI. As technology evolves, so do the risks facing compliance programs. Organizations are not only navigating traditional vendor management challenges but also adapting to new complexities introduced by emerging technologies.

Below are practical approaches to these key areas.

Q: What is the current process for handling vendor requests for de‑identified data, including where responsibility sits between privacy, compliance, and contracting?

A: Under HIPAA, there is no single prescribed “current process” for handling vendor requests for de-identified data. Instead, organizations design their own workflows around the U.S. Department of Health and Human Services (HHS) de-identification standards. In most organizations this is a cross-functional effort involving the privacy, compliance, and legal or contracting teams. In some cases, the privacy function may manage the process end-to-end, since HIPAA does not prescribe specific roles for vendor management; it only requires that the de-identification requirements are met.

Typically, data requests should first be reviewed to determine whether the data qualifies as de-identified, as opposed to protected health information (PHI) or a limited data set. The privacy function then ensures the data is properly de-identified using either the Safe Harbor method or an Expert Determination, where a qualified expert documents that the risk of re-identification is very small. Privacy may also validate that there is no actual knowledge the data could be used to identify individuals and that internal policies are followed. Finally, contracting or legal may apply data use agreements or other safeguards, even though they are not required for de-identified data, to manage downstream risk.

Q: Who are the best operational owners of a Business Associate relationship when it comes to monitoring privacy compliance?

A: From a best practice perspective, identifying which vendors must sign a Business Associate Agreement (BAA) should be a shared responsibility across the contracting/procurement, legal, and privacy functions. The most effective operational owner of a BAA relationship, responsible for ensuring the vendor complies with its terms, is the individual who works most closely with that vendor day to day. That individual must be empowered by the organization to oversee the vendor and must understand the terms of the BAA and the HIPAA Privacy and Security regulatory requirements well enough to confirm the vendor is meeting them. In compliance terms, this individual monitors the vendor for compliance with the BAA. At the same time, the Privacy Official should retain oversight responsibility, including auditing or reviewing vendor performance against BAA requirements.

Q: Are compliance officers concerned that AI tools may unintentionally disclose PHI?

A: AI is going to be a part of our everyday professional lives. The challenge is having strong safeguards in place to ensure patient information is not disclosed without proper authorization. Compliance teams are concerned that using AI could inadvertently expose and disclose patient information, and many public AI tools are not set up to meet HIPAA regulatory requirements. Current industry best practices are to use AI only within approved, HIPAA-compliant platforms, to ensure vendors have proper agreements in place, to assess AI-related risks, and to train staff never to enter PHI into unauthorized tools.

Effective vendor management processes, clearly defined BAA ownership, and proactive AI risk management are all critical to maintaining HIPAA compliance in an increasingly complex and technology-driven environment. In Part 3 of this series, we will turn to risk management, auditing, ongoing compliance, and breach response.

For more information on this topic, contact [email protected] and [email protected].

About the Author

Robbi-Lynn Watnik is an attorney who is Certified in Healthcare Privacy Compliance (CHPC). She has over 35 years of experience in health care policy, with a special focus on health care compliance and privacy over the last 25 years. Ms. Watnik conducts research and analysis of, and provides guidance on, federal regulations around privacy, security, and government health care programs. She has been engaged several times to serve as a Designated Compliance Officer.
