HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

How outsourcing healthcare services could lead to HIPAA violations

Written by Kirsten Peremore | Jan 12, 2025 1:20:16 AM

Organizations may choose to outsource for several reasons, including the need to reduce costs, access specialized skills, and improve scalability in response to fluctuating patient volumes. However, outsourcing carries inherent risks that could lead to a HIPAA violation, particularly when the outsourced processes are not covered by the organization's business associate agreement (BAA).


Checklist for validating the vendor

  1. Clearly outline the services you expect from the vendor.
  2. Obtain essential documents such as business licenses, incorporation papers, and organizational charts.
  3. Review the vendor's financial reports and audit history to ensure they are financially sound.
  4. Check for compliance with data protection regulations and review their cybersecurity policies.
  5. Investigate any past violations or breaches related to HIPAA or other regulations.
  6. Research the vendor’s reputation and history in the industry, including references and case studies.
  7. Assess the credentials and training of the vendor's staff who will handle sensitive information.
  8. Ensure that a BAA is in place to define responsibilities regarding PHI handling.
  9. Implement ongoing monitoring of the vendor’s compliance and performance metrics.
  10. Schedule periodic audits to ensure continued compliance with HIPAA and other relevant regulations.
  11. Be alert for any warning signs during the evaluation process, such as lack of transparency or inadequate documentation.
  12. Keep thorough records of all due diligence activities for accountability and future reference.


The real-life risk of outsourcing healthcare services

A lawsuit filed by All American Homecare/Glidedowan, LLC in January 2025 argues that the New York State Department of Health's (DOH) plan to require homecare agencies to provide customer data lists violates federal healthcare privacy laws. A central claim in the lawsuit is that, under HIPAA, prior written consent from healthcare customers is required before any identifiable information is disclosed. The court has issued a temporary restraining order preventing the DOH from enforcing this requirement.

This case shows how outsourcing can lead to compliance risks if safeguards are not established. The transition to a single fiscal intermediary, Public Partnerships, LLC (PPL), raises concerns among advocates about protecting sensitive patient information. Critics argue that the rushed nature of this transition could compromise vital services and force companies to share consumers' protected health information (PHI) in potentially illegal ways.


FAQs

What are the potential violations arising from the use of third-party vendors?

Failing to thoroughly assess a vendor’s security practices can lead to partnerships with organizations that do not have proper safeguards in place, increasing the risk of data breaches. Not entering into a BAA with vendors who handle PHI can also result in liability for any HIPAA violations committed by those vendors.


What is the role of business associate agreements in vendor management?

BAAs outline specific security measures that business associates must take to safeguard PHI. This ensures that they remain accountable for their handling of sensitive data.


What is the difference between business associates and subcontractors?

Business associates are third-party vendors that perform functions or activities on behalf of a covered entity involving the use or disclosure of PHI. If a business associate hires another company to assist in handling PHI (e.g., a cloud service provider used by an IT vendor), that company is considered a subcontractor.