
March 12, 2026

Vendor Compliance – Old Problem, New Risks

Written by Susan Lee Walberg, JD MPA CHC 

Compliance Officers are always stretched thin with many responsibilities, and those duties seem to constantly grow with each year and every new law or regulation. One of the more challenging areas to monitor is the compliance of our vendors and Business Associates.

I believe this is now more important than ever. Why? Because cybercrime, hacking, phishing, and impersonation schemes are rampant, and the cyber-crooks are now using AI to circumvent our (and our vendors') security measures.

How many times have we heard about a major breach, and the root cause was a failure to conduct a Security Risk Assessment or to apply patches or software updates in a timely manner? A failure of routine training is also often to blame. Over 60% of breaches are caused by Business Associates, so this is an area of risk that I believe needs more attention.

Over the years, I have found that prevention is the best cure. There are several steps we can take on the front end to reduce the risk of non-compliance during the term of the Agreement.

1.  Compliance needs to be at the table BEFORE arrangements are entered into. It's not unheard of, in a large health system, for the compliance officer to not even know about every joint venture or acquisition, but, when there's a compliance problem at that entity, they are on the hook. It's critical to build trust with leadership and educate them as to why Compliance needs to be at the table. We need to understand what the arrangement is about, why we are doing it, and who is paying what to whom. If Compliance isn't informed and engaged, some of these other steps likely won't happen.

2.  Due diligence is critical for new business partners. While the finance team reviews the balance sheet, Compliance needs to be reviewing the organization's compliance program, culture, and reputation. There should be a document list that Compliance reviews for acquisitions and partnerships, but even for contracted services, we want to take a peek and do some basic reviews.

  • Review their Compliance Plan (and how often it's been reviewed and updated)
  • Have a conversation with their compliance, privacy, and/or security officer to get a better sense of how they operate
  • Find out if they've been subject to any investigations
  • Run a List of Excluded Individuals and Entities (LEIE) OIG check
  • Ask to see their most recent Security Risk Assessment, if ePHI is going to be involved

Pay careful attention to any referrals that are considered as part of the contract. These are not only for physicians; the other party can also be an IT vendor or another provider of goods or services. There have been plenty of cases where companies, such as Electronic Medical Record (EMR) companies, have been found in violation of the Anti-Kickback Statute. Have an attorney review it if this isn't your area of expertise. The bottom line is to ask yourself whether the arrangement itself is appropriate.

Those are just some suggestions, but at least these activities would give you a sense of how much attention they pay to compliance. Also, it never hurts to do a basic Google search. If they aren't a new organization, and if they have any ethical or legal issues, you will likely find reviews on the Better Business Bureau site and/or sites where employees and customers can give a rating or review. That activity alone can speak volumes if the organization has a culture problem.

3. Contract provisions need to include compliance. Although bad actors sign contracts all the time, it still helps protect your organization and does show that you take compliance and ethics seriously. Some suggested provisions:

  • The vendor agrees to comply with all applicable laws, rules, and regulations, including the False Claims Act, Stark, HIPAA, and any others that are key for your business and the type of services.
  • The vendor agrees that you are allowed to audit their processes and records that pertain to the services under the contract
  • The vendor agrees that all their employees are checked for debarment and that none of their employees or contractors are disqualified from participating in government health care programs, and to notify you immediately if that changes.
  • The vendor agrees and attests that they have a compliance, privacy, and security program that meets or exceeds industry and regulatory standards, and that they maintain stringent security standards to protect the integrity of ePHI.
  • Breach notification and remediation procedures need to be detailed. How long after a breach is identified must you be notified? Who notifies clients? Review the breach response requirements under HIPAA and make sure you address those.
  • Data use is an important provision. Review your contract or Business Associate Agreement, keeping in mind that data is now as valuable as gold. Can your business partners sell your data? What if it's de-identified? Are you comfortable with them doing so, and does your agreed-upon rate take that into account? The advent of AI makes data much more valuable.
  • Adherence to all Medicare regulations, especially if this is a contract for any business office, documentation, coding, or record review service.

4. Training requirements are not optional. Privacy, Security, and Compliance training should be provided to the vendor's employees, or they can take training you provide, if you have that option. If they have their own program, it's totally acceptable to ask to see it. Ongoing data security training, in particular, is important due to the constantly evolving phishing and other schemes.

5. Make sure you have tight controls on granting access to your information. Your business partner can't just get one log-in that everyone uses. Unique user IDs and passwords for each individual should be a core requirement for data access; without them, an audit trail cannot tell you which person viewed a record.

Those are some key front-end steps. Once the agreement is in place, if the previous activities are completed there shouldn't really be a heavy load of monitoring, absent some incident or breach. Here are a few things to consider:

  • Stay in contact with the process/contract owner and ask how things are going. If there are problems, that person is likely the first to know. Make sure they know to call you if something starts to go sideways.
  • Conduct any audits or monitoring you included in the contract, if you're able to (it's a resource issue, for sure)
  • Send occasional surveys to your vendors inquiring about their compliance, privacy, or security measures. This at least lets them know you are paying attention.
  • Touch base with their compliance, privacy, or security officers
  • Monitor training logs, if they receive training from you (or ask them to provide that information)
  • Look them up online now and then to see if there are any new complaints out there.
  • Get an audit of what information their employees are viewing, and make sure it's appropriate.
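Two of the points above (step 5, unique user IDs rather than a shared log-in, and the last monitoring item, auditing what vendor staff actually view) are easier to act on if the access log is reviewed mechanically rather than by eye. The script below is an added example, not part of the original post; it assumes a simple comma-separated access log with one line per record view (timestamp, user ID, source address, patient record ID), and the log lines, the 10-minute window and the records-per-day threshold are constructed assumptions. It flags accounts that look shared (one ID used from two different sources within minutes) and users who viewed more distinct patient records in a day than the agreed threshold, which is exactly the evidence a compliance officer would bring to the vendor.

```python
"""Review a vendor's access log for shared log-ins and unusual record volume.

Added example (not from the original post). Assumes an access log with one
line per record view: "timestamp,user_id,source_ip,patient_record".
All thresholds and the sample log below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "vendor_shared" is used from three source
# addresses within a few minutes (a shared log-in); "asmith" views six
# patient records in one morning; "jdoe" is a normal user.
SAMPLE_LOG = """\
2026-03-02T08:01:00,vendor_shared,10.0.0.11,PT-1001
2026-03-02T08:02:30,vendor_shared,10.0.0.42,PT-1002
2026-03-02T08:03:10,vendor_shared,10.0.0.11,PT-1003
2026-03-02T08:03:40,vendor_shared,10.0.0.57,PT-1004
2026-03-02T09:00:00,jdoe,10.0.0.23,PT-2001
2026-03-02T09:05:00,jdoe,10.0.0.23,PT-2002
2026-03-02T14:00:00,jdoe,10.0.0.88,PT-2003
2026-03-02T10:00:00,asmith,10.0.0.31,PT-3001
2026-03-02T10:01:00,asmith,10.0.0.31,PT-3002
2026-03-02T10:02:00,asmith,10.0.0.31,PT-3003
2026-03-02T10:03:00,asmith,10.0.0.31,PT-3004
2026-03-02T10:04:00,asmith,10.0.0.31,PT-3005
2026-03-02T10:05:00,asmith,10.0.0.31,PT-3006
"""


def parse_log(text):
    """Parse the assumed CSV format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, record = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "record": record})
    return events


def find_shared_accounts(events, window=timedelta(minutes=10)):
    """Return user IDs seen from two different sources within `window`.

    A single person rarely switches machines within minutes; one ID used
    from several addresses at once is the signature of a shared log-in.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break          # later events are outside the window
                if b["src"] != a["src"]:
                    flagged.add(user)
                    break
            if user in flagged:
                break
    return flagged


def find_high_volume_users(events, max_records_per_day=5):
    """Return {user: most distinct records viewed in one day} for users
    whose daily count exceeded `max_records_per_day`."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["record"])
    over = {}
    for (user, _day), records in per_day.items():
        if len(records) > max_records_per_day:
            over[user] = max(over.get(user, 0), len(records))
    return over


def review_vendor_access(text, window=timedelta(minutes=10), max_records_per_day=5):
    """Run both checks over a log and return the findings for the vendor file."""
    events = parse_log(text)
    return {"shared_accounts": sorted(find_shared_accounts(events, window)),
            "high_volume_users": find_high_volume_users(events, max_records_per_day)}


if __name__ == "__main__":
    for key, value in review_vendor_access(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately parameters: the contract should state what "normal" volume looks like for the service being performed (a coding vendor legitimately views far more charts than a scheduling vendor), and the audit compares the log against that agreed number rather than a guess.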

Monitoring your vendors can seem like just one too many things to do, and most of the time you will find that there are no red flags. Most businesses try to do the right thing. But it's important to keep in mind how much of a risk they could pose to your organization, especially if they are handling patient information and/or billing functions. You don't want to be looking back and wishing you had done it and having to explain that to your leadership!

About the Author: Susan Lee Walberg, JD MPA CHC

Ms. Walberg is an author, attorney, and healthcare compliance consultant. She is available to help anyone work through these processes and provides a full range of compliance-related services and books, including serving as a fractional Compliance or Privacy Officer or in an interim role. She can be contacted by email at swalberg@compliancealacarte.com; find out more about her services and books on her website at susanwalberg.com or on LinkedIn.

Copyright © 2026 American Institute of Healthcare Compliance. All Rights Reserved.
