
Breach analysis · Patient Protect

Vendor risk management when state regulators are watching: third-party accountability under HIPAA and beyond

Vendor risk management in healthcare isn't a one-time checkbox—it's an ongoing control obligation that state and federal regulators are actively enforcing with seven-figure penalties.

Patient Protect Research · May 4, 2026 · First reported in HIPAA Pulse

The control gap

Third-party and supply-chain risk represents one of the most consequential—and most undermanaged—control gaps in healthcare compliance. When protected health information flows through a vendor's platform, the covered entity retains accountability for the security of that data, regardless of where the technical failure originates. The principle is embedded in HIPAA's business associate framework and, as recent state enforcement has confirmed, amplified by state cybersecurity regulations that impose their own independent requirements. A $2.25 million NYSDFS settlement with Delta Dental—stemming from the 2023 MOVEit file-transfer campaign that exposed data on more than 7 million patients—illustrates exactly what happens when vendor risk is treated as a contractual formality rather than an active control program. (First reported in HIPAA Pulse: https://hipaapulse.com/nysdfs-settles-with-delta-dental-for-2-25-million-over-moveit-data-c4a343c1)

The Delta Dental action is notable because the vulnerability originated in a third-party software product, not in Delta Dental's own systems—yet regulators assigned accountability to the covered entity for the security posture of that vendor relationship. That same logic applies to every practice routing patient data through a billing platform, clearinghouse, or file-transfer service.

The HIPAA Security Rule provision in play

§164.308(a)(1)(ii)(A) — Risk Analysis requires covered entities to identify risks to ePHI across all systems, including those operated by vendors. §164.308(b)(1) — Business Associate Contracts requires enforceable security obligations in every BAA. §164.314(a)(1) extends those obligations to the business associate tier directly. OCR has cited inadequate risk analysis as a finding in the majority of its settlement actions—and the NYSDFS framework under 23 NYCRR 500 operates independently, adding a parallel enforcement layer for entities subject to state insurance or financial services regulation.

How Patient Protect addresses this

  • BAA Management / Vendor Risk Scanner tracks every business associate relationship, flags missing or expired agreements, and documents the security baseline established for each vendor—so "we have a BAA" becomes "we have a current, reviewed BAA with documented controls."
  • Security Risk Assessment (SRA) explicitly surfaces third-party and supply-chain risk as a scored category, producing the documentation regulators expect to see when they ask whether vendor risk was part of your periodic analysis.
  • Information Systems Inventory maps which vendors hold or transmit ePHI and under what conditions—the data-flow visibility that makes meaningful vendor oversight possible.
  • Autonomous Compliance Engine recalculates your compliance posture continuously as your vendor roster changes, flagging gaps that emerge between annual reviews.
  • Event Log maintains an auditable record of compliance activity, supporting the documented review cycle that regulators look for when assessing whether vendor oversight was treated as an ongoing program.

Practical next steps

  • Audit every active BAA this week: confirm it includes specific, enforceable security requirements beyond generic compliance language.
  • Request security documentation from your highest-risk vendors—billing platforms, clearinghouses, file-transfer services—including patch cadence and vulnerability management practices.
  • Add third-party risk as a named category in your next Security Risk Assessment, with vendor-specific findings and response timelines.
  • Set calendar reminders tied to contract renewal dates to trigger a documented vendor security review at each cycle.
  • Monitor state regulatory guidance if your practice operates under any state insurance or financial services license—your obligations may exceed HIPAA's federal baseline.


This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.