Third-Party Risk Management and the Health Insurance Portability and Accountability Act (HIPAA): How OneTrust Vendorpedia Helps


Create workflows to automate HIPAA third-party risk assessments on your business associates to ensure that you safeguard protected health information (PHI), as well as electronic PHI (ePHI), and meet HIPAA’s Security and Privacy Rules.

Protecting PHI with Proper Third-Party Risk Management

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (i.e., health care providers, health plans, and health care clearinghouses) to safeguard the privacy and security of individuals’ PHI. As healthcare providers and other covered entities continue to outsource tasks to business associates, third-party risk management is a growing HIPAA compliance challenge.

Manage All Third-Party Risks in a Single Inventory

The administrative safeguards provisions of the HIPAA Security Rule require covered entities to perform risk analyses that identify potential risks to PHI and to implement measures that protect it. OneTrust Vendorpedia includes intelligent HIPAA questionnaire templates with built-in risk flagging to automate security and privacy assessments and streamline third-party risk management at scale. With Vendorpedia, your organization can assess whether its business associates have controls in place that ensure the confidentiality, integrity, and availability of ePHI and whether they have properly implemented administrative, technical, and physical safeguards.

Identify and Mitigate Potential Threats to PHI

Under the HIPAA Security Rule, detecting, documenting, and mitigating threats to PHI are key outcomes of third-party risk management. With intelligent assessments, out-of-the-box control frameworks, and drill-down reporting, OneTrust Vendorpedia helps healthcare organizations measure threats and prioritize and mitigate risks in a timely manner.

Track Key Contract Terms and Assurances

Contractual assurances are a critical aspect of HIPAA when working with business associates, because they commit the business associate to meeting HIPAA’s security standards. With OneTrust Vendorpedia, you can extract and report on key contract terms for all business associates to confirm that they have the appropriate administrative, physical, and technical safeguards in place, which enables your organization to establish and demonstrate a defensible third-party risk management program.

Manage Subcontractors in the Supply Chain

Risks to PHI extend past business associates to their subcontractors, who can introduce risk to your healthcare organization in turn. OneTrust Vendorpedia helps your third-party risk management team monitor changes to subcontractors and confirm that adequate contractual safeguards are extended and implemented throughout the supply chain.

Hold Vendors Accountable to Breach Notification Requirements

HIPAA requires business associates to notify covered entities in the event of a data breach. OneTrust Vendorpedia enables your organization to track breaches reported by business associates and ensure that the notifications contain the required content.

Looking to manage business associates and meet HIPAA compliance requirements?

Key OneTrust Vendorpedia HIPAA Compliance Functionality for Third-Party Risk Management

HIPAA Assessments

Out-of-the-box HIPAA assessments, with built-in risk flagging and automation rules, save your team time and reduce human error

Documentation & Reporting

Maintain records with dashboards and column reports to demonstrate HIPAA compliance with respect to business associates’ risks

Workflow Automation

Introduce consistency and accountability across stakeholders with custom workflows and audit trails to manage the third-party risk management lifecycle