Third-party Relationships and Your Confidential Data

Increased use of third-party vendors for applications and data processing services is a business model that is likely to continue, especially as organizations find it necessary to focus limited resources on core organizational objectives and contract out support services. Be sure to read the latest AHIA and Grant Thornton LLP White Paper: Third-party Relationships and Your Confidential Data to learn about the role internal audit should play in assuring risks are recognized and managed appropriately.

As the volume of electronic medical data has grown, so has the number of third-party custodians that handle it. Organizations increasingly rely on third parties for infrastructure, managed applications and data management. Navigating the changing rules governing these third parties has become more complex. Organizations now face the additional responsibilities and challenges of user access management, change management and data stewardship, even though they don't own the structure or directly manage the resources involved. The risk of these relationships is significant: third parties have been responsible for almost half of all data breaches.

Compounding these challenges are new federal requirements and continuously evolving state requirements for managing electronic protected health information (ePHI). Important changes that take effect Sept. 23, 2013, in the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule broaden the definition of a business associate, set new limits on how data may be used, redefine what constitutes a breach and establish new civil penalties for violation

We wish to thank the following individuals, without whom this resource would not be available:

Grant Thornton Project Team:

David Reitzel
Principal, National Leader, Health Care IT Advisory Services

Eric Wendler
Business Development Director

Donna Wachman
National Marketing Manager, Health Care

AHIA White Paper Subcommittee:

Mark Eddy, CPA
HCA Healthcare

Michael Fabrizius, CPA
Carolinas HealthCare System

Linda McKee, CPA (Board Liaison)
Sentara Healthcare

Glen Mueller, CPA (Chair)
Scripps Health

Mark Ruppert, CPA
Cedars-Sinai Health System

Debi Weatherford, CPA
Piedmont Healthcare

Additional Contributors:

We appreciate the support of numerous colleagues who assisted in the review of this document.

About Grant Thornton LLP
The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the US member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the United States, visit Grant Thornton LLP at