Simone Colgan Dunlap Quoted in Healthcare Risk Management Article About HIPAA Compliance with Third-Party Vendors

Media Mention

Simone Colgan Dunlap, national vice chair of the Quarles & Brady Health & Life Sciences Practice Group, shared her insight in a Healthcare Risk Management article about considerations for health care organizations as they seek to ensure HIPAA compliance in their work with third-party vendors.

Colgan Dunlap outlined several steps organizations should take to minimize their risk of violating federal and state laws. An excerpt:

It is important to note that different contracting and vendor oversight steps are triggered depending on the specific federal and state laws, says Simone Colgan Dunlap, JD, partner with the Quarles law firm in Phoenix, AZ. Therefore, a critical first step is to inventory data and identify the data that the vendor will create, receive, maintain or transmit on behalf of the organization. “If we are talking about a vendor in the context of HIPAA, the vendor in question is going to be a business associate — a person or entity that performs certain functions involving the use or disclosure of protected health information on behalf of a covered entity or an upstream business associate,” she explains.

To minimize the risk that an entity will be held responsible for the compliance errors of its business associate, Dunlap advises taking a few key steps. First, establish a formal privacy and data security vendor management process. “This process should involve conducting due diligence on vendors pre-engagement to assess the vendor’s ability to comply with HIPAA’s requirements and assess whether the vendor has the wherewithal — via assets and insurance — to make the entity whole in the event that the vendor creates liability as a result of a compliance mishap,” she says. “Note that HIPAA’s requirements related to security may shift significantly and be much more proscriptive if the proposed rule to modify HIPAA’s Security Rule is adopted. If the Proposed Rule is adopted, entities subject to HIPAA should reassess vendor relationships.”

Another common pitfall is insufficient upfront vendor diligence and monitoring, she says. Many vendors are willing to agree to rigorous contract terms but are not actually living up to these requirements, she notes.

“Related, failure to ask questions about a vendor’s subcontractor relationships is another source of liability that is often under-investigated,” Dunlap says. “A vendor may actually have a solid privacy and information security program, but their program is only as good as their weakest subcontractor.”

Resources

Originally published in Healthcare Risk Management, June 1, 2025 (Subscription required.)
