Assessing when a Vendor’s Security Incident Is a Breach

4:15pm - 5:15pm Tuesday, February 12
Orlando - Orange County Convention Center


OCR reported third-party vendors to be the cause of, on average, 15 percent of all large breaches of protected health information (PHI). But the data show that these incidents tend to affect a disproportionate number of individuals, because they often involve information systems that handle large volumes of PHI belonging to many HIPAA covered entities. In this session, a former OCR regulator and an experienced healthcare CISO will evaluate how to look beneath the surface when a third-party vendor experiences a security incident and will share best practices for surviving such an incident. They will draw on their experience in evaluating and assessing vendor security incidents to determine how much information is needed to assess the risk of data compromise. The speakers will guide participants in applying a HIPAA lens, as well as other health information privacy rules, to determine what is a reportable breach, who must be notified by whom, and when it must be reported.

Learning Objectives: 

  • Define how covered entities can determine whether a reportable breach occurred at a business associate, and outline the roles that privacy, compliance, security, in-house counsel, and outside consultants and advisers should play
  • Identify the questions that covered entities need to ask their business associates to determine the root cause of a security incident, assess how much information is needed to determine the risk of data compromise, and analyze how to evaluate the vendor's self-assessment
  • Interpret these questions through scenarios by applying a HIPAA lens as well as the patchwork of state health information privacy rules, to form a complete picture of what is a reportable breach, who must be notified by whom, and when it must be reported


Chief Information Security Officer,
University of Iowa
Vice President, Compliance Strategies,