Most people read a HIPAA settlement and look at the fine. I look at the affected-individuals count, because that is the number that tells you how much harm actually happened. In March of this year OCR settled with a Maryland software company, MMG Fusion, and the two numbers could not have been further apart: 15 million individuals affected, and a $10,000 penalty — one of the smallest financial penalties OCR has ever imposed.

OCR was candid about why the penalty was so low. They considered the company’s financial position. So do not read that $10,000 as the price of exposing 15 million people’s health information. Read it as a fluke of one company’s balance sheet. The harm was enormous; the company simply could not pay what the harm was worth. I have been doing this work for three decades, in healthcare and on the federal side, and that gap between harm and penalty is exactly the kind of thing that makes me push clients to think harder about their vendors.

The part everyone skips: the vendor is a workforce too

MMG Fusion was a business associate. Its software received protected health information from covered entities and communicated directly with their patients. And here is the uncomfortable thing I have to say to a lot of healthcare organizations: you spend real effort on HIPAA training for staff, and then you hand a firehose of PHI to a vendor whose workforce you have never thought about for one second.

A business associate agreement is a piece of paper. It allocates liability. It does not train a single human being at the vendor to recognize a phishing email or handle PHI correctly. When I assess an organization’s real exposure, I have learned to follow the data out the door — to the billing service, the software platform, the transcription company, the third-party administrator — and ask the question nobody wants to answer: is anyone providing HIPAA training for employees over there?

Often the honest answer is that the vendor’s own people are exactly as under-trained as the covered entity’s people were before someone got serious. The PHI does not get safer just because it crossed an organizational boundary. If anything, it gets riskier, because now two sets of human beings can leave the front door unlocked.

Why this is a training problem before it is a contract problem

Lawyers love to solve the vendor problem with contract language, and I am not knocking good contracts. But I have watched enough breaches unfold to know that the BAA never stopped a single phishing click. The control that actually reduces the risk is the same one it always is: HIPAA workforce training that ensures people know what they are handling and how to handle it.

If you run a business associate, whether a software shop, a billing company, or a clearinghouse, the obligation to train your people is yours, directly. You are regulated under HIPAA in your own right. And if you are a covered entity sending PHI to one of these vendors, you have every reason to ask whether their workforce is trained, because OCR has made clear that a covered entity can be on the hook when it knew of a pattern of noncompliance by a business associate and did not take reasonable steps to address it.

Making it actually happen

Here is where the economics matter, and where I have changed my own advice over the years. Vendors under-train for the same reason everyone under-trains: someone decided it was too expensive to cover the whole staff. A small software company looks at per-seat training pricing and quietly trains the obvious people.

That is solvable now. Bulk HIPAA training that lets you train your entire team for as little as $20 takes the cost excuse off the table for a vendor of almost any size. Affordable HIPAA training for organizations is not just for hospitals. Baseline training, and annual HIPAA training for employees after it, is arguably more important for the lean business associate that is handling millions of records with a small team and a thin budget.

For a business associate, the free starting point matters too. I routinely point smaller vendors to the free training at HIPAA Training US to get a baseline across their whole staff immediately, because there is no reason for a single person at a company touching PHI to be sitting untrained while leadership shops for a fancier program.

The roles vendors forget

Business associates have edge roles too, and they forget them in the same predictable ways. A medical billing company often contracts couriers or runners to move documents. A software vendor brings on people brand new to healthcare who have never heard the phrase “protected health information” in their lives. Both need training built for what they actually do.

  • New-to-healthcare hires at a vendor benefit from live beginner training far more than from a video they click through at 2x speed
  • Anyone moving physical PHI between sites needs courier-specific training, because their risks live in a parking lot, not at a desk
  • Everyone with email needs ongoing security awareness training, because the vendor’s inbox is just as much a front door as the covered entity’s

Prove it, on both sides of the agreement

When I help a covered entity tighten up vendor oversight, documentation cuts both ways. The vendor should be able to produce training records on demand, and the covered entity should be keeping evidence that it asked. I keep completion records for everyone, and for the people who hit real milestones I will hand them a framed certificate — partly as recognition, partly because a visible artifact of a trained workforce is a small but real signal to clients and auditors that this is taken seriously.

What the 15 million should teach us

I keep coming back to that number. Fifteen million people had their information exposed by one vendor, and the system extracted ten thousand dollars in response. You cannot rely on the penalty to be the deterrent, because the penalty is whatever the violator happens to be able to afford. The only real protection is upstream: train the people — yours and your vendors’ — before the data is ever at risk.

The vendor problem is not exotic and it is not unsolvable. It is the same workforce-training problem we already know how to fix, just sitting on the other side of a contract where it is easy to ignore. Stop ignoring it. The data went out your door; your responsibility for it did not.