Procurement’s Guide to Vendor Risk Under HIPAA and DORA

Procurement teams face new compliance duties under HIPAA and DORA. Learn how to manage vendor risk, safeguard data, and embed resilience in supply chains.

Read Time: 3 Minutes
September 9, 2025

Louw du Toit (Vic)

Procurement has moved far beyond its traditional role of sourcing and contract negotiation. In today’s regulated industries, it is the first line of defence against third-party risk. Nowhere is this more evident than under two frameworks shaping vendor oversight on both sides of the Atlantic: the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and the Digital Operational Resilience Act (DORA) in the European Union.

Both regulations require that organisations manage the security and resilience of their third-party providers. For procurement teams, this means vendor risk is no longer just a due diligence exercise—it is a compliance obligation that directly impacts the organisation’s ability to operate securely and efficiently.

Vendor Risk Under HIPAA

HIPAA mandates that healthcare organisations safeguard protected health information (PHI), not only within their own walls but also across every vendor that touches that data. For procurement, this translates into three critical areas of responsibility:

  • Business Associate Agreements (BAAs): Every supplier handling PHI must have a BAA in place, establishing clear security obligations.
  • Minimum safeguards: Vendors must demonstrate strong technical and organisational measures, from encryption to access controls and audit logging.
  • Ongoing oversight: Risk assessments cannot be a one-off. Procurement must drive continuous monitoring and evidence collection.

Vendor Risk Under DORA

DORA, meanwhile, focuses on financial services but sets a precedent for ICT supply chain resilience across Europe. Procurement functions are tasked with ensuring that:

  • Critical third parties are identified and mapped across all ICT dependencies.
  • Resilience and recovery requirements are embedded into contracts.
  • Oversight mechanisms are enforceable, with rights for audit, reporting, and incident notification.

DORA moves procurement from transactional buying to long-term vendor governance, with regulators expecting contracts to carry operational resilience clauses aligned to supervisory standards.

The Common Thread

Despite differences in geography and industry, HIPAA and DORA converge on a central principle: risk cannot be outsourced. Vendor oversight must be embedded at every stage of the supplier lifecycle, from selection and contracting through monitoring and eventual offboarding.

Both frameworks underline the importance of:

  • Clear contractual accountability.
  • Continuous monitoring and assurance.
  • Procurement as a strategic partner to compliance, security, and risk teams.

The Procurement Advantage

Procurement teams that embrace these responsibilities will move beyond compliance to deliver real business value. By embedding risk management into procurement strategy, organisations strengthen resilience, protect sensitive data, and build stakeholder trust.

In a regulatory landscape defined by HIPAA, DORA, and their inevitable successors, procurement is no longer just about cost and efficiency. It is about safeguarding the enterprise itself.