Connect

With more than 15,000 vendors supporting UVA Health, effective oversight is critical. 

That’s why earlier this year, teams across the organization launched the Third-Party Vendor Oversight and Management Project, a systemwide initiative to simplify, standardize, and strengthen how we work with third-party service providers — commonly known as vendors. 

Recent audits uncovered gaps in UVA Health’s vendor oversight. Without clear policies or consistent procedures, we lacked a reliable way to track IT service providers, assess risk levels, or confirm whether vendors and their subcontractors had the right security controls in place. 

Recognizing these vulnerabilities, UVA Health leadership tasked a multi-disciplinary project team, led by Health Information and Technology (HIT) and Procurement, to identify the most critical gaps and build a plan to close them by the end of June. A key focus of this work is ensuring our data, and the data of our patients, is secure and properly managed across all third-party partnerships. 

To demonstrate progress and readiness, the team will participate in a mock audit in June, ahead of an official audit scheduled for later this summer. 

Why It Matters 

Patients trust UVA Health to safeguard their private information. That trust is foundational, and so is the health system’s responsibility to ensure vendors uphold the same high standards we abide by at UVA Health.  

"Every time we work with a third-party vendor, we extend the perimeter of our digital footprint. This project ensures that extension is secure, standardized, and supports the trust our patients place in us every day," explains Chris Baker, Chief Information and Security Officer, HIT. 

The Vision: Smart, Secure, Seamless Oversight 

The project aims to create a system that is: 

• Predictable — standardized, clear processes across all UVA Health entities  
• Efficient — reducing manual work and increasing automation 
• Compliant — fully meeting audit and regulatory requirements 

What This Means for You 

The Third-Party Services Providers Oversight Policy will be effective across the Health System on July 1 and will outline the changes impacting current and future business contract owners.  

While many contract owners already maintain strong vendor relationships, monitor performance, and stay connected to their primary business contacts, what’s changing is the need for greater transparency and consistency in how this information is documented and shared. 

Previously, there wasn’t a defined platform or clear directive for documenting these details beyond the needs of individual teams. Moving forward, we’ll be asking contract owners to not only maintain these standards but also ensure documentation is accessible and aligned with broader organizational processes. 

In addition, a new area of focus will be around contract closure. Contract owners may not be fully aware of the responsibility to ensure all data is returned and properly destroyed when a contract ends. This will now be a key expectation, and the processes to support these responsibilities will represent a meaningful shift in how we manage vendor relationships over the full contract lifecycle. 

Key Milestones 

To ensure transparency and efficiency, the project follows a timeline with focused phases leading up to—and continuing beyond — the audit period. 

• March-May 2025: 
  • Vendor and data inventory 
  • Contract language and policy updates 
  • Oversight structure and governance 
  • System evaluation and technical planning 
  • Communication and change management 
• June 2025: Mock audit 
• July 1, 2025: Third-Party Services Providers Oversight Policy finalized and launched  across the health system  
• July-August 2025: Official audit 
• June-November 2025: Continued system implementation 

Look for email updates and Connect articles as this important work progresses. Together, we’re building a more secure, streamlined way to collaborate with our trusted vendor partners — keeping patient trust, safety, and quality at the center of everything we do.