You Didn’t Invite AI – But Your Vendor Did
AI may not be on your project roadmap, but it probably already landed in your inbox—perhaps even your EHR—without an invitation. What’s quietly changing in healthcare privacy, compliance, and security isn’t always happening inside your own four walls, and that’s exactly the problem.
Why AI in the Supply Chain Actually Matters
Healthcare often treats privacy and security as afterthoughts, at least until someone’s data shows up somewhere it shouldn’t. With the rise of AI-driven tools—from billing solutions to clinical support platforms—the temptation is to focus on your own use of artificial intelligence. But as Donna Grindle and David Sims point out in this episode, the real wildcard is often your vendor’s use of AI.
It’s entirely possible to decide “we’re not using AI,” but if your software vendor is quietly feeding your patients’ data to machine learning models, you’re just as exposed as if you’d built the algorithm yourself. As David Sims puts it, “I don’t think there’s such a thing anymore as ‘I’m not using AI’—it’s everywhere. Even if you didn’t ask for it.”
Third-Party Risk Just Got Harder to See
Traditional third-party risk management has always been tricky. Add in AI, and suddenly even basic transparency feels rare. Vendors may add new AI features or even switch to entirely different models in the background—sometimes without you noticing. That innocuous support chatbot? It might now feed data into an external AI tool, raising new privacy and compliance questions.
And it’s not just your direct vendors. The whole supply chain matters. Donna Grindle jokes, “It’s like that uninvited party guest who shows up, except they also brought their entire extended family.”
Tools and Approaches to Regain Some Control
So what can healthcare leaders do? The episode highlights a new resource: the Health Sector Coordinating Council’s “3PAIR” Guide for Third-Party AI Risk and Supply Chain Transparency. It’s practical, not prescriptive—meant to be used where it helps, not just read end-to-end like a new compliance manual.
Key takeaways for organizations:
- Don’t chase AI for its own sake. Start by asking whether a problem actually requires AI at all.
- Evaluate what value you expect AI to deliver—before a vendor brings it in “by surprise.”
- Keep contracts up to date. Standard business associate agreements (BAAs) and license agreements aren’t enough when a vendor’s AI is actively using or training on your data; the contract needs to say what the vendor may do with that data and what it must disclose.
- Inventory matters. Know what you’re using, but also what your vendors are using on your behalf.
- Transparency is not optional. Both operational and contractual visibility are vital if you want to manage risk.
- Expect “AI debt”—like technical debt, but worse—if new tools get added without a plan or ROI.
As always, compliance is about more than just checking a box, and the “3PAIR” guide includes sample policy language, contract clauses, risk definitions, and training resources to get started—without panicking.
Listen to the Episode
Want practical guidance without the panic? This episode is worth adding to your listening list.