Back to Blog
#13 · TechnologyCompliance & SecurityHealthcare AP Operations

The Audit Trail No One Thinks About: Vendor Communications and HIPAA Compliance

HIPAA compliance in AP is usually discussed around invoice data. But untracked vendor email communications create a compliance gap that auditors are starting to notice.

Mason AuchJune 9, 202610 min read
Share
The Audit Trail No One Thinks About: Vendor Communications and HIPAA Compliance

An auditor at a regional health system asked a question last year that the AP director couldn't answer: "Who sent this email to your Cardinal Health contact on March 14th, what ERP data was included in the response, and was that information appropriate to share externally?"

The email in question had been sent from the shared AP inbox. The AP director knew the team had a shared mailbox. She didn't know which specific rep had sent the message, what data they had pulled from the ERP to compose it, or whether any of that data touched any protected health information (PHI) adjacent territory.

She could reconstruct the answer eventually, by interviewing the team and checking sent items, but she couldn't produce an immediate, documented audit trail. The auditor logged a finding.

This scenario isn't unusual. It reflects a compliance gap that exists in most healthcare AP departments and that is receiving increasing scrutiny as internal and external audit functions grow more sophisticated about data governance requirements.

The HIPAA Dimension in AP Communications#

HIPAA (Health Insurance Portability and Accountability Act) compliance in accounts payable is typically discussed in terms of invoice data, ensuring that invoices referencing clinical services don't include PHI, that vendor contracts include appropriate BAA (Business Associate Agreement) language, and that third-party software handling health system data has appropriate security posture.

What's less often discussed is the vendor communication layer, the emails sent from the AP inbox to vendor AR contacts in the course of handling inquiries.

The question of whether HIPAA applies to any specific vendor email is contextual. In most cases, routine invoice status communications don't touch PHI. An AP rep confirming that Invoice #45892 is scheduled for payment on March 15th is not disclosing protected health information.

But healthcare invoices sometimes reference information that is PHI-adjacent or, in some interpretations, directly PHI-relevant. There are invoices for patient transport services that reference service dates and pickup locations. There are medical equipment invoices that reference specific clinical units or procedure types. There are pharmaceutical invoices from McKesson and Cardinal Health that reference specific drug types associated with identifiable treatment categories. There are consulting invoices that reference specific clinical programs or patient population types.

When an AP rep responds to a dispute inquiry about one of these invoice types, and includes invoice description information in the response, there is at least a defensible question about whether that communication requires the same handling controls as other PHI-adjacent information flows.

Most AP teams haven't thought through this. Most AP automation tools haven't built for it. And most AP-related HIPAA training programs don't cover it.

⚠️

This is not a legal opinion and should not be construed as legal advice. Healthcare organizations should evaluate their specific circumstances with legal counsel. The point here is that the question is worth asking, and most AP departments have never asked it.

The Access Control Gap#

Beyond HIPAA, there's a more general data governance question that applies to all healthcare AP operations: who is authorized to access what ERP data, and is that authorization tracked?

In a typical shared AP inbox setup, any member of the AP team can read any email in the inbox, access the ERP with their credentials, query any vendor's invoice and payment data, and respond to vendor inquiries. The workflow is designed for efficiency. The data access control model is essentially "anyone on the AP team."

This creates potential issues in several scenarios:

Segregation of duties. If the same person who processes an invoice can also respond to vendor inquiries about that invoice, there's a segregation of duties gap that auditors flag in fraud risk assessments. The payment decision and the vendor communication about payment should ideally involve different access controls.

Data access scope. An AP rep who is assigned to handle vendor inquiries for a specific set of vendors shouldn't necessarily have unrestricted ERP access to all vendors' data. In practice, most healthcare ERP implementations don't enforce this level of granularity for AP customer service roles, but the access control gap is worth acknowledging.

Communication content authorization. When an AP rep includes specific ERP data in an external email, payment amounts, check numbers, bank routing information, invoice details, is there a review step? For most shared inbox operations, the answer is no. The rep composes and sends. There is no approval workflow for external communications containing financial data.

Debra Richardson on Audit Exposure#

Debra Richardson's "Tales from an Audit" post, which covers audit findings in vendor master file management, makes an observation that extends directly to vendor communications: auditors are increasingly looking at whether organizations can demonstrate control over vendor data handling at the process level, not just the system level.

System-level controls, who has database access, what the software's permission model looks like, are necessary but not sufficient. Auditors are asking process-level questions. When an employee sends financial data to a vendor, is there a documented procedure governing what data can be shared, who can share it, and what the review step looks like? When that documentation doesn't exist, it's an audit finding regardless of how good the system-level security is.

For vendor communications in AP, the process-level documentation almost never exists. There is no written policy governing what an AP rep is authorized to include in a vendor email response. There is no review step for external communications. There is no log of what data was retrieved and shared. The process is: rep reads email, rep looks up ERP, rep writes response, rep sends.

What a Compliant Communication Audit Trail Should Include#

A properly designed vendor communication audit trail for healthcare AP should be able to answer these questions for any outbound communication:

Who sent it? Not "someone on the AP team using the shared inbox," but the specific individual who composed and sent the email, tied to their authenticated identity.

When was it sent? Timestamp with sufficient precision to reconstruct a timeline for any inquiry thread.

What data was included? What ERP records were accessed in connection with this communication? What financial data was included in the response (invoice amounts, payment dates, check numbers)?

Was it reviewed? Was there a second-step review before sending, and if so, who performed the review?

What was the data access context? What ERP queries were run to generate the response, and by whom?

This level of traceability is the standard that healthcare organizations apply to other data handling functions. Clinical systems log who accessed which patient record and when. Financial systems log who approved which payment and why. Vendor communication management, if it's handled in a shared Outlook inbox with no logging, has essentially no equivalent traceability.

SOC 2 Implications#

For healthcare organizations subject to SOC 2 Type II requirements, which includes most health systems that handle significant volumes of contractor and vendor data, vendor communication handling may fall within the scope of audit evidence requirements.

SOC 2 security criteria include requirements around logical access controls (CC6), change management (CC8), and availability of audit information (A1). A vendor communication process that operates entirely within a shared Outlook inbox, with no access logging, no approval workflow, and no audit trail, may represent gaps against several of these criteria.

As health systems expand their SOC 2 programs to cover more operational processes, not just IT systems but business processes that handle sensitive data, vendor inquiry management is a natural candidate for inclusion in scope. The time to build the audit trail is before it becomes a finding, not after.

A Practical Path to Compliance Readiness#

Most healthcare AP departments are not in a position to implement enterprise-grade vendor communication compliance infrastructure next month. But there are practical steps that move in the right direction:

Document the current process. Write down how vendor inquiries are handled, who has access to the shared inbox, what ERP access AP reps have, and what the current review process looks like. This documentation is the baseline against which any compliance gap can be assessed.

Classify your high-risk communication types. Identify the vendor communication scenarios where data sensitivity is highest. There are statement reconciliation communications that include multiple payment details. There are dispute communications that reference invoice descriptions for clinical services. There are remittance communications that include bank routing information. These are the scenarios that most warrant a review step before sending.

Implement individual attribution for the shared inbox. Most Microsoft 365 shared mailbox configurations can be set to show "sent on behalf of" attribution that identifies the individual sender. This is a zero-cost configuration change that converts an unattributed shared inbox into one where individual communications are traceable. It's the single highest-value quick win for AP communication audit readiness.

Evaluate whether your AP communication approach includes audit logging. If you're evaluating technology for AP inquiry management, audit trail completeness should be an explicit evaluation criterion. What does the system log? Is that log tamper-evident? Can it be produced for an auditor in a queryable format?

The systems that reduce AP vendor inquiry backlog in healthcare and the systems that maintain a compliant audit trail are the same systems, not separate investments. A platform that automates vendor inquiry responses while logging every action, attribution, and ERP query solves both problems simultaneously. Healthcare AP teams that have reduced their inquiry backlog through systematic communication automation find that the audit trail problem resolves as a side effect. When every inquiry goes through a structured workflow rather than a shared inbox, audit evidence is built into the process rather than reconstructed after the fact.

It's worth being precise about what kind of automation does this work. Robotic Process Automation (RPA) is excellent at the structured, rule-based parts of an AP audit story. Logging when a scheduled invoice register pulls from PeopleSoft Financials, capturing the timestamp on a Workday Financial Management batch post, recording who triggered an Infor CloudSuite FSM extract, those are the kind of jobs RPA was built for, and a well-configured bot will produce clean evidence for years. Vendor communication is a different shape of evidence. The inputs are unstructured emails from McKesson, Cardinal Health, Medline, and a long tail of smaller vendors. The outputs include free-text responses that may reference invoice descriptions, payment dates, and bank routing details. The audit question is not "did the bot run on schedule" but "which person sent which response, what ERP records did they read to compose it, and was the content appropriate." Vendor communication tooling that classifies inquiry type, extracts invoice and PO numbers, queries the ERP, and drafts a response for human review captures all of that as a side effect of the workflow itself.

The compliance dimension of vendor communication management is not the most urgent problem in healthcare AP. But it is the problem that tends to surface at the worst possible moment, during an audit or after an incident, rather than being proactively managed. The AP teams that will be best positioned as compliance requirements continue to evolve are the ones that are building traceability into their vendor communication workflows now, not retrofitting it after a finding.

Reducing the AP vendor inquiry backlog in healthcare and achieving audit readiness are directly linked. The same structured, attributed workflow that supports a compliant audit trail also enables the response speed and consistency that reduces backlog accumulation. For more on the operational side of that tradeoff, see the vendor inquiry SLA framework and what your AP team isn't telling you for the cost of the unmanaged backlog.

Compliance and Backlog Reduction, One Investment

Auxtri builds a complete, attributed audit trail into every vendor inquiry response, while simultaneously reducing the AP vendor inquiry backlog through automated ERP lookups and draft generation. Request a demo to see how the compliance and operational improvements work together in practice.