In the last six months Meridian shared identifiable patient records with 14 external vendors. Only 3 of those connections sit behind a current Business Associate Agreement mapped to a data-loss-prevention control.
Ratify the four-tier Data Governance Framework, suspend the two research pilots operating past their approval date, and authorize the Chief Compliance Officer to shut down non-compliant vendor access without a further board vote.
Prepared by the Office of Compliance · For board vote.
A single emergency-department visit touches 11 systems before the chart closes.
Every hop is a chance for protected health information to leave a controlled boundary.
Care-team access inside the electronic health record, role-based, audit-logged, minimum-necessary enforced.
Risk: acceptable and monitored
Imaging AI, billing clearinghouse, population-health analytics — contracts exist but DLP coverage is partial.
Risk: contractual, not technical
Two research pilots and one care-coordination app pull full records with no BAA renewal on file.
Risk: reportable breach exposure
Internal audit (March 2026) found this figure exceeds our entire annual outpatient volume. Remediation is required within 45 days to stay ahead of the next OCR audit cycle.
# data-governance-policy.yaml · enforced at the API gateway tier_1_internal_clinical: - systems: [epic_ehr, pharmacy_system] control: role_based_access + minimum_necessary tier_2_vendor_baa: - systems: [imaging_ai, billing_clearinghouse, population_health] control: dlp_scan + signed_baa + quarterly_audit tier_3_research_pilot: - systems: [research_registry, care_coordination_app] control: irb_approval AND deidentification AND 90_day_review forbidden_always: - "phi export to personal email" - "unencrypted usb transfer" - "vendor access without a signed baa"
OCR's 2025 median settlement for uncontrolled vendor access was $4.2M. The proposed governance office costs $310K per year to run.
Adopt the Data Governance Framework as binding institutional policy, effective immediately.
Halt the two overdue research pilots and recertify all 14 vendor BAAs within 45 days.
Chartered committee chaired by the CCO, reporting quarterly to the full board.
This framework does not eliminate risk. It gives the board a defensible record that Meridian identified its exposure and acted before a regulator had to point it out.
Framework effective today · Vendor recertification due in 45 days · Committee's first report due next quarter.