Hospital CIOs and IT security teams spend significant time vetting EHR vendors, billing partners, and clinical software providers. Vendor risk assessments, security questionnaires, penetration test results, and SOC 2 reports all become standard parts of the procurement process. The same hospitals will then sign a medical courier contract, granting access to patient health information for hundreds of daily deliveries, with minimal IT involvement and a one-page agreement.
This is not an oversight on the part of any particular hospital. It is an industry pattern. Medical couriers are seen as logistics vendors, not data vendors. The result is a substantial gap in hospital vendor risk management, with material implications for both data security and operational continuity.
This article looks at why hospital IT leaders should treat their medical courier as a high-stakes data vendor, and what questions to ask before signing.
The Volume of PHI a Medical Courier Touches
A medium-sized hospital with active courier operations handles roughly 50,000 medical courier interactions annually. Each interaction involves at minimum a manifest, often with patient identifiers, sometimes accompanied by full chart printouts, lab requisitions, or pharmacy paperwork. Each interaction also involves physical custody of specimens or medications labeled with patient identifiers.
The volume of protected health information passing through a hospital’s courier vendor in a year is roughly comparable to what passes through its billing partner, and substantially exceeds what passes through most non-EHR clinical software vendors. The gap between how rigorously these vendors are evaluated, however, can be substantial.
How PHI Actually Travels Through Courier Operations
To understand the risk surface, it helps to look at what a typical courier handoff actually involves.
Pickup. A driver arrives at the hospital lab, pharmacy, or unit. Specimens, medications, or documents are handed over along with a manifest that frequently lists patient names, dates of birth, medical record numbers, and the nature of the material. The driver scans or photographs the manifest, which now exists on a mobile device. The physical material also bears patient identifiers on labels.
Transit. The material is in a vehicle, potentially for several hours, potentially making multiple stops. During this time, the material is technically in the courier’s custody. The driver may also receive paperwork from multiple facilities, meaning a single vehicle may simultaneously contain PHI for dozens of patients across multiple healthcare organizations.
Delivery. The material is handed over at the destination, with a signature or photo capture of the receiving party. The chain of custody documentation is now distributed across multiple systems: the courier’s mobile platform, possibly the courier’s central server, possibly the receiving facility’s intake system.
At each of these points, there is data being created, transmitted, stored, and potentially exposed. A driver’s lost phone, a courier company’s compromised dispatch system, a misrouted delivery: each represents a potential breach event.
The Hidden Risk Categories
The most common risk categories that hospital IT teams underweight in courier vendor evaluations:
Mobile device security. Drivers carry mobile devices that capture PHI through photos, signatures, and scans. The standard for those devices ranges widely across vendors. Some courier companies issue managed devices with mobile device management, encryption at rest, and centralized control. Others allow drivers to use personal devices for the platform app. The security posture of the latter is much weaker.
Data retention. Courier operations generate a substantial volume of records: manifests, photos, signatures, GPS logs, temperature readings. HIPAA requires retention of relevant records for at least six years. Many courier vendors have inconsistent retention practices: some keep records indefinitely on systems with weak controls, some delete records prematurely. Neither aligns with the hospital’s compliance obligations.
Subcontractor risk. General courier services often subcontract overflow work, especially during demand surges. Each subcontractor relationship is a separate data exposure path. Many hospital BAAs do not adequately address subcontractor flow-down requirements, and many courier vendors do not reliably enforce them.
Driver turnover and offboarding. Medical courier industry turnover frequently exceeds 100% annually at gig-economy operators. Each departing driver represents a potential offboarding gap: devices to recover, access to revoke, training expectations to reset for replacements. High-turnover vendors are harder to keep in compliance, even when the vendor is making a genuine effort.
Incident response capability. When something goes wrong (a lost specimen with PHI on the label, a stolen vehicle, a misdirected delivery), the courier’s incident response capability becomes part of the hospital’s incident response. A vendor without a clear protocol, escalation tree, and 72-hour breach notification capability becomes a liability.
At carGO Health, we have built our infrastructure around exactly these failure modes. Managed mobile devices with full mobile device management, W-2 employee drivers with consistent training records, in-house dispatch with no subcontractor flow-down, and multi-year retention on all chain-of-custody documentation. The operational cost of doing this correctly is higher than running it loosely. The procurement decision a hospital makes when it selects a courier is which side of that cost equation it wants to absorb.
What to Ask Before Signing
For hospital CIOs, security officers, and procurement teams evaluating medical courier vendors, the questions that surface real differences:
Mobile device security. Does the vendor issue managed devices with mobile device management? Is data encrypted at rest and in transit? What happens to data if a device is lost or stolen?
Driver employment model. Are drivers W-2 employees with background checks, training records, and consistent device controls? Or are they 1099 contractors with personal devices and ad-hoc training? The answer significantly affects both security posture and operational reliability.
Subcontracting practices. Does the vendor subcontract work? If yes, how are subcontractors vetted, contracted, and audited? Does the BAA flow down properly?
Incident response. What happens when something goes wrong? Walk through a hypothetical lost specimen with PHI on the label. What is the timeline? Who is notified? What is the documentation?
Records and audit access. Can the hospital access courier records for its own audit purposes? What is the retention policy? How are records produced for regulatory inquiries?
Driver retention. What is the annual driver turnover rate? Vendors with stable, long-tenured driver workforces are inherently lower-risk than vendors with high turnover, because consistent training and oversight are easier to maintain.
These questions cost nothing to ask but separate the medical courier vendors that are operationally serious about data handling from those that treat it as background paperwork.
The Operational Continuity Angle
Beyond data security, hospital IT teams should also evaluate courier vendors as operational continuity dependencies. When the EHR goes down, hospitals have well-rehearsed downtime protocols. When the courier vendor fails (drivers do not show, dispatch goes silent, the platform breaks), the impact on the hospital is similar in many ways: specimens do not move, medications do not deliver, clinical care is disrupted.
A courier vendor that operates as a single point of failure across an entire hospital system is a continuity risk that deserves the same level of vendor management as any other critical system.
The Procurement Implication
The practical conclusion for hospital IT leaders is straightforward: medical courier vendors deserve the same vendor risk management treatment as EHR vendors, billing partners, and clinical software providers. The volume of PHI handled, the complexity of the operational integration, and the consequences of failure all justify equivalent scrutiny.
The vendors that perform well under that scrutiny (specialized medical courier operations with managed device fleets, W-2 employee drivers, consistent retention practices, and documented incident response) are the ones that should be on the shortlist. The vendors that do not perform well are the ones that hospital security teams will eventually wish they had evaluated more rigorously.
carGO Health operates as a HIPAA-compliant medical courier service across the Northeast United States, with W-2 employee drivers, a managed mobile device fleet, and 200,000+ medical deliveries completed since 2020.
___
About the Author
Parth Patel is the founder and CEO of carGO Health, a specialized medical courier service operating 24/7/365 across the Northeast United States. carGO has completed 200,000+ medical deliveries since 2020 for hospitals, clinical laboratories, pharmacies, and biotechs.