This document discusses strategies for organizations to manage risks associated with non-business associate vendors. It recommends that organizations implement organizational policies, conduct due diligence on vendors, and enter into confidentiality agreements. Specific policies are suggested around data access, premises access, and incidental data use or disclosure. Due diligence may involve vendor screening and obtaining privacy assurances. Confidentiality agreements should address data use, compliance with laws and policies, incident reporting, reimbursement for incidents, and indemnification. Proper management of non-business associate vendors can help organizations address privacy risks beyond those regulated by HIPAA.