If you run security or compliance at a healthcare organization, your hardest HIPAA problems probably aren't inside your own walls anymore. They're sitting in the dozens of vendors, contractors, and SaaS tools that touch protected health information (PHI) on your behalf: the billing platform, the transcription service, the cloud backup, the AI scribe, the analytics vendor. Each one is a door into your patient data, and under HIPAA, you are accountable for whether those doors are locked.
This is third-party risk management (TPRM), and for healthcare it has a specific legal spine: the business associate relationship.
Why a signed BAA is the floor, not the ceiling
A Business Associate Agreement (BAA) is required before a vendor can handle PHI on your behalf. But a BAA is a contract, not a control. It documents that a vendor has promised to safeguard PHI. It does nothing to verify that they actually do.
The gap most teams underestimate: collecting signed BAAs and then treating the work as done. The HHS Office for Civil Rights has repeatedly made clear that covered entities and business associates are expected to know who has access to their PHI and to manage that risk on an ongoing basis. A drawer full of signed agreements with no inventory, no risk tiering, and no review cadence is exactly the posture that turns one vendor's breach into your enforcement problem.
A practical TPRM loop for healthcare
You don't need an enterprise GRC suite to do this well. You need a repeatable loop:
- Inventory every vendor that touches PHI. If you can't list them, you can't manage them. Start with the systems that store, transmit, or process patient data.
- Confirm a BAA exists for each one — and that it's current. Vendors get acquired, change subprocessors, and sunset products. Last year's BAA may not cover this year's data flow.
- Tier vendors by risk. A cloud EHR that holds your entire patient record is not the same risk as a one-off design contractor. Spend your attention where the PHI concentration is highest.
- Reassess on a schedule. At minimum annually, and whenever a vendor has a material change or a reported incident. Tie this to your overall HIPAA Security Risk Assessment so it isn't a separate, forgotten workstream.
- Document the whole thing. If it isn't written down, from an auditor's perspective it didn't happen.
Where this connects to your Security Risk Assessment
Third-party risk isn't a side quest. The HIPAA Security Rule requires an accurate and thorough assessment of risks to ePHI, and the vendors who hold or move that ePHI are squarely in scope. The cleanest programs treat vendor risk as one chapter of the annual SRA rather than a parallel binder nobody opens. When your SRA and your vendor inventory share the same source of truth, "who can touch our PHI, and is that risk acceptable?" becomes a question you can actually answer.
The healthcare-native angle
General-purpose compliance automation tools are built to cover many frameworks across many industries. That breadth is useful for a SaaS startup chasing SOC 2 and ISO 27001. It's less useful when your actual question is "does this BAA cover our new AI scribe, and where does that vendor sit in my HIPAA risk picture?" Healthcare-native tooling starts from the Security Rule and the BAA relationship instead of bolting HIPAA on as one framework among many.
That's the approach we take at Medcurity. We build for healthcare organizations specifically — Security Risk Assessments, vendor and BAA tracking, policies, and staff training in one place — at $499/year. If you want the full walkthrough of a healthcare TPRM program, we wrote it up here: https://medcurity.com/third-party-risk-management-healthcare/, and the SRA side lives at https://medcurity.com/hipaa-compliance-solutions/security-risk-analysis/.
If you'd rather just talk it through, reach us at https://medcurity.com/contact/explore-medcurity-solutions/.
Third-party risk is where HIPAA accountability quietly outgrows your own perimeter. The organizations that handle it well aren't the ones with the most signed BAAs. They're the ones who can still answer, on any given day, exactly who has their patient data and why that's safe.