BAA vs. Vendor Risk Assessment: Why a Signed Contract Isn’t Compliance

Many healthcare organizations treat a signed Business Associate Agreement (BAA) as the finish line for vendor compliance. It is closer to the starting line. A BAA is a contract that allocates legal responsibility for protected health information (PHI). A vendor risk assessment is the verification that the business associate can actually protect that data. HIPAA expects both — and the gap between the two is where most third-party breaches happen.

What a BAA actually does

Under the HIPAA Privacy Rule, a covered entity may disclose PHI to a business associate only with “satisfactory assurances” that the associate will safeguard it, and those assurances must be documented in a written contract (45 CFR 164.502(e)). The Security Rule repeats the requirement for electronic PHI at 45 CFR 164.308(b), and 45 CFR 164.314(a) spells out the clauses the agreement must contain — permitted uses, breach reporting obligations, subcontractor flow-down, and return or destruction of PHI at termination.

What a BAA does not do is prove the vendor is secure. It is a promise, enforceable after the fact. It says what happens if PHI is mishandled; it does not confirm that the vendor’s controls make mishandling unlikely. A signed BAA on file satisfies the contractual element of HIPAA. It does nothing to satisfy the diligence element.

What a vendor risk assessment adds

The Security Rule’s risk-analysis standard (45 CFR 164.308(a)(1)(ii)(A)) requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of ePHI. PHI that lives in a vendor’s environment is still your risk surface. That means the controls protecting it — encryption, access management, employee training, incident response, subcontractor governance — fall within the scope of an assessment you are obligated to perform.

A vendor risk assessment is how you discharge that obligation for third parties. It verifies, rather than assumes, that a business associate’s safeguards are real and current. A structured HIPAA vendor risk assessment questionnaire typically covers where ePHI is stored and transmitted, encryption at rest and in transit, role-based access and offboarding, the date and scope of the vendor’s most recent risk analysis, breach history, and how the vendor governs its own subcontractors. The answers tell you whether the promise in the BAA is backed by capability.

Why the distinction matters: enforcement reality

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has repeatedly resolved cases in which a BAA existed but diligence did not. The point of those settlements is consistent: holding a contract did not absolve the covered entity of responsibility for risks it never assessed. When a business associate suffers a breach, regulators ask what the covered entity knew about that vendor’s security posture and when. “We had them sign a BAA” is rarely a sufficient answer.

The practical lesson is that the BAA and the assessment answer different questions. The BAA answers “who is liable?” The assessment answers “how likely is a breach, and have we reduced it?” You need both documented to demonstrate good-faith compliance.

How they work together across the vendor lifecycle

BAA and assessment are not sequential one-time events; they operate together over the life of the relationship. At onboarding, run the risk assessment before signing so findings can shape the contract and remediation timelines. Keep a current BAA inventory so no vendor touches PHI without an executed agreement. Then reassess on a cadence — annually at minimum, and immediately after a vendor’s breach, acquisition, or material change in how it handles your data. A signed BAA from three years ago paired with an assessment that was never repeated is a weak position in front of OCR.

This lifecycle view is the core of healthcare third-party risk management: contracts and verification maintained in parallel, refreshed on a schedule, with evidence retained. It also connects directly to your own security risk analysis — your enterprise risk picture is incomplete until third-party risk is folded into it.

A simple test for your program

Pick any vendor that handles your PHI and ask three questions. Do we have a current, signed BAA? Have we assessed this vendor’s security controls in the last twelve months? Can we produce the evidence for both today? If the answer to any of those is no, the signed contract on file is not protecting you the way you think it is. Closing that gap — at scale, across every business associate — is what purpose-built HIPAA tooling like Medcurity’s Vendor Risk and Agreements workflows is designed to do. Compare options on our best HIPAA SRA software guide.
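The three questions above, together with the reassessment cadence from the lifecycle section (annual at minimum, and immediately after a breach, acquisition, subcontractor change or other material change), can be run mechanically over a BAA inventory. The script below is an added example written for this page, not Medcurity's tooling or any real product's export format; the vendor record shape and the inventory entries are constructed to illustrate the check.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Reassessment cadence stated in the article: annually at minimum.
REASSESS_INTERVAL = timedelta(days=365)


@dataclass
class Vendor:
    """One business associate in the BAA/assessment inventory (constructed record shape)."""
    name: str
    handles_phi: bool
    baa_signed: Optional[date]              # None = no executed BAA on file
    last_assessed: Optional[date]           # None = controls never assessed
    # (event date, description): breach, acquisition, subcontractor change, etc.
    trigger_events: List[Tuple[date, str]] = field(default_factory=list)


def review_vendor(v: Vendor, today: date) -> List[str]:
    """Return findings that weaken this vendor's position; an empty list means both
    the contract and the verification are current."""
    findings: List[str] = []
    if not v.handles_phi:
        return findings                     # no PHI, so outside the scope of this check

    # Question 1: do we have a current, signed BAA?
    if v.baa_signed is None:
        findings.append("no executed BAA on file")

    # Question 2: have we assessed the vendor's controls in the last twelve months?
    if v.last_assessed is None:
        findings.append("security controls never assessed")
    else:
        age = today - v.last_assessed
        if age > REASSESS_INTERVAL:
            findings.append(f"assessment is {age.days} days old (older than 12 months)")
        # A triggering event after the last assessment means reassess now, not next year.
        for when, what in sorted(v.trigger_events):
            if when > v.last_assessed:
                findings.append(
                    f"triggering event after last assessment: {what} ({when.isoformat()})"
                )
    return findings


def next_review_due(v: Vendor) -> Optional[date]:
    """Scheduled reassessment date on the annual cadence; None means it is due now."""
    if v.last_assessed is None:
        return None
    return v.last_assessed + REASSESS_INTERVAL


def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Question 3, 'can we produce the evidence today?', answered for every PHI vendor."""
    return {v.name: review_vendor(v, today) for v in vendors if v.handles_phi}


# Constructed sample inventory; dates and names are illustrative only.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Vendor("Cloud EHR Host", True, date(2023, 9, 15), date(2023, 8, 30)),
    Vendor("Billing Clearinghouse", True, date(2021, 3, 1), date(2021, 3, 1)),
    Vendor("Transcription Service", True, date(2024, 1, 10), None),
    Vendor("Analytics Startup", True, None, date(2024, 2, 1),
           [(date(2024, 4, 20), "vendor acquired by another company")]),
    Vendor("Office Supplies", False, None, None),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, TODAY).items():
        status = "OK" if not findings else "GAP"
        print(f"{status:3} {name}")
        for f in findings:
            print(f"     - {f}")
```

Run against the sample inventory, only the cloud EHR host passes all three questions; the clearinghouse has a BAA but an assessment from three years ago, the transcription service has a contract and no verification at all, and the analytics vendor has no executed BAA and was acquired after its last assessment. Each finding corresponds to one line of evidence you would be unable to produce in front of OCR.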

Frequently asked questions

Is a vendor risk assessment required by HIPAA?

HIPAA does not name “vendor risk assessment” as a standalone requirement, but the Security Rule’s risk-analysis standard (45 CFR 164.308(a)(1)(ii)(A)) requires you to assess risks to ePHI wherever it resides — including in a business associate’s environment. In practice, assessing your vendors is how you meet that obligation for third parties, which is why OCR expects to see diligence beyond a signed BAA.

If we have a signed BAA, are we covered if the vendor has a breach?

Not automatically. A BAA shifts certain liability and obligates the vendor to report breaches, but it does not relieve the covered entity of its own duty to assess and manage third-party risk. If you never evaluated the vendor’s safeguards, OCR can find that you failed to perform a thorough risk analysis even though a BAA was in place.

How often should we reassess a business associate?

At least annually, and additionally whenever there is a triggering event — the vendor reports a breach, is acquired, changes subcontractors, or materially changes how it stores or transmits your PHI. The BAA stays in force continuously; the assessment is the recurring verification that the controls behind that contract are still adequate.

Ready to close the gap between your contracts and your verification? Explore Medcurity’s HIPAA compliance solutions to manage BAAs and vendor risk assessments in one place.