HIPAA Third-Party Risk Management: Vendor Assessment Best Practices
A growing share of healthcare data breaches no longer starts inside the provider — it starts at a vendor. Billing companies, cloud platforms, EHR hosts, and IT service providers all touch protected health information, and each one extends an organization’s attack surface. That is what makes third-party risk management distinct from the rest of a HIPAA program: you are accountable for safeguards you do not directly operate, held by companies you do not directly control. Managing that exposure takes more than a signature on a contract.
The Business Associate Agreement is the floor, not the ceiling
HIPAA requires a Business Associate Agreement (BAA) with every vendor that creates, receives, maintains, or transmits PHI on your behalf. The BAA is mandatory and it matters — it sets out each party’s responsibilities and breach-notification duties. But a BAA is a legal instrument, not a security control. It does not confirm that a vendor encrypts data at rest, enforces least-privilege access, or patches its servers. Treating the signed agreement as the end of vendor due diligence is one of the most common — and most consequential — gaps in healthcare security programs.
Inventory every vendor that touches PHI
Effective third-party risk management starts with a current inventory: every business associate, what PHI it handles, how the data reaches it, and how critical it is to operations. Many organizations are surprised by the length of the list once they include analytics tools, transcription services, fax-to-email gateways, and the subcontractors their vendors rely on. You cannot assess risk you have not catalogued, and a stale vendor inventory is itself a finding.
Assess safeguards before — and after — you sign
For each vendor, gather evidence of its actual security posture: independent audit reports such as SOC 2, HITRUST certification, security questionnaires, encryption practices, access-control policies, and incident-response history. Scale the depth of review to the risk — a vendor warehousing millions of records deserves far more scrutiny than a low-volume tool. Crucially, this is not a one-time exercise at onboarding. Vendor environments change, acquisitions happen, and certifications lapse, so reassessment on a defined cadence is what keeps the picture accurate.
Vendor risk belongs in your Security Risk Analysis
HIPAA’s Security Rule requires a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A) — an accurate and thorough assessment of the risks and vulnerabilities to electronic PHI. Third-party relationships are squarely within that scope: the analysis should account for where PHI leaves your environment, which vendors hold it, and what would happen if one of them were breached. A risk analysis that stops at the firewall ignores the very path most modern breaches travel.
The proposed 2026 Security Rule update
Vendor oversight is a focal point of the Notice of Proposed Rulemaking (NPRM) the HHS Office for Civil Rights published in December 2024. Among other changes — mandatory encryption, multi-factor authentication, and stronger documentation — the NPRM proposes requiring covered entities to obtain written verification that their business associates have actually implemented the required technical safeguards, refreshed on a regular basis. The NPRM is a proposal, not a final rule; it has not been finalized, and once a final rule is published, organizations would have a 240-day compliance window. Building a repeatable vendor-verification process now anticipates exactly where the rule is heading.
How Medcurity helps
Medcurity helps healthcare organizations complete and document the Security Risk Analysis HIPAA requires and keep a living view of where PHI flows — including out to business associates — with remediation tracked over time. Pricing is $499/year (about $42/month) for a single organization; larger or multi-entity organizations can request a quote. For related guidance, see our Business Associate Agreement guide and our overview of HIPAA compliance for IT vendors.
Frequently asked questions
Is a signed Business Associate Agreement enough to manage vendor risk?
No. A BAA is a legal requirement, but it is a contract — not a security control. It documents responsibilities and breach-notification duties but does not verify that a vendor actually encrypts data, restricts access, or patches systems. Real third-party risk management pairs the BAA with an assessment of the vendor’s safeguards.
Which vendors need a Business Associate Agreement?
Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and needs a BAA — including EHR hosts, billing companies, cloud storage, email providers, and many IT and analytics services. Subcontractors that handle PHI for your business associates need agreements too.
How often should we reassess our business associates?
At least annually, and whenever a vendor’s role, systems, or the data it handles changes materially. High-risk vendors that store large volumes of PHI warrant closer and more frequent review than low-touch ones.
Does the proposed 2026 Security Rule change vendor requirements?
The December 2024 NPRM proposes requiring covered entities to obtain written verification that business associates have deployed required technical safeguards, with that verification refreshed on a regular cadence. It is a proposal, not final, but it signals where vendor oversight is heading.