Third-Party Risk Management for Healthcare: The 2026 HIPAA Guide

Quick answer: Third-party risk management (TPRM) in healthcare is the ongoing process of identifying, assessing, and monitoring the vendors, contractors, and software providers that touch your patients’ protected health information (PHI) — and proving you did it. A signed Business Associate Agreement is the floor, not the finish line. Under the HIPAA Security Rule, your vendors are part of your risk analysis, and a breach at one of them is reported as a breach at you.

Healthcare runs on vendors. Your EHR, your billing company, your cloud host, your secure-email provider, your IT managed-service partner, your transcription tool — every one of them can see, store, or move PHI. That reach is exactly why business associates are consistently among the leading sources of reportable healthcare breaches. When a vendor is compromised, the covered entity is the one explaining it to patients and to the HHS Office for Civil Rights (OCR).

This guide covers what HIPAA actually requires of you regarding third parties, why a BAA alone leaves you exposed, and how to run a vendor risk program that holds up to an audit — without a spreadsheet graveyard.

What HIPAA requires of you for third parties

Three obligations sit at the center of healthcare TPRM:

  1. Business Associate Agreements (§164.308(b), §164.502(e)). Before a vendor handles PHI on your behalf, you need a written BAA establishing how they will safeguard it. This is mandatory and it is the first thing an auditor asks for.
  2. Risk analysis that includes your vendors (§164.308(a)(1)(ii)(A)). The Security Rule requires an accurate, organization-wide assessment of risks to electronic PHI. Vendors with access to your data are part of that risk surface — leaving them out makes the assessment incomplete.
  3. Ongoing diligence. HIPAA expects compliance to be a continuous state, not a once-a-year signature. If a vendor’s security posture slips, your exposure changes — and “we signed a BAA in 2022” is not a defense.

The gap most organizations fall into: they collect BAAs and stop there. A BAA is a contract promising good behavior. It does not tell you whether the vendor encrypts data at rest, trains its staff, has been breached, or would survive a ransomware event. That’s what a vendor risk assessment is for.

Why a signed BAA isn’t enough

A BAA is a legal instrument. Vendor risk management is an evidence instrument. They answer different questions:

OCR investigations and client audits increasingly ask the second question. So do cyber-insurance underwriters. If your only artifact is a folder of signed BAAs, you have documented the promise but none of the diligence — and that is where findings come from.

The five steps of healthcare third-party risk management

  1. Inventory every vendor with PHI access. You cannot manage what you have not listed. Categorize each by what they touch, whether they’re patient-facing, and how critical they are.
  2. Tier by risk. A cloud EHR that holds your entire patient database is not the same risk as a shredding service. Tier vendors so your effort follows your exposure.
  3. Assess. Send a security questionnaire mapped to HIPAA safeguards, collect documentation, and produce a clear “can we use them?” decision — not a pile of raw answers.
  4. Remediate the gaps. A vendor assessment that ends in a score is half-finished. The findings need to land on a prioritized to-do list with owners and due dates.
  5. Monitor continuously. Re-assess on a cycle, watch for breaches and posture changes, and re-flag automatically when an agreement expires or a safeguard lapses.
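The five steps above read as a process description; the following is an added example (not Medcurity's code or any tool the page describes) showing how a minimal vendor register could encode them: a PHI-exposure tiering rule, a per-tier reassessment cadence, BAA presence and expiry checks, and a "can we use them?" decision derived from the flags. The only cadence taken from the page is "high-risk vendors at least annually"; the medium and low cadences, the tiering thresholds, the flag names and all vendor records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Tier(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Maximum days between assessments per tier. HIGH = annual (from the guide);
# MEDIUM and LOW values are assumptions, not a HIPAA requirement.
REASSESS_DAYS = {Tier.HIGH: 365, Tier.MEDIUM: 730, Tier.LOW: 1095}

# Flags that block use until fixed; anything else yields a conditional approval.
BLOCKING_FLAGS = {"NO_BAA", "BAA_EXPIRED", "NEVER_ASSESSED"}


@dataclass
class Vendor:
    name: str
    phi_access: bool            # does the vendor see, store or move PHI at all?
    phi_volume: str             # "none", "limited" or "bulk" (assumed scale)
    critical_service: bool      # would an outage stop care or billing?
    patient_facing: bool
    baa_signed: Optional[date]
    baa_expires: Optional[date]
    last_assessed: Optional[date]
    open_findings: int = 0


def tier_vendor(v: Vendor) -> Tier:
    """Step 2: effort follows exposure. Thresholds are assumptions."""
    if not v.phi_access:
        return Tier.LOW
    if v.phi_volume == "bulk" or v.critical_service:
        return Tier.HIGH
    if v.patient_facing or v.phi_volume == "limited":
        return Tier.MEDIUM
    return Tier.LOW


def review_vendor(v: Vendor, today: date) -> List[str]:
    """Steps 1, 3 and 5: BAA coverage, assessment currency, open remediation."""
    flags: List[str] = []
    tier = tier_vendor(v)
    if v.phi_access:
        if v.baa_signed is None:
            flags.append("NO_BAA")
        elif v.baa_expires is not None and v.baa_expires < today:
            flags.append("BAA_EXPIRED")
    if v.last_assessed is None:
        flags.append("NEVER_ASSESSED")
    elif (today - v.last_assessed).days > REASSESS_DAYS[tier]:
        flags.append("REASSESSMENT_OVERDUE")
    if v.open_findings > 0:
        flags.append("OPEN_FINDINGS")          # step 4: gaps still on the to-do list
    return flags


def decide(flags: List[str]) -> str:
    """Step 3: a clear decision rather than a pile of raw answers."""
    if any(f in BLOCKING_FLAGS for f in flags):
        return "blocked"
    return "conditional" if flags else "approved"


def build_register(vendors: List[Vendor], today: date) -> List[Dict]:
    """Return the register sorted so the highest-exposure vendors come first."""
    order = {Tier.HIGH: 0, Tier.MEDIUM: 1, Tier.LOW: 2}
    rows = []
    for v in vendors:
        flags = review_vendor(v, today)
        rows.append({"vendor": v.name, "tier": tier_vendor(v).value,
                     "flags": flags, "decision": decide(flags)})
    return sorted(rows, key=lambda r: order[Tier(r["tier"])])


# Constructed sample records; none refer to real vendors.
REVIEW_DATE = date(2026, 3, 1)
SAMPLE_VENDORS = [
    Vendor("CloudChart EHR", True, "bulk", True, False,
           date(2024, 1, 15), date(2027, 1, 15), date(2024, 12, 1), open_findings=2),
    Vendor("Transcribe-It", True, "limited", False, False,
           date(2022, 5, 1), date(2025, 5, 1), date(2025, 6, 1)),
    Vendor("PayPortal Billing", True, "limited", False, True,
           None, None, None),
    Vendor("Lawn Care Co", False, "none", False, False,
           None, None, date(2025, 1, 1)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_VENDORS, REVIEW_DATE):
        print(f'{row["tier"]:6} {row["decision"]:11} {row["vendor"]:18} {row["flags"]}')
```

Running it on the constructed sample lists the EHR first as high-tier and conditional (assessment older than a year, findings still open), the transcription vendor as blocked on an expired BAA, the billing vendor as blocked with no BAA and no assessment, and the non-PHI vendor as approved. The point of the structure is that the register, not a person's memory, decides when a vendor needs attention again.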

How Medcurity does healthcare TPRM

Medcurity is built for this exact workflow — and it works from both sides of the vendor relationship, which almost no one else does.

This is third-party risk that closes the loop: identify the vendor risk, prove the diligence, fix the gap, and keep watching — all connected to the rest of your HIPAA program.

See how Medcurity turns vendor risk into an audit-ready program → Talk to us.

Frequently asked questions

Does HIPAA require third-party risk management?

Yes, in substance. HIPAA requires a Business Associate Agreement with any vendor that handles PHI (§164.308(b), §164.502(e)) and an organization-wide risk analysis that accounts for risks to electronic PHI (§164.308(a)(1)(ii)(A)) — which includes your vendors. Together those obligations amount to a third-party risk management duty, even though the regulation doesn’t use the phrase “TPRM.”

Is a signed BAA enough to be compliant?

No. A BAA is a required contract, but it doesn’t verify that the vendor can actually protect PHI. HIPAA’s risk analysis requirement and OCR’s enforcement expectations call for active diligence — assessing the vendor’s safeguards and documenting that you checked — beyond collecting a signature.

Who is responsible when a vendor causes a breach?

Both parties can have obligations, but the covered entity remains accountable to its patients and to OCR for the PHI it entrusted to a business associate. A breach at your vendor is generally reportable as a breach affecting your organization, which is why vendor diligence is part of protecting yourself, not just the vendor.

How often should vendors be reassessed?

Best practice is a risk-tiered cycle: high-risk vendors (those holding large volumes of PHI or providing critical services) at least annually, with continuous monitoring for breaches and posture changes in between. Lower-risk vendors can be reassessed less frequently. The key is that assessment is ongoing, not a one-time event.

What’s the difference between a vendor risk assessment and a security risk assessment (SRA)?

Your SRA assesses your whole organization’s risk to PHI; a vendor risk assessment focuses on a specific third party’s ability to safeguard the PHI you share with them. In a connected program the two feed each other — vendor findings become part of your overall risk picture.