The Business Associate Agreement sits in your vendor files, signed and dated. You check the box on your risk register. The vendor claims they're "HIPAA compliant." And then, eighteen months later, you're on a call with your legal team explaining to OCR why your covered entity is liable for a breach that happened in a subcontractor's AWS account that you didn't know existed.
I've watched this pattern repeat across healthcare organizations of every size. The BAA has become a checkbox—a piece of paper that creates a false sense of security while doing almost nothing to actually manage the risk that business associates represent. OCR knows this. Their enforcement actions make it clear: signing a BAA is the beginning of your compliance obligation, not the end of it.
The reality of HIPAA compliance for healthcare vendors is more complex than most covered entities want to admit. Your business associates have business associates. Your cloud storage provider uses a backup service. Your transcription vendor routes work through offshore contractors. Your patient portal provider just got acquired by a company you've never heard of. Each link in that chain creates exposure, and under HIPAA, much of that exposure flows back to you.
What OCR Actually Expects From Your Vendor Oversight Program
The HIPAA Security Rule doesn't just require you to have BAAs in place. It requires you to have a process for ensuring your business associates are actually protecting PHI. That's administrative safeguard 164.308(b)(1) if you're keeping score at home, and OCR has been increasingly explicit about what satisfactory compliance looks like.
In breach investigations, OCR routinely asks for evidence of your vendor oversight program. They want to see documentation of how you evaluated the vendor before engagement, how you monitor their security posture during the relationship, and how you verify they're meeting the terms of the BAA. They're looking for a program, not an artifact.
The pattern I see in organizations that handle this well: they treat vendor risk as a continuous process, not a point-in-time event. Before contract signature, they conduct due diligence that goes beyond reading the vendor's security questionnaire. During the relationship, they monitor for changes in the vendor's risk profile—acquisitions, breaches at peer organizations using the same vendor, service changes that affect PHI handling. When the relationship ends, they have a process for ensuring PHI is returned or destroyed, with verification.
Organizations that struggle here tend to treat HIPAA compliance for healthcare vendors as a procurement hurdle. Legal gets the BAA signed. IT might review a security questionnaire if someone remembers to ask for one. Nobody tracks what happens next. Nobody knows which vendors have subcontractors. Nobody has updated the vendor inventory since two acquisitions ago. When OCR comes calling, there's no program to point to—just a folder of BAAs and some hopeful representations about what vendors promised.
The Due Diligence That Actually Matters
Most healthcare organizations I work with have some kind of vendor security questionnaire. Many have multiple versions, depending on who in the organization is doing the buying. The questionnaires range from reasonable to theater—I've seen 300-question documents that ask about everything except the things that actually matter for PHI protection.
Effective vendor due diligence starts with understanding what PHI the vendor will access, how they'll access it, where they'll store it, and who else touches it. Those four questions drive everything else. If the vendor is hosting PHI in their environment, you need to understand their infrastructure controls, their backup procedures, their encryption implementation, and their access management. If they're just transmitting PHI without storage, the risk profile looks different.
For vendors handling significant PHI volumes or particularly sensitive data, I push for evidence beyond self-attestation. Third-party audit reports—SOC 2 Type II, HITRUST, FedRAMP if they work with federal agencies—provide independent verification that someone other than the vendor's sales team has looked at their controls. These reports aren't perfect, and they don't eliminate your responsibility to do your own assessment, but they give you a baseline that's more reliable than a questionnaire the vendor filled out themselves.
The due diligence should also cover the vendor's breach history and incident response capability. Have they had breaches? How did they handle notification? What did they fix? A vendor with no breach history either has excellent security or hasn't been looking hard enough to find their problems. A vendor that's had breaches but learned from them and improved their program may be less risky than one living in blissful ignorance.
The Subcontractor Problem Nobody Wants to Talk About
Your business associate agreement probably has language about subcontractors. It likely requires the vendor to flow down the same privacy and security obligations to any subcontractor that handles PHI on their behalf. It might even require them to notify you when they engage subcontractors. In practice, vendors interpret these clauses creatively, and covered entities rarely enforce them.
I've reviewed vendor architectures where PHI touched seven different entities between the healthcare provider and the actual storage location. The covered entity knew about the primary vendor. They had no visibility to the six layers below that. When we asked the primary vendor for their subcontractor list, it took them three weeks to produce it, and even then it was incomplete.
The regulatory framework here is clear but underutilized. Under the HITECH Act amendments to HIPAA, subcontractors have direct compliance obligations. They must comply with the same security and privacy rules that apply to business associates. They can be held liable for breaches. But the covered entity's obligation doesn't disappear just because a subcontractor is in the chain—in fact, your obligation to oversee the primary business associate includes ensuring they're managing their subcontractors properly.
The organizations handling this well require business associates to disclose all subcontractors who will have access to PHI, including cloud infrastructure providers. They update this list at least annually, and they require notification when new subcontractors are added. For critical vendors, they reserve the right to audit or require evidence that the subcontractor has appropriate safeguards in place. This creates friction in vendor relationships, which is exactly why most organizations avoid it—but the friction is proportional to the risk.
For more context on how the Security Rule's safeguards apply to both business associates and subcontractors, see The HIPAA Security Rule, Explained: Administrative, Physical, and Technical Safeguards.
Cloud Services and the Infinite Subcontractor Chain
Cloud infrastructure creates a particular version of the subcontractor problem. When your business associate hosts PHI in AWS, Azure, or Google Cloud, is the cloud provider a subcontractor under HIPAA? The answer is usually yes, which is why the major cloud providers offer BAAs for their healthcare customers. But those BAAs have carveouts and limitations that most covered entities never read.
The cloud provider's BAA typically covers the infrastructure layer—the compute, storage, and network services your business associate is using. It doesn't cover the application your business associate built, the configurations they chose, or the access controls they implemented. If your business associate misconfigures an S3 bucket and exposes PHI to the public internet, that's not the cloud provider's breach—it's yours and your business associate's.
This matters because I see healthcare organizations assume that if their vendor uses a major cloud provider, the vendor must be secure. The cloud provider's compliance certifications become a substitute for evaluating what the vendor actually built. It's magical thinking. The cloud provider gave your vendor a secure set of building materials; how your vendor assembled them is a completely separate question.
Need to Build a Vendor Oversight Program That Holds Up?
Carl Johnson delivers keynotes on HIPAA compliance, vendor risk management, and building practical oversight programs that satisfy regulators without grinding operations to a halt. His sessions are built on real implementation experience across healthcare organizations.
Book Carl to Speak
Breach Responsibility: Where Liability Actually Falls
When a business associate has a breach, covered entities often assume their liability is limited because the BAA assigns responsibility to the vendor. This assumption falls apart quickly when you read how HIPAA actually works.
Under HIPAA, both the covered entity and the business associate can be held liable for violations. The covered entity's liability for the business associate's breach depends on whether the covered entity failed in its own compliance obligations—specifically, whether it conducted adequate due diligence, had an appropriate BAA in place, and maintained reasonable oversight of the business associate's safeguards.
OCR has been clear in enforcement actions: if you did no meaningful due diligence before engaging the vendor, or if you ignored obvious red flags about the vendor's security posture, you share liability for the breach. The BAA doesn't indemnify you from your own compliance failures. It creates obligations for the business associate, but it doesn't eliminate your obligation under 164.308(b) to ensure you're working with vendors who can actually protect PHI.
I've seen this play out in breach responses where the covered entity's first instinct is to point at the vendor and say "they're responsible." That defense works only if you can show you did your job in selecting and overseeing them. If your vendor evaluation consisted of accepting their assurance that they're "HIPAA compliant," you don't have much to point to.
The financial exposure can be significant even when the covered entity isn't the direct cause of the breach. You're still responsible for breach notification to affected individuals, which carries hard costs. You may face state attorney general investigations or class action litigation. You're exposed to reputational damage when patients see your organization's name in breach notification letters, regardless of whose systems actually failed. The contractual right to seek indemnification from your vendor doesn't help if the vendor lacks the resources to pay or folds entirely after the breach.
What Your BAA Should Actually Say
Most business associate agreements I review are templates the vendor provides, lightly modified by the covered entity's legal team. They meet the minimum regulatory requirements under 164.314(a), but they don't adequately address risk allocation or operational realities.
A strong BAA should specify what security controls the business associate will implement, not just reference the regulatory obligation to have "appropriate safeguards." If encryption of PHI at rest and in transit matters to your risk profile, name it in the contract. If you need audit rights, put them in the BAA with enough specificity that you can actually exercise them—including the right to use third-party assessors, the frequency of audits, and how findings will be remediated.
The BAA should address breach notification timing with more precision than the regulatory minimum. HIPAA requires business associates to notify covered entities of breaches within 60 days. That's far too late for you to meet your own notification obligations to patients and OCR, which also run on a 60-day clock. Your BAA should require notification within days of discovery, not weeks, with enough detail that you can begin your own breach assessment.
Termination and data return provisions matter more than most organizations think. When the relationship ends—whether through normal expiration, early termination, or vendor failure—what happens to your PHI? The BAA should require certified destruction or return of all PHI, including backups, and it should give you verification rights. I've worked breach responses where the covered entity discovered that a vendor they'd terminated two years earlier still had PHI in backup systems nobody remembered existed.
For a detailed breakdown of what modern BAAs should cover and why the standard templates are increasingly insufficient, see What Is a Business Associate Agreement (BAA)? Why It Matters in 2026.
Building the Ongoing Monitoring Program OCR Expects
Vendor due diligence before contract signature addresses point-in-time risk. But vendors change. They get acquired. They change their infrastructure. They have incidents that affect their security posture. They expand into new markets that change their risk profile. A vendor oversight program that stops after the initial evaluation misses most of the risk.
The monitoring program I recommend to healthcare organizations has three components: periodic reassessment of vendor controls, continuous monitoring of vendor risk indicators, and structured communication channels for security issues.
Periodic reassessment means you're asking for updated evidence of security controls on a schedule tied to the vendor's risk level. For high-risk vendors—those storing large volumes of PHI or particularly sensitive data—annual reassessment makes sense. This might involve reviewing updated SOC 2 reports, conducting your own security questionnaire, or in some cases performing on-site or virtual audits. For lower-risk vendors, every two or three years may be sufficient. The key is having a schedule and following it, not waiting until you hear about a problem.
Continuous monitoring is harder to implement but increasingly necessary. This includes tracking breach reports from HHS to see if your vendors appear, monitoring for news of security incidents at vendor organizations or their subcontractors, and watching for significant corporate events like acquisitions or financial distress that might affect security investment. Some organizations use third-party services that aggregate this kind of vendor risk intelligence. Others build internal processes. Either way, you need a mechanism for learning about vendor risk changes between your formal reassessments.
The communication component means you have established channels for the vendor to report security incidents, potential breaches, or significant changes to their environment or subcontractor relationships. The BAA should require these notifications, but in practice you need operational contact points and processes that make reporting actually happen. I've seen too many situations where a vendor had an incident, wanted to report it to the covered entity, but couldn't figure out who to call and eventually gave up trying.
What Good Documentation Looks Like
When OCR investigates a breach or conducts a compliance audit, they ask for documentation of your vendor oversight program. The organizations that do well in these interactions can produce evidence that they have a systematic approach, not just ad hoc responses to problems.
Good documentation includes: a current inventory of all business associates and the PHI each one accesses; evidence of due diligence performed before engaging each vendor; copies of executed BAAs; records of periodic reassessments or monitoring activities; documentation of how you responded when vendors reported security incidents or when you identified risk issues; and evidence that someone in your organization is responsible for the vendor oversight program and has the resources to do it.
The inventory is foundational and often where organizations struggle. You need to know who your business associates are before you can oversee them. This sounds obvious, but healthcare organizations regularly discover business associates they didn't know they had—often because department-level procurement happened without IT or compliance involvement, or because the organization didn't recognize that a particular vendor relationship created PHI access.
I recommend maintaining the inventory in a system that tracks not just the vendor name and service, but also: what PHI they access, where it's stored, what your risk assessment showed, when you last reassessed them, when the contract expires, and who owns the vendor relationship internally. This becomes your operational tool for managing the program, not just audit evidence.
Looking for a Speaker Who Understands Healthcare Compliance in Practice?
Carl Johnson's keynotes cut through the checkbox mentality and focus on building programs that actually reduce risk. Drawing on experience as a CISO in regulated industries, he delivers actionable frameworks your team can implement. See all keynote speaking topics or reach out about your event.
Book Carl for Your Event
AI Vendors and the New Frontier of Business Associate Risk
Healthcare organizations are adopting AI tools at a pace that outstrips their ability to properly vet them. Ambient scribes that record patient encounters and generate clinical notes. Predictive models that analyze patient data to identify risks. Chatbots that triage patient questions. Imaging analysis tools that help radiologists read scans. Each of these creates business associate relationships, often with vendors whose security programs are less mature than traditional healthcare IT vendors.
The due diligence process for AI vendors needs to address risks that don't exist with traditional software. Where is the model training happening, and does training data include PHI? If so, how is it protected and how long is it retained? What humans review AI outputs, and where are those humans located? Does the vendor use your organization's PHI to improve their model for other customers, and if so, is that adequately de-identified?
Many AI vendors are startups or technology companies moving into healthcare from other sectors. They don't have the healthcare compliance muscle memory of established health IT vendors. Their BAAs may be inadequate, their security programs may be built for SaaS applications rather than PHI, and their incident response plans may have never been tested against a healthcare breach scenario. This doesn't mean you can't work with them—innovation in healthcare requires taking calculated risks on new vendors—but it means your due diligence and oversight need to account for the higher baseline risk.
I'm seeing healthcare organizations create separate vendor risk tiers for AI tools, with enhanced scrutiny before deployment and more frequent monitoring during use. This is appropriate. The technology is evolving faster than the regulatory framework, which means you can't simply check whether the vendor meets HIPAA requirements—you need to assess whether their implementation of AI introduces risks that HIPAA didn't contemplate when it was written.
When Vendors Won't Cooperate: Negotiating Leverage and Alternatives
The vendor oversight program I've described assumes vendors will cooperate with due diligence requests, sign reasonable BAAs, and provide evidence of their security controls. In practice, many vendors resist, especially market-dominant vendors who know you have limited alternatives.
Large EHR vendors, dominant cloud platforms, and specialized clinical tools with no real competitors often take a "take it or leave it" approach to BAAs and due diligence. They provide a standard BAA that you can't modify. They offer a security questionnaire or SOC 2 report but won't answer follow-up questions. They refuse audit rights. They won't commit to notification timing beyond the regulatory minimum.
Your leverage in these situations depends on the vendor's replaceability and your organization's size. If you're a large health system negotiating with a vendor who wants your business, you have room to push. If you're a small practice trying to use Office 365, Microsoft isn't rewriting their BAA for you.
When you lack leverage to change vendor terms, your options are to accept the risk, implement compensating controls, or choose a different vendor. Accepting the risk is sometimes the right answer—if the vendor is providing critical clinical functionality and you've documented why alternatives aren't viable, OCR is unlikely to fault you for working with that vendor under their standard terms, provided you've done reasonable due diligence with the information available.
Compensating controls might include restricting what PHI the vendor accesses, implementing additional monitoring on your side, or adding contractual protections outside the BAA itself. If the vendor won't give you audit rights in the BAA, perhaps they'll agree to a security review process in the master services agreement.
Choosing a different vendor is often more viable than organizations assume. The switching costs are real, but so is the risk of working with a vendor who won't provide basic assurances about PHI protection. I've watched organizations stay with vendors they didn't trust because migration seemed too hard, only to face that migration anyway after a breach forced their hand under worse circumstances.
What Leadership Needs to Understand About Vendor Risk
The gap I see most often in healthcare organizations isn't technical—it's a leadership understanding gap about what vendor risk actually means and who's responsible for managing it.
Executives often believe that signing a BAA transfers risk to the vendor. It doesn't. It creates shared obligations and potentially gives you contractual remedies after something goes wrong, but it doesn't eliminate your regulatory responsibility or your practical exposure when vendors fail. The leadership team needs to understand that HIPAA compliance for healthcare vendors is not a vendor management problem you can delegate and forget—it's a compliance risk that requires investment, oversight, and periodic executive attention.
This means the vendor oversight program needs resources. Someone needs to own it—typically in IT, compliance, or risk management—and that person needs time allocated to actually do the work, not just maintain a spreadsheet. For organizations with significant vendor ecosystems, this may be a full-time role. For smaller organizations, it needs to be an explicit part of someone's job with enough hours allocated to do it properly.
It also means procurement processes need to change. Departments can't sign up for cloud services using a credit card without IT and compliance review. The procurement team needs training on how to identify when a vendor relationship creates PHI access and therefore needs a BAA. Contracts can't be executed until the vendor has been through appropriate due diligence for their risk tier.
The board or executive leadership should see periodic reporting on vendor risk—at minimum annually, and ideally as part of regular compliance or risk committee updates. This reporting should cover: how many business associates you have, what your highest-risk vendor relationships are, any vendor security incidents that occurred, and the status of your oversight program. When executives ask about vendor risk, they often get reassurance that "we have BAAs in place." That's not the right metric. The right questions are: Do we know who has our PHI? Have we verified they're protecting it? What would happen if our largest business associate had a breach tomorrow?
The pattern I see in organizations that manage vendor risk well is executive sponsorship that treats it as part of the organization's overall compliance and risk program, not an administrative task buried in IT. When leadership understands that vendor breaches are your breaches from a regulatory and reputational standpoint, the investment in proper oversight starts to make sense. When they don't, you end up with shelves of signed BAAs and a compliance program built on hope.