Business associates—vendors, contractors, and third parties that access protected health information—represent significant risk to your organization. Comprehensive risk assessment must include evaluation of business associate security practices and compliance. This guide explains how to assess and manage vendor risk under HIPAA.
What is a HIPAA Business Associate?
A business associate is any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Common business associates include:
- EHR vendors and software providers
- Cloud service providers (Microsoft, Amazon, etc.)
- Backup and disaster recovery providers
- Billing and collections companies
- IT service providers and managed IT companies
- Telehealth platforms
- Lab and imaging vendors
- Accounting and payroll vendors
- Data analytics and reporting services
- Insurance companies
- Healthcare consultants and auditors
Critical Point: Many healthcare organizations underestimate the number of business associates they have. Common vendors you interact with daily may handle PHI and require formal assessment.
Legal Requirements for Business Associate Risk Assessment
Under HIPAA, covered entities must:
- Identify all entities that access or may access PHI
- Ensure business associates execute written Business Associate Agreements (BAAs)
- Evaluate business associate security practices and capabilities
- Monitor ongoing business associate compliance
- Include business associate risk assessment findings in your organizational risk assessment
- Take corrective action if a business associate does not meet security requirements
Business Associate Risk Assessment Process
Step 1: Complete Business Associate Inventory
Create a comprehensive list of all entities with access to PHI, recording for each:
- Entity name, type (vendor, contractor, etc.), and primary contact
- Type of PHI accessed (clinical records, billing, research, etc.)
- Method of access (direct system access, data transfer, printed records, etc.)
- Volume of PHI handled (estimated number of records, frequency of access)
- Length of relationship and contract renewal dates
- Criticality to operations (essential, important, supplementary)
Step 2: Verify Business Associate Agreements
Confirm required documentation is in place:
- Written BAA: Executed agreement that meets HIPAA requirements
- Required clauses: Agreement must specify security requirements, breach notification, subcontractor provisions
- Signature and dates: Both parties have signed and agreement is current
- Updated agreements: If vendor updates terms or services, BAA may need updating
Step 3: Evaluate Vendor Security Practices
Assess whether the business associate has implemented appropriate controls:

| Assessment Area | Questions to Ask/Verify |
|---|---|
| Administrative | Does the vendor have a documented security program? A designated security officer? An annual risk assessment? Security training? |
| Physical | Is data stored in a secure facility? Badge access and surveillance? Backups stored offsite? Destruction procedures documented? |
| Technical | Is authentication required? Are access logs maintained? Is data encrypted in transit and at rest? Are systems patched? Are firewalls in place? |
| Breach Response | Does the vendor have an incident response plan? Will they notify you of breaches? Do they maintain liability insurance? |
| Compliance | Are they HITRUST certified? Do they have a SOC 2 audit? Do they comply with industry standards? |
Step 4: Request Vendor Security Documentation
Request specific evidence of vendor security controls:
- Security questionnaire responses: Completed HIPAA/HITRUST security assessment forms
- SOC 2 Type II audit report: Third-party audit of vendor's controls (preferred for major vendors)
- HITRUST certification: Healthcare-specific security standard certification
- Data center certifications: Proof of ISO 27001, SAS 70, or similar certifications
- Incident history: Disclosure of any prior breaches or security incidents
- Subcontractor list: Identify if vendor uses other vendors (subcontractors) with PHI access
Step 5: Assess Subcontractor Risk
Business associates often use subcontractors who also access PHI:
- Identify all subcontractors used by primary business associate
- Verify written subcontracts are in place with equivalent security terms
- Conduct risk assessment of critical subcontractors
- Remember: You remain responsible for subcontractor compliance
Streamline Vendor Risk Management
Tracking and assessing multiple business associates is complex. Medcurity's vendor risk assessment module helps you manage business associate inventory, track security documentation, and document compliance status.
Business Associate Risk Rating
Evaluate each business associate's risk level based on the following factors:

| Risk Factor | High Risk | Medium Risk | Low Risk |
|---|---|---|---|
| Type of PHI Accessed | All PHI; sensitive data | Clinical or billing data | Demographic data only |
| Volume | Large patient population; frequent access | Moderate volume | Limited access; few records |
| Access Method | Direct system access; remote access | System access with controls | Read-only access; limited functions |
| Security Maturity | No documented controls | Some controls; basic compliance | Comprehensive controls; certified |
| Criticality | Essential to operations | Important function | Supplementary service |
Vendor Assessment Checklist
- Business Associate Agreement in place and current
- Vendor has a documented security program and risk assessment
- Physical security measures verified (facility access, backup storage)
- Technical controls confirmed (encryption, authentication, logging, patching)
- Breach notification procedures documented
- Subcontractors identified and assessed
- Insurance or bonding requirements verified
- Incident history reviewed (any prior breaches)
- Right to audit or assessment confirmed in contract
- Annual compliance monitoring documented
Ongoing Business Associate Monitoring
Assessment is not a one-time activity; you must monitor compliance continually:
- Annual review: Include business associate compliance in annual risk assessment
- Incident notifications: If vendor reports a breach, evaluate for compliance failures
- Contract updates: When vendor changes services or updates agreements, review for new risks
- News monitoring: Watch for public announcements of vendor breaches or security issues
- Periodic audits: Conduct on-site audits of critical vendors periodically
- Updated documentation: Request updated security assessments/SOC 2 reports
Frequently Asked Questions
Q: Are all vendors business associates?
No, only vendors that create, receive, maintain, or transmit PHI on your behalf. A vendor that provides services without touching PHI (facility maintenance, landscaping) is not a business associate. However, when in doubt, it's safer to treat them as business associates and execute a BAA.
Q: What if a vendor refuses to sign a BAA?
They cannot access your PHI without a BAA. This is non-negotiable under HIPAA. If a vendor refuses, you must either find an alternative vendor or stop using their services. Some vendors claim their terms of service suffice—they don't under HIPAA.
Q: Who is responsible if a business associate has a breach?
You remain responsible for business associate compliance even if they're negligent. You could face OCR penalties if you failed to adequately assess or monitor them. This emphasizes the importance of thorough vendor risk assessment.
Q: Do we need a SOC 2 audit for all vendors?
Not necessarily. Small vendors with limited PHI access may not need SOC 2. However, vendors with significant PHI access should provide SOC 2 Type II or equivalent. At minimum, vendors should complete a HIPAA security assessment questionnaire.