Business Associate Agreements Aren’t Protection. They’re a Starting Point.
A signed BAA tells you a vendor agreed to safeguard ePHI. It doesn’t tell you whether they actually are.
Most healthcare organizations have business associate agreements on file for their major vendors, billing services, cloud hosting providers, transcription services, telehealth platforms. The agreement gets signed during onboarding, filed, and rarely revisited.
This is one of the most common, and most consequential, compliance gaps in the industry. A signed BAA establishes a legal obligation. It does not establish ongoing assurance that the obligation is being met. A growing share of healthcare data breaches now originate not from the covered entity itself, but from a business associate or subcontractor with weaker security controls.
Why the “set and forget” approach fails
A vendor’s risk profile is not static. Systems get upgraded, subcontractors get added, security postures change, and personnel turn over. The BAA signed three years ago may reflect almost nothing about how that vendor currently handles your data. Without a recurring verification process, organizations are operating on an assumption of safety rather than evidence of it.
This becomes acutely visible during a breach investigation or audit, when the question shifts from “did you have an agreement” to “what oversight did you exercise.” A filed contract with no ongoing monitoring behind it offers limited protection in that conversation.
Building real vendor oversight
- Inventory every vendor with ePHI access, including subcontractors your direct vendors may rely on.
- Require annual written verification that each vendor has implemented the safeguards their agreement requires, not just a renewed signature.
- Tier vendors by risk and data sensitivity, and apply more frequent review to those with the broadest or most sensitive access.
A business associate agreement is the floor of a vendor relationship, not the ceiling. Organizations that treat it as ongoing oversight, not a one-time formality, are the ones that hold up under scrutiny.