Every healthcare organization runs on vendors. An average ambulatory practice has 20–40 Business Associates. A health system has hundreds. Each one creates HIPAA exposure. Each one requires a Business Associate Agreement — and a BAA alone is not enough. The BAA is the legal vehicle. Vendor risk management is the program. This article covers both.
What a BAA Must Contain
HIPAA's regulatory requirement for a BAA is specific. At minimum, a compliant BAA must:
- Establish the permitted and required uses and disclosures of PHI by the business associate
- Provide that the business associate will not use or further disclose PHI except as permitted by the contract or required by law
- Require the business associate to use appropriate safeguards — and to comply with the Security Rule with respect to ePHI
- Require the business associate to report any use or disclosure of PHI not provided for by the contract, including breaches
- Require the business associate to ensure that subcontractors that receive PHI agree to the same restrictions (flow-down)
- Make PHI available to the individual or covered entity as needed for access requests
- Make PHI available for amendment
- Make available an accounting of disclosures
- Make internal practices, books, and records available to HHS for compliance determination
- At termination, return or destroy all PHI received, or extend protections if return/destruction is infeasible
- Authorize the covered entity to terminate the contract if the business associate violates a material term
What a Strong BAA Adds Beyond the Minimum
A BAA that only meets the regulatory floor leaves the covered entity exposed. Additional provisions we recommend for every healthcare BAA:
- Specific breach notification timeline — the rule says "without unreasonable delay" and sets an outer limit of 60 calendar days from discovery; specify a much shorter number (24, 48, or 72 hours) to remove ambiguity
- Cooperation during breach investigation — specific language requiring BA cooperation with forensic investigation, preservation of evidence, and provision of logs
- Cost allocation for breaches — who pays for breach notification, credit monitoring, OCR investigation response
- Cybersecurity insurance requirement — minimum limits appropriate to the BA's scope and data access
- Security control requirements — specific controls (MFA, encryption, logging, vulnerability management) rather than general "appropriate safeguards"
- Audit rights — the covered entity's right to audit BA security, either directly or via third-party attestation
- SOC 2 / HITRUST / ISO 27001 requirements — ongoing attestation rather than one-time assessment
- Data residency and sovereignty — where PHI is stored and processed
- Subcontractor notification and approval — not just flow-down, but advance notice and veto rights
- Indemnification — clear allocation of liability for breaches caused by the BA
Evaluating a Healthcare MSP
The managed service provider is one of the most consequential vendor decisions a practice makes. An MSP has deep access: often domain admin credentials, backup systems, and EHR administrative privileges. A compromised MSP is a blast-radius event for every client the MSP serves. The 2019 wave of ransomware attacks delivered through compromised MSP tooling is not ancient history; MSP-vector ransomware remains active.
Due diligence for a healthcare MSP should cover:
- SOC 2 Type II report — not Type I (point-in-time) but Type II (over a period). HITRUST CSF is even stronger. Ask for the report, read it, note any exceptions.
- Healthcare-specific experience — not just "we have healthcare clients" but demonstrated HIPAA fluency, EHR familiarity, and healthcare-specific incident response experience
- Multi-tenant architecture — how they separate client data, credentials, and administrative access
- Privileged access management — how their technicians access client environments. Vaulted credentials, MFA, session recording, just-in-time access
- Incident response capability — on-call structure, DFIR partnerships, tabletop exercise cadence
- Cyber insurance — their own coverage, and limits
- Client concentration risk — how many healthcare clients share the same RMM platform and administrative tooling, and how a single compromise of that platform would propagate across them
- Supply chain posture — their own subcontractors and what access they have
- Breach history — ask about past incidents, what they learned, what changed
The Vendor Inventory
Vendor risk management starts with knowing who your vendors are. Every healthcare practice should maintain a vendor inventory that includes:
- Vendor name and primary contact
- Service provided
- Data accessed (PHI, payment card, employee data, none)
- Business associate status
- BAA on file (date signed, date of current version)
- Most recent due diligence date
- SOC 2 / HITRUST / ISO attestation, with report date
- Cyber insurance verification
- Access level (admin, read-only, no access)
- Criticality tier (high / medium / low based on business impact of compromise)
An inventory that is not reviewed at least quarterly drifts quickly. Account changes, vendor substitutions, acquisitions, and staff turnover all change the picture.
Tiered Due Diligence
Not every vendor needs equivalent due diligence. Tier the program:
- Tier 1 (high criticality — EHR, MSP, cloud hosting, backup, email security): annual SOC 2 / HITRUST review, breach history review, penetration test results, cyber insurance verification, executive-level relationship
- Tier 2 (medium — billing, scheduling, patient engagement, telehealth): biennial review, standard due diligence questionnaire, BAA review
- Tier 3 (low — janitorial with potential PHI exposure, shredding, copier service): BAA on file, baseline security questionnaire at contract
Calibrate by data access, not just vendor category. A "low-risk" copier service becomes high-risk when the copier stores scanned documents on an internal drive.
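The inventory fields and the tiering rules above lend themselves to a small script that derives each vendor's tier from what it actually touches and then checks the row the way the annual review would. The following is an added example, not code from the article or from Techvera; the Vendor fields, the category-to-tier mapping, the review cadences, and every inventory row are assumptions constructed to mirror the text, and the vendor names are fictional.

```python
"""Tier a vendor inventory by data access and flag overdue reviews.

Added example; not code from the article or from Techvera. The Vendor fields,
the tier rules, the review cadences and the inventory rows are assumptions
built to mirror the tiers and the inventory fields described in the text.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Review cadence per tier (assumption matching the text: Tier 1 annual, Tier 2
# biennial, Tier 3 assessed at contract only, so no recurring interval).
REVIEW_INTERVAL_DAYS: dict[int, int | None] = {1: 365, 2: 730, 3: None}

# Starting tier by vendor category (assumption mirroring the text's examples).
CATEGORY_TIER = {
    "ehr": 1, "msp": 1, "cloud_hosting": 1, "backup": 1, "email_security": 1,
    "billing": 2, "scheduling": 2, "patient_engagement": 2, "telehealth": 2,
    "janitorial": 3, "shredding": 3, "copier": 3,
}


@dataclass
class Vendor:
    name: str
    category: str
    data_accessed: frozenset[str]        # subset of {"phi", "payment_card", "employee"}
    access_level: str                    # "admin", "read-only", "incidental" or "none"
    stores_data_locally: bool = False    # e.g. a copier with an internal drive
    baa_signed: date | None = None
    last_due_diligence: date | None = None
    attestation_date: date | None = None  # most recent SOC 2 / HITRUST / ISO report

    @property
    def is_business_associate(self) -> bool:
        return "phi" in self.data_accessed


def derive_tier(v: Vendor) -> int:
    """Category sets the starting tier; PHI access and privilege can only make it more critical."""
    if not v.data_accessed and v.access_level == "none":
        return 3                                # nothing to lose and nothing to log in to
    tier = CATEGORY_TIER.get(v.category, 2)     # unknown categories start mid-tier (assumption)
    if "phi" in v.data_accessed:
        if v.access_level == "admin" or v.stores_data_locally:
            return 1                            # the copier-with-a-hard-drive case from the text
        if v.access_level == "read-only":
            tier = min(tier, 2)                 # electronic PHI access is never "low"
    return tier


def review_findings(v: Vendor, today: date) -> list[str]:
    """Check one inventory row the way the annual program review would."""
    findings: list[str] = []
    tier = derive_tier(v)
    if v.is_business_associate and v.baa_signed is None:
        findings.append("no BAA on file")
    interval = REVIEW_INTERVAL_DAYS[tier]
    if interval is not None:
        if v.last_due_diligence is None:
            findings.append(f"tier {tier}: no due diligence on record")
        elif (today - v.last_due_diligence).days > interval:
            findings.append(f"tier {tier}: due diligence overdue (last {v.last_due_diligence})")
    if tier == 1:                               # Tier 1 needs a current attestation every year
        if v.attestation_date is None:
            findings.append("tier 1: no SOC 2 / HITRUST / ISO attestation on file")
        elif (today - v.attestation_date).days > 365:
            findings.append(f"tier 1: attestation older than a year ({v.attestation_date})")
    return findings


def review_inventory(vendors: list[Vendor], today: date) -> dict[str, tuple[int, list[str]]]:
    """Map vendor name to (derived tier, list of findings)."""
    return {v.name: (derive_tier(v), review_findings(v, today)) for v in vendors}


# Constructed sample inventory; every row and name is fictional.
AS_OF = date(2024, 6, 1)
INVENTORY = [
    Vendor("Example EHR Co", "ehr", frozenset({"phi"}), "admin",
           baa_signed=date(2023, 1, 15), last_due_diligence=date(2023, 2, 1),
           attestation_date=date(2023, 1, 10)),
    Vendor("Example MSP", "msp", frozenset({"phi"}), "admin",
           baa_signed=date(2024, 1, 10), last_due_diligence=date(2024, 3, 1),
           attestation_date=date(2024, 2, 15)),
    Vendor("Example Copier Service", "copier", frozenset({"phi"}), "read-only",
           stores_data_locally=True),
    Vendor("Example Janitorial", "janitorial", frozenset({"phi"}), "incidental",
           baa_signed=date(2022, 5, 1)),
    Vendor("Example Billing", "billing", frozenset({"phi", "payment_card"}), "read-only",
           baa_signed=date(2021, 9, 1), last_due_diligence=date(2022, 1, 15)),
    Vendor("Example Office Supply", "office_supplies", frozenset(), "none"),
]

if __name__ == "__main__":
    for name, (tier, findings) in review_inventory(INVENTORY, AS_OF).items():
        print(f"Tier {tier}  {name:<24} {'; '.join(findings) if findings else 'ok'}")
```

Run as written, the copier service is promoted to Tier 1 because it holds scanned PHI on its own drive, and it is flagged for a missing BAA, no due diligence, and no attestation; the billing vendor stays Tier 2 but is flagged because its last review is past the biennial window. The point of deriving the tier in code rather than assigning it by hand is that the inventory row itself (data accessed, access level, local storage) drives the cadence, so a category label like "copier" cannot quietly understate exposure.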
What Goes in a Vendor Security Questionnaire
A practical vendor security questionnaire for healthcare should cover:
- Information security program maturity and certifications
- Data handling (where stored, who accesses, how long retained)
- Encryption at rest and in transit
- Access controls (MFA, privileged access management, role-based access)
- Audit logging and retention
- Incident response program and breach history
- Business continuity and disaster recovery
- Subcontractor management
- Employee background checks and training
- Vulnerability management and patching cadence
- Physical security
- Insurance coverage
The SIG questionnaire (Shared Assessments) and the CAIQ (Cloud Security Alliance) are industry-standard templates. Customize either for healthcare-specific concerns such as PHI handling, BAA flow-down to subcontractors, and breach notification timelines.
Termination and Offboarding
Vendor termination is a point where PHI frequently escapes controlled channels: credentials linger, data sits on decommissioned systems, and nobody owns the follow-up. A strong offboarding procedure includes:
- Written notice of termination, with reference to BAA obligations
- Documented return or destruction of all PHI
- Certificate of destruction for any destroyed PHI
- Revocation of all credentials, API keys, VPN access, RMM agents
- Removal from approved vendor lists, security monitoring exemptions, firewall allow lists
- Final accounting of outstanding obligations (indemnification survival, insurance tail coverage)
Run this as a checklist per vendor. Missed items are future breach sources.
The Annual Program Review
At least annually, the vendor risk program itself should be reviewed:
- Has the vendor inventory been refreshed?
- Does any vendor hold more access than its current scope requires (a candidate for downgrade), or has any vendor's scope expanded (a candidate for upgrade)?
- Have any vendors had public security incidents that warrant reassessment?
- Are all BAAs on the current version?
- Have the tier classifications held up, or do any need adjustment?
For help building or auditing a vendor risk program, see our healthcare compliance services or schedule a consultation. We work with practices to build vendor inventories, evaluate MSP relationships, and close vendor-side compliance gaps.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
