Plan Ahead

Bringing On a New IT Vendor

We're onboarding a new vendor — what HIPAA steps are required?

Get HIPAA Requirements Right Before You Sign

Vendor onboarding is one of the highest-risk areas for HIPAA compliance failures. Organizations often sign contracts and grant system access before completing the necessary HIPAA steps. The right order matters: assess, negotiate, execute the BAA, then grant access.

Step 1: Determine If This Vendor Is a Business Associate

Not every vendor requires a BAA. The key question: will this vendor create, receive, maintain, or transmit PHI in order to perform services for you?

Business Associate — BAA Required:

  • EHR, billing, scheduling, or practice management software vendors
  • IT support companies with remote access to systems containing PHI
  • Cloud providers where PHI is stored (AWS, Azure, Google Cloud — even if indirectly)
  • Transcription, coding, or billing services
  • Analytics platforms that process patient data
  • Lawyers or accountants who access PHI as part of their service
  • Shredding or document destruction companies

NOT a Business Associate — No BAA Required:

  • Internet service providers (conduit exception — they transmit but don't access content)
  • Janitorial services (unless they access areas with PHI)
  • Office supply companies
  • Marketing vendors who don't handle PHI

When in doubt, err toward treating the vendor as a Business Associate and executing a BAA.

Step 2: Vendor Due Diligence

Before signing anything, assess the vendor's security posture. A Business Associate's breach is your breach — you bear notification and liability exposure even when the breach occurs at the vendor's end. Evaluate:

  • Security certifications: Do they have SOC 2 Type II, HITRUST, ISO 27001, or similar certifications?
  • HIPAA compliance program: Do they have documented HIPAA policies? Have they conducted their own SRA?
  • Breach history: Have they had reportable breaches? How were they handled?
  • Subcontractors: Who are their subcontractors, and do they have BAAs with them? (Your BA must have BAAs with their subcontractors — your "downstream" BAs)
  • Data handling practices: Where is data stored geographically? Who has access? How is it encrypted?
  • Incident response: Do they have a documented incident response plan? What's their breach notification commitment?

Use the Vendor Risk Questionnaire in your compliance portal to capture and document vendor responses. This questionnaire covers the key areas OCR looks at when reviewing vendor management practices.

Step 3: Execute the Business Associate Agreement

The BAA must be signed by authorized representatives of both parties before any PHI is shared or the vendor has access to systems containing PHI. A compliant BAA must include:

  • What the BA is permitted to do with PHI (permitted uses and disclosures)
  • The BA's obligation to protect PHI and implement appropriate safeguards
  • The BA's obligation to report breaches and security incidents to you
  • The BA's obligation to ensure its subcontractors comply (downstream BA requirements)
  • Requirements for returning or destroying PHI at contract termination
  • Your right to terminate the contract if the BA violates the BAA

Many large vendors (AWS, Google, Microsoft) offer standard BAA addendums. Review them carefully — some have carve-outs that may not be acceptable. Have legal counsel review any BAA before signing.

Step 4: Document in Your Vendor Management System

Once the BAA is executed, add the vendor to your compliance portal's Vendor Management section:

  • Vendor name and contact information
  • Services provided
  • BAA execution date and expiration (if any)
  • BAA document uploaded and stored
  • Risk assessment results
  • Systems or PHI types they can access
  • Next review date

Step 5: Ongoing Monitoring

Vendor management doesn't end at onboarding. Establish ongoing monitoring:

  • Annual review of each BA relationship — is the BAA still current and accurate?
  • Re-run the risk questionnaire annually or when the vendor's services significantly change
  • Track any security incidents or breaches reported by the vendor
  • Ensure BAAs are updated if HIPAA regulations change or the vendor's services change
  • Audit vendor access — confirm that only authorized vendor personnel have system access
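The records in Step 4 and the checks in Step 5 lend themselves to an automated review. The following is an added example, not part of the original guide or of any compliance portal product: a small vendor-register audit in Python that flags the failure modes the guide describes (access granted before the BAA was executed, a BAA with no stored document, an expired BAA, an overdue annual review, and a subcontractor without a downstream BAA). The vendor names, dates and the `Vendor` record layout are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Vendor:
    """One row of a vendor register, following the Step 4 fields (constructed layout)."""
    name: str
    handles_phi: bool                      # Step 1: is this vendor a Business Associate?
    baa_executed: Optional[date]           # Step 3: BAA execution date, or None if not signed
    baa_expires: Optional[date]            # BAA expiration, if the agreement has one
    baa_document_stored: bool              # Step 4: signed BAA uploaded to the register
    access_granted: Optional[date]         # date the vendor received system / PHI access
    next_review: Optional[date]            # Step 5: scheduled annual review date
    subcontractors_without_baa: List[str] = field(default_factory=list)


def audit_vendor(v: Vendor, today: date) -> List[str]:
    """Return a list of findings for one vendor; an empty list means no issues."""
    findings: List[str] = []
    if not v.handles_phi:
        return findings  # not a Business Associate: no BAA obligations to check

    if v.baa_executed is None:
        findings.append("no BAA executed")
    elif not v.baa_document_stored:
        findings.append("BAA executed but document not stored in register")

    # The guide's required order is assess, negotiate, execute the BAA, then grant access.
    if v.access_granted is not None:
        if v.baa_executed is None or v.access_granted < v.baa_executed:
            findings.append("access granted before BAA execution")

    if v.baa_expires is not None and v.baa_expires < today:
        findings.append("BAA expired")

    if v.next_review is None or v.next_review < today:
        findings.append("annual review overdue or unscheduled")

    for sub in v.subcontractors_without_baa:
        findings.append(f"subcontractor without downstream BAA: {sub}")
    return findings


def audit_register(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Audit every vendor in the register and map vendor name to its findings."""
    return {v.name: audit_vendor(v, today) for v in vendors}


# Constructed sample register; names and dates are illustrative only.
SAMPLE_REGISTER = [
    Vendor("Example EHR Co", True, date(2023, 1, 10), None, True,
           date(2023, 1, 15), date(2024, 1, 10)),
    Vendor("Example IT Support", True, date(2024, 3, 1), None, False,
           date(2024, 2, 20), date(2025, 3, 1), ["Example Offsite Backup"]),
    Vendor("Example Office Supply", False, None, None, False, None, None),
]
SAMPLE_TODAY = date(2024, 6, 1)


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed register as of the constructed 'today'."""
    return audit_register(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, findings in sample_audit().items():
        status = "; ".join(findings) if findings else "no findings"
        print(f"{name}: {status}")
```

Run as a script it prints one line per vendor. Against the constructed register, the EHR vendor only needs its annual review rescheduled, the IT support vendor shows the classic ordering failure (access granted before the BAA was signed) plus a missing stored document and an uncovered subcontractor, and the office-supply vendor is skipped because it never handles PHI.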
