Third-Party Vendors and HIPAA: Why Your BAA Isn’t Enough

If you work in healthcare, you know that any vendor handling protected health information (PHI) needs to sign a Business Associate Agreement (BAA). You’ve collected the signatures. You’ve checked the compliance box.

But a signed BAA doesn’t mean patient data is actually protected. It means you have a legal document that establishes accountability if a healthcare data breach occurs.

That’s not the same thing as cybersecurity protection.

What a Business Associate Agreement Actually Does and Doesn’t Do

A Business Associate Agreement is a legal document that establishes responsibility between a covered entity and a business associate under HIPAA.

It confirms the vendor understands its HIPAA obligations, agrees to implement appropriate safeguards for electronic protected health information (ePHI), agrees to report security incidents and breaches involving that ePHI to the covered entity, and accepts liability if it fails to do so. While important, a BAA is a contractual protection, not a technical security control.

A signed BAA does not:

  • Encrypt ePHI at rest or in transit on the vendor’s systems
  • Enforce multi-factor authentication (MFA) on the vendor’s accounts
  • Strengthen access controls
  • Detect or monitor suspicious activity
  • Prevent phishing attacks
  • Improve incident response capabilities

More than half of major healthcare data breaches involve business associates or third-party vendors. When those incidents occur, the covered entity still faces regulatory scrutiny, breach notification obligations, reputational damage, operational disruption, and the cost of breach response, regardless of whose systems were compromised.

The Questions Your BAA Isn’t Asking

Before a third-party vendor accesses patient data, healthcare organizations should understand what cybersecurity controls are actually in place.

Important questions include:

  • Does the vendor enforce MFA for all accounts that can reach ePHI, including remote and administrative access?
  • How is access to ePHI granted, reviewed, revoked, and monitored?
  • Are access controls role-based and limited to the minimum necessary for each role?
  • Are audit logs retained and reviewed regularly, and does someone act on what they show?
  • What is the vendor’s incident response process, and how quickly will it notify you of a security incident involving your ePHI?
  • Has the vendor completed a recent cybersecurity risk assessment, and will it share the results or an independent attestation?
  • How are backups encrypted, kept separate from production credentials, and tested by an actual restore?

These are not unreasonable demands. They are standard cybersecurity expectations for organizations handling sensitive healthcare information.

Vendors that resist answering security questions may be revealing important gaps in their cybersecurity posture.

Ongoing Vendor Oversight Is Part of HIPAA Compliance

HIPAA does not simply require organizations to collect BAAs. The Security Rule requires an ongoing risk analysis and risk management process covering all ePHI the organization creates, receives, maintains, or transmits, which includes ePHI handled on its behalf by business associates. And under the Privacy Rule, a covered entity that knows of a pattern of activity or practice by a business associate that constitutes a material breach of the BAA must take reasonable steps to cure it, or else terminate the contract. Collecting the signature and then looking away does not satisfy either obligation.

That means vendor oversight should be an ongoing process, not a one-time onboarding task.

As vendors update systems, add employees, change infrastructure, or modify how they handle ePHI, healthcare organizations need to continually evaluate whether those vendors still meet cybersecurity and HIPAA compliance expectations.

Even a simple annual vendor security review goes significantly further than what many healthcare organizations currently do today.

The Bottom Line

Third-party vendors represent one of the most significant and under-managed cybersecurity risks in healthcare.

A Business Associate Agreement is an important legal requirement, but it is only the starting point. Healthcare organizations that successfully protect patient data treat vendor security management as an ongoing operational discipline, not a one-time signature process.

Review your vendor list. Ask more in-depth cybersecurity questions. And don’t mistake paperwork for protection.
