HIPAA Vendor Risk Assessment Requirements
The HIPAA Security Rule requires covered entities to assess the risk of every business associate that touches PHI. Most organizations do this with a spreadsheet and hope for the best.
What HIPAA actually requires for vendor risk
The HIPAA Security Rule at § 164.308(b)(1) — the Security Management Process standard — imposes three obligations on covered entities regarding business associates.
First, assess risk before sharing PHI. Before allowing a vendor to access, process, or store protected health information, the covered entity must evaluate the vendor's security posture and determine whether adequate safeguards are in place. This is the vendor risk assessment.
Second, ensure a BAA is in place. A Business Associate Agreement is a written contract that establishes the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, and mandates breach notification. No BAA, no PHI sharing — period.
Third, monitor the business associate relationship. The covered entity must have ongoing oversight of its business associates' compliance with the BAA and applicable HIPAA requirements. This is not a one-time check. See our HIPAA industry page for the full control mapping.
BAA determination walkthrough: BambooHR
This walkthrough uses BambooHR, an HRIS/payroll platform that processes employee information for healthcare organizations, as a practical example.
Does this vendor access PHI? BambooHR processes employee records including names, dates of birth, Social Security numbers, health insurance enrollment data, and potentially disability accommodation records. For a covered entity (hospital, clinic, health plan), employee health insurance data and disability records qualify as PHI. Answer: yes.
Is a BAA required? Yes — BambooHR functions as a business associate when it processes PHI on behalf of a covered entity.
Does the vendor offer a BAA? ThirdProof's investigation of BambooHR identified SOC 2, SOC 1, and PCI DSS claims on its trust page at trust.bamboohr.com, all classified as vendor-attested. The trust page also references EU-US DPF and Swiss-US DPF participation. A BAA should be requested directly through BambooHR's compliance team.
What does the investigation reveal about compliance posture? BambooHR received Tier 4 — Low Risk at 80% confidence. Key findings: clean sanctions screening, clean domain reputation across 94 security engines, 11 open ports with 0 CVEs, and HTTP security headers scoring C (50/100). Recommended actions: obtain PCI DSS AoC, request SOC 2 Type II report, and execute a HIPAA BAA alongside the CCPA Service Provider Agreement.
Common HIPAA vendor gaps ThirdProof finds
Across investigations of healthcare-adjacent vendors, four patterns emerge consistently.
Vendors claiming HIPAA compliance without published BAA. A vendor's trust page may list HIPAA in its compliance certifications, but HIPAA compliance is not independently certifiable like SOC 2 or ISO 27001. There is no HIPAA certification body. When ThirdProof finds a HIPAA claim, it classifies it as vendor-attested and flags a recommended action to request the actual BAA and the vendor's HIPAA risk assessment documentation.
Missing HITRUST certification despite claiming it. HITRUST CSF is the closest thing to a HIPAA certification — an independently assessed framework that maps to HIPAA requirements. Some vendors claim HITRUST on their trust page but are not listed in the HITRUST assessor directory. ThirdProof's three-tier verification (independently verified, vendor-attested, not found in evidence) catches this discrepancy.
Subprocessor lists not published. The BAA flow-down requirement means your vendor's subprocessors that access PHI also need BAAs. If your vendor does not publish a subprocessor list, you have no visibility into downstream PHI exposure. ThirdProof's subprocessor discovery scanner flags vendors with no published subprocessor documentation.
HTTP security deficiencies on platforms handling PHI. While HTTP security headers on a marketing site do not directly indicate application-level security, they reflect the vendor's security configuration standards. Okta scored F (20/100) on HTTP headers — notable for a vendor that may process authentication data for healthcare systems.
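The header scores quoted above (C at 50/100, F at 20/100) come from a checklist-style scorer. The following Python is an added example, not ThirdProof's scanner or its scoring formula: it scores a response header set against six widely recommended security headers, with weights, grade bands and the HSTS max-age threshold chosen as assumptions for illustration. The two sample header sets are constructed, not captures from any vendor; the live `fetch_and_score` helper is included for practitioners who want to run the same check against their own vendor's public site.

```python
import re
from typing import Mapping
from urllib.request import Request, urlopen

# Header checklist and weights. The weights and grade bands are assumptions
# made for this example; the page reports scores but not the formula behind them.
CHECKS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-frame-options": 15,
    "x-content-type-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
}

MIN_HSTS_MAX_AGE = 15_552_000  # 180 days; an assumed minimum for HSTS to count

GRADE_BANDS = [(90, "A"), (75, "B"), (50, "C"), (30, "D"), (0, "F")]


def grade(score: int) -> str:
    """Map a 0-100 score to a letter using the assumed bands above."""
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def hsts_ok(value: str) -> bool:
    """HSTS only earns credit when max-age is long enough to matter."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE


def nosniff_ok(value: str) -> bool:
    """X-Content-Type-Options has exactly one meaningful value."""
    return value.strip().lower() == "nosniff"


def score_headers(headers: Mapping[str, str]) -> dict:
    """Return the score (0-100), letter grade and list of failed checks."""
    present = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, failed = 0, []
    for name, weight in CHECKS.items():
        value = present.get(name)
        if value is None:
            failed.append(f"{name}: missing")
        elif name == "strict-transport-security" and not hsts_ok(value):
            failed.append(f"{name}: max-age below {MIN_HSTS_MAX_AGE}")
        elif name == "x-content-type-options" and not nosniff_ok(value):
            failed.append(f"{name}: unexpected value {value!r}")
        else:
            score += weight
    return {"score": score, "grade": grade(score), "failed": failed}


def fetch_and_score(url: str, timeout: float = 10.0) -> dict:
    """Live check of a public site via a single HEAD request (not used offline)."""
    req = Request(url, method="HEAD", headers={"User-Agent": "header-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return score_headers(dict(resp.headers.items()))


# Constructed sample responses, not real captures of any vendor.
SAMPLE_C = {  # HSTS and CSP set, nothing else -> 50/100, grade C
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Content-Type": "text/html",
}
SAMPLE_F = {  # two low-weight headers plus a too-short HSTS -> 20/100, grade F
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()",
}

if __name__ == "__main__":
    for label, sample in (("sample C", SAMPLE_C), ("sample F", SAMPLE_F)):
        print(label, score_headers(sample))
```

The `failed` list is the part worth keeping in the assessment file: a bare score says little to a vendor, while "HSTS max-age below 180 days" is a concrete remediation request that can be tracked to closure at the next reassessment.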
OCR enforcement and business associate oversight
The HHS Office for Civil Rights (OCR) has increased enforcement around business associate oversight. Notable enforcement actions demonstrate the risk.
In its breach investigation guidance, OCR consistently examines whether the covered entity conducted a risk assessment of its business associate before sharing PHI, whether a BAA was in place at the time of the breach, and whether the covered entity had an ongoing monitoring program for its business associates. Covered entities that cannot demonstrate these three elements face higher settlement amounts.
The practical takeaway: document your vendor risk assessment process, maintain BAAs for every business associate, and keep evidence of periodic reassessment. ThirdProof's investigation reports provide the assessment evidence; the BAA and reassessment schedule are your responsibility to maintain.
Assess your business associates in under 2 minutes. ThirdProof checks compliance documentation, certification claims, and PHI exposure across 22 sources.
See this in action
ThirdProof automates vendor risk assessment across 21 intelligence sources. Investigate any vendor in under 2 minutes — no questionnaires, no vendor cooperation required.
Frequently asked questions
What is a HIPAA business associate?
Is HIPAA compliance independently certifiable?
What should a HIPAA vendor risk assessment include?
What happens if a business associate has a data breach?
Put this into practice
Investigate any vendor across 24 intelligence sources in under 2 minutes. Your first investigation is free.