Every third party that touches PHI needs a signed Business Associate Agreement (BAA) and a periodic risk review. The Vendors area tracks both the vendor itself and the state of its BAA, so a missing or expiring agreement doesn't slip past you.
Each vendor holds its services, data access (none / limited / full), a risk level (low → critical), a status (active / under review / terminated), and its BAA state: whether one is signed, the signed date, and the expiry date. Contact details and internal notes round it out.
The list view summarizes the two things that bite: vendors missing a BAA and BAAs expiring within 30 days. A vendor's own page shows a red or amber alert when its BAA has expired or is close to expiring.
Assess runs a 15-question HIPAA security questionnaire (access controls, encryption, incident response, monitoring, continuity, third-party audits). Answers are scored 0–100, and the score sets the vendor's risk level automatically (≥80 low, ≥60 medium, ≥40 high, below that critical). Running an assessment also stamps the vendor's last review date.
Set a next review date to schedule the follow-up; the list flags overdue reviews, and the compliance calendar surfaces upcoming BAA expiry and vendor review dates alongside your other deadlines.
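The rules in the three paragraphs above (the 30-day BAA window, the 0–100 questionnaire score and its four risk bands, and overdue-review flagging) are concrete enough to reproduce outside the tool, for instance when auditing an export against what the list view shows. The following is an added example, not the product's own code: the `Vendor` record shape and the sample vendors are constructed, and because the page does not say how individual answers become a 0–100 score, the example assumes 15 equally weighted yes/no answers. The window boundaries (30 days inclusive, an agreement expiring today counted as expiring rather than expired, overdue meaning strictly past) are also assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Sequence

# Rules stated on the page.
QUESTION_COUNT = 15          # 15-question HIPAA security questionnaire
BAA_WARNING_DAYS = 30        # "expiring within 30 days"
RISK_THRESHOLDS = ((80, "low"), (60, "medium"), (40, "high"))  # below 40: critical


@dataclass
class Vendor:
    # Hypothetical record shape; the tool's own storage format is not on the page.
    name: str
    baa_signed: bool = False
    baa_expires: Optional[date] = None
    next_review: Optional[date] = None


def score_questionnaire(answers: Sequence[bool]) -> int:
    """Assumed scoring: every question has equal weight, True means the
    control is in place, and the result is 0-100 rounded to an integer.
    The page only says answers are scored 0-100, not how."""
    if len(answers) != QUESTION_COUNT:
        raise ValueError(f"expected {QUESTION_COUNT} answers, got {len(answers)}")
    return round(100 * sum(answers) / QUESTION_COUNT)


def risk_level(score: int) -> str:
    """Map a 0-100 score onto the page's four levels (>=80 low, >=60 medium,
    >=40 high, otherwise critical)."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    for threshold, level in RISK_THRESHOLDS:
        if score >= threshold:
            return level
    return "critical"


def baa_status(vendor: Vendor, today: date) -> str:
    """One of 'missing', 'no_expiry', 'expired', 'expiring', 'ok'.
    Assumptions: the 30-day window is inclusive, an agreement expiring
    today is 'expiring' rather than 'expired', and a signed BAA with no
    expiry on file is surfaced separately because it cannot be tracked."""
    if not vendor.baa_signed:
        return "missing"
    if vendor.baa_expires is None:
        return "no_expiry"
    days_left = (vendor.baa_expires - today).days
    if days_left < 0:
        return "expired"
    if days_left <= BAA_WARNING_DAYS:
        return "expiring"
    return "ok"


def review_overdue(vendor: Vendor, today: date) -> bool:
    """Overdue means the next review date is strictly in the past (assumption)."""
    return vendor.next_review is not None and vendor.next_review < today


def flag_vendors(vendors: Sequence[Vendor], today: date) -> dict:
    """Reproduce the list-view summary: who lacks a BAA, whose BAA has
    expired or expires within the window, whose BAA has no expiry on file,
    and whose review is overdue. Each value is a list of vendor names."""
    flags = {"missing_baa": [], "expired_baa": [], "expiring_baa": [],
             "no_expiry_baa": [], "overdue_review": []}
    for v in vendors:
        status = baa_status(v, today)
        if status != "ok":
            flags[f"{status}_baa"].append(v.name)
        if review_overdue(v, today):
            flags["overdue_review"].append(v.name)
    return flags


# Constructed sample data, not real vendors.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Cloud Host A", True, date(2025, 1, 15), date(2024, 9, 1)),   # nothing to flag
    Vendor("Billing SaaS", True, date(2024, 7, 1), date(2024, 5, 15)),   # exactly 30 days left, review overdue
    Vendor("Shredding Co", True, date(2024, 5, 31)),                      # expired yesterday
    Vendor("Analytics Vendor", False),                                    # BAA never signed
    Vendor("Legacy EHR Interface", True, None, date(2024, 6, 1)),         # signed, no expiry on file
]

if __name__ == "__main__":
    for flag, names in flag_vendors(SAMPLE_VENDORS, SAMPLE_TODAY).items():
        print(f"{flag}: {names}")
    score = score_questionnaire([True] * 11 + [False] * 4)  # 11 of 15 controls in place
    print(score, risk_level(score))
```

Running it lists Analytics Vendor under `missing_baa`, Shredding Co under `expired_baa`, Billing SaaS under both `expiring_baa` and `overdue_review`, and Legacy EHR Interface under `no_expiry_baa`; the 11-of-15 questionnaire scores 73 and lands in the medium band. Keep the band thresholds in one place, as `RISK_THRESHOLDS` does here, so a change in policy cannot leave the list view and the vendor page disagreeing about a vendor's risk.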
The separate Business Associates registry (Settings → Business Associates) is for tracking agreements as standalone compliance evidence, with their own agreement and review/expiration dates.
Anyone can view vendors. Contributors and admins can add, edit, and assess them. Only org admins can bulk-import, bulk-manage, or manage the Business Associates registry. Auditors are read-only.