OnlyHIPAA

Vendors & Business Associates

Every third party that touches PHI needs a signed Business Associate Agreement (BAA) and a periodic risk look. The Vendors area tracks both — the vendor itself and the state of its BAA — so a gap or an expiring agreement doesn't slip past you.

A vendor record

Each vendor holds its services, data access (none / limited / full), a risk level (low → critical), a status (active / under review / terminated), and its BAA state: whether one is signed, the signed date, and the expiry date. Contact details and internal notes round it out.

The list view summarizes the two things that bite: vendors missing a BAA and BAAs expiring within 30 days. A vendor's own page shows a red or amber alert when its BAA is expired or close to it.

Risk assessment

Assess runs a 15-question HIPAA security questionnaire (access controls, encryption, incident response, monitoring, continuity, third-party audits). Answers are scored 0–100, and the score sets the vendor's risk level automatically (≥80 low, ≥60 medium, ≥40 high, below that critical). Running an assessment also stamps the vendor's last review date.

Reviews & reminders

Set a next review date to schedule the next look; the list flags overdue reviews, and the compliance calendar surfaces upcoming BAA and vendor review dates alongside your other deadlines.

The separate Business Associates registry (Settings → Business Associates) is for tracking agreements as standalone compliance evidence, with their own agreement and review/expiration dates.
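The checks described above (vendor record with BAA state, list-view flags for a missing BAA and for BAAs expiring within 30 days, the 0–100 assessment score mapped to a risk level, and overdue next-review dates) as one worked example. This is added illustration code, not OnlyHIPAA's own implementation: the `Vendor` dataclass, the function names and the sample vendors are constructed here, and the scoring rule (score = percentage of "yes" answers on the 15-question questionnaire) is an assumption, since the page gives the scale and the thresholds but not how answers are scored. It also assumes a BAA counts as expired only once its expiry date has passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical vendor record modelled on the fields the page lists.
@dataclass
class Vendor:
    name: str
    data_access: str                  # "none" | "limited" | "full"
    status: str = "active"            # "active" | "under review" | "terminated"
    baa_signed: bool = False
    baa_signed_on: Optional[date] = None
    baa_expires_on: Optional[date] = None
    next_review_on: Optional[date] = None
    risk_level: Optional[str] = None
    last_reviewed_on: Optional[date] = None

QUESTION_COUNT = 15                   # size of the questionnaire per the page
BAA_EXPIRY_WINDOW = timedelta(days=30)  # "expiring within 30 days"

def risk_level_for(score: int) -> str:
    """Map a 0-100 score to the page's bands: >=80 low, >=60 medium, >=40 high, else critical."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    if score >= 80:
        return "low"
    if score >= 60:
        return "medium"
    if score >= 40:
        return "high"
    return "critical"

def score_questionnaire(answers) -> int:
    """ASSUMPTION: score is the share of 'yes' answers, rounded to an integer 0-100."""
    if len(answers) != QUESTION_COUNT:
        raise ValueError(f"expected {QUESTION_COUNT} answers, got {len(answers)}")
    return round(100 * sum(1 for a in answers if a) / QUESTION_COUNT)

def assess(vendor: Vendor, answers, today: date) -> int:
    """Score the questionnaire, set the risk level and stamp the last review date."""
    score = score_questionnaire(answers)
    vendor.risk_level = risk_level_for(score)
    vendor.last_reviewed_on = today
    return score

def vendor_flags(vendor: Vendor, today: date) -> list:
    """Return the alert flags the list view would raise for one vendor."""
    flags = []
    if not vendor.baa_signed:
        flags.append("baa_missing")
    elif vendor.baa_expires_on is not None:
        if vendor.baa_expires_on < today:            # assumption: expired after the expiry date
            flags.append("baa_expired")
        elif vendor.baa_expires_on - today <= BAA_EXPIRY_WINDOW:
            flags.append("baa_expiring_soon")
    if vendor.next_review_on is not None and vendor.next_review_on < today:
        flags.append("review_overdue")
    return flags

def registry_summary(vendors, today: date) -> dict:
    """Counts for the list-view summary across the whole registry."""
    summary = {"missing_baa": 0, "expiring_within_30_days": 0, "expired": 0, "overdue_reviews": 0}
    for v in vendors:
        flags = vendor_flags(v, today)
        summary["missing_baa"] += "baa_missing" in flags
        summary["expiring_within_30_days"] += "baa_expiring_soon" in flags
        summary["expired"] += "baa_expired" in flags
        summary["overdue_reviews"] += "review_overdue" in flags
    return summary

# Constructed sample data (not real vendors).
TODAY = date(2026, 3, 1)
SAMPLE_VENDORS = [
    Vendor("Acme Billing", "full", baa_signed=True, baa_signed_on=date(2025, 3, 20),
           baa_expires_on=date(2026, 3, 20), next_review_on=date(2026, 9, 1)),
    Vendor("Cloud Backup Co", "full"),                       # no BAA on file
    Vendor("Transcribe Ltd", "limited", baa_signed=True, baa_signed_on=date(2025, 2, 1),
           baa_expires_on=date(2026, 2, 1), next_review_on=date(2026, 1, 15)),
    Vendor("Office Supplies", "none", baa_signed=True, baa_signed_on=date(2026, 1, 1),
           baa_expires_on=date(2027, 1, 1), next_review_on=date(2026, 6, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:18} {vendor_flags(v, TODAY)}")
    print(registry_summary(SAMPLE_VENDORS, TODAY))
    v = SAMPLE_VENDORS[0]
    print(v.name, "score", assess(v, [True] * 12 + [False] * 3, TODAY), "->", v.risk_level)
```

Running it prints one flag list per sample vendor, the registry counts, and an assessment for the first vendor; the same thresholds apply whatever the questionnaire's real weighting is, since only `score_questionnaire` carries the assumed scoring rule.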

Who can do what

Anyone can view vendors. Contributors and admins can add, edit, and assess them. Only org admins can bulk-import, bulk-manage, or manage the Business Associates registry. Auditors are read-only.

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.