
Vendor Risk Management for Small Healthcare Practices

The Risk You Can’t See From Your Own Network

Walk through a typical day at a small medical or dental practice and count the outside companies that touch your patients’ data. The cloud-hosted electronic health record. The billing clearinghouse. The lab interface. The appointment-reminder service that texts patients. The email and document platform. The backup provider. The IT company that manages your computers. Maybe a transcription service, a patient-survey tool, a payment processor.

Every one of those is a vendor, and most of them hold, process, or transmit protected health information (PHI) on your behalf. That is the uncomfortable reality of modern healthcare technology: a large share of your risk now lives on networks you don’t own and can’t directly inspect. When one of those vendors is breached, it is your patients whose information is exposed, and it is your practice that carries the notification obligation and the reputational cost.

You can have excellent security inside your own four walls and still suffer a major breach because a company you forgot you were paying left a database exposed.

This is not a reason to avoid vendors — modern care delivery is impossible without them. It is a reason to manage them deliberately. Vendor risk management is the discipline of knowing who touches your data, holding each of them to a reasonable standard, and having a plan for when one of them fails. This guide lays out a practical, affordable way for a small practice to do exactly that, without the staffing or tooling that large hospital systems take for granted.

What “Vendor Risk” Actually Covers

It helps to be precise about what we’re managing, because “vendor risk” is broader than most people assume. For a healthcare practice, it generally breaks into four overlapping concerns.

Confidentiality risk is the obvious one: a vendor exposes or loses PHI through a breach, a misconfiguration, or an insider. This is what most people picture, and it is the core of the HIPAA Breach Notification obligation.

Availability risk is quieter but just as real. If your cloud EHR goes down, your scheduling tool fails, or your internet circuit drops, you may be unable to deliver care. A vendor doesn’t have to be breached to hurt you — it just has to be unavailable at the wrong moment. The HIPAA Security Rule’s contingency planning expectations exist precisely because availability is part of protecting health information.

Compliance risk is the chain of accountability. Under HIPAA, a vendor that handles PHI on your behalf is a business associate, and you are required to have a Business Associate Agreement (BAA) in place. If you don’t — or if the vendor subcontracts to others who never signed one — the gap is a compliance failure that lands on you. We cover the mechanics of that relationship in depth in our guide on business associates, BAAs, and who is actually responsible.

Concentration and lock-in risk is the one practices discover too late. When a single vendor holds your data in a proprietary format with no clean export, or when one provider runs your EHR, billing, and patient communications all at once, a failure or a dispute with that vendor becomes an existential problem rather than an inconvenience.

A workable vendor risk program addresses all four, in proportion to how much each vendor can actually hurt you.

Step One: Build the Inventory You Probably Don’t Have

You cannot manage risk you can’t see, and the single most common gap in small-practice vendor management is the absence of a current list. Most practices have never written down every company that touches their data. The first, highest-value step costs nothing but an afternoon.

Build a simple vendor inventory — a spreadsheet is fine. For each vendor, capture:

  • Who they are and what service they provide.
  • What data they touch. Do they handle PHI? Payment data? Just scheduling? Be specific, because the answer drives everything else.
  • How they connect. A cloud login, a direct network interface, an API, a piece of installed software, remote access into your systems?
  • Whether a BAA is in place (and where the signed copy lives).
  • How critical they are. If they vanished tomorrow, could you still see patients?
  • A business owner inside your practice — the person responsible for that relationship.

Don’t aim for perfection on the first pass. Aim for completeness. The goal is to surface the vendors you’d otherwise forget — the reminder service signed up three years ago, the analytics tool a previous office manager enabled, the “free” app someone connected to your email. Those forgotten connections are where unmanaged risk accumulates.

This inventory is not a one-time artifact. It becomes the backbone of everything that follows, and it should be reviewed on a schedule, which we’ll come back to.

Step Two: Tier Your Vendors by Risk

Once you can see your vendors, resist the urge to treat them all the same. A small practice does not have the time to run an exhaustive security review on the company that supplies its office plants — and shouldn’t. The point of tiering is to spend your limited attention where the potential harm is greatest.

A simple three-tier model works well:

High risk — vendors that store or process significant PHI, or that have privileged access into your systems. Your EHR, your billing/clearinghouse, your email and document platform, your IT/MSP provider, your backup provider. A failure here is a serious breach or an inability to operate. These deserve the most scrutiny.

Medium risk — vendors that touch limited PHI or have narrow access. An appointment-reminder service, a patient-survey tool, a specific lab interface. A problem here is real but contained.

Low risk — vendors with no PHI and no system access. Office supplies, the plant service, general business software that never sees patient data.

The tier determines how much due diligence is reasonable, how tight the contract language needs to be, and how often you re-check. It’s a way of being thorough where it counts and pragmatic everywhere else — the affordable-advocacy principle applied to risk.
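Once the inventory from Step One exists as a spreadsheet, the tiering in Step Two and the gap checks the later steps describe (BAA missing where PHI flows, a vendor account reaching your systems without MFA, a terminated vendor with a live login, an overdue review) can be run mechanically instead of by eye. The script below is an added example, not part of the original article. The vendor rows are constructed sample data, the extra columns (status, access_active, mfa, last_reviewed), the "today" date and the exact tiering cut-offs are assumptions chosen to match the three-tier model above, not rules from any regulation.

```python
"""Vendor inventory triage: tier vendors and flag the gaps the article describes.

Constructed example. Rows, column names and cut-offs are assumptions, not real data.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory. The first seven columns follow Step One; 'status',
# 'access_active', 'mfa' and 'last_reviewed' are added assumptions.
INVENTORY_CSV = """\
vendor,service,data,connection,baa_signed,critical,owner,status,access_active,mfa,last_reviewed
CloudEHR Inc,electronic health record,PHI,cloud login,yes,yes,Dr. Lee,active,yes,yes,2023-11-02
BillFast,billing clearinghouse,PHI;payment,API,yes,yes,Office Mgr,active,yes,no,2022-09-14
RemindMe,appointment reminders,limited PHI,API,no,no,Front Desk,active,yes,yes,2024-01-20
GreenLeaf,office plants,none,none,no,no,Office Mgr,active,no,no,2024-03-01
OldAnalytics,web analytics,limited PHI,installed software,yes,no,Former Mgr,terminated,yes,no,2021-06-30
ManagedIT LLC,MSP / remote support,PHI,remote access,yes,yes,Dr. Lee,active,yes,yes,2024-05-15
"""

AS_OF = date(2024, 6, 1)                  # constructed "today" so results are reproducible
REVIEW_INTERVAL = timedelta(days=365)     # the article suggests at least an annual review
# Connection types treated as privileged access into the practice (assumption).
PRIVILEGED_CONNECTIONS = {"remote access", "installed software", "direct network interface"}


@dataclass
class Vendor:
    name: str
    data: str
    connection: str
    baa_signed: bool
    critical: bool
    status: str
    access_active: bool
    mfa: bool
    last_reviewed: date

    @property
    def handles_phi(self) -> bool:
        return "phi" in self.data.lower()

    @property
    def limited_phi(self) -> bool:
        return self.data.lower().startswith("limited")

    @property
    def has_system_access(self) -> bool:
        return self.connection.lower() != "none"


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_inventory(text: str) -> list[Vendor]:
    """Read the spreadsheet export (CSV) into Vendor records."""
    vendors = []
    for row in csv.DictReader(io.StringIO(text)):
        vendors.append(Vendor(
            name=row["vendor"], data=row["data"], connection=row["connection"],
            baa_signed=_yes(row["baa_signed"]), critical=_yes(row["critical"]),
            status=row["status"].strip().lower(), access_active=_yes(row["access_active"]),
            mfa=_yes(row["mfa"]), last_reviewed=date.fromisoformat(row["last_reviewed"]),
        ))
    return vendors


def tier(v: Vendor) -> str:
    """Three-tier model from Step Two: significant PHI, privileged access or
    operational criticality is high; limited PHI or narrow access is medium."""
    if (v.handles_phi and not v.limited_phi) or v.critical \
            or v.connection.lower() in PRIVILEGED_CONNECTIONS:
        return "high"
    if v.handles_phi or v.has_system_access:
        return "medium"
    return "low"


def findings(v: Vendor, today: date = AS_OF) -> list[str]:
    """Gap checks over one inventory row; codes are ordered by severity."""
    out = []
    if v.handles_phi and not v.baa_signed:
        out.append("MISSING_BAA")        # PHI flowing with no BAA signed
    if v.status == "terminated" and v.access_active:
        out.append("STALE_ACCESS")       # offboarded vendor still has a live login
    if v.access_active and v.has_system_access and not v.mfa:
        out.append("NO_MFA")             # vendor account reaching your systems without MFA
    if today - v.last_reviewed > REVIEW_INTERVAL:
        out.append("REVIEW_OVERDUE")     # periodic review not done within the interval
    return out


def triage(text: str, today: date = AS_OF) -> dict[str, dict]:
    """Tier and check every vendor; returns {vendor: {"tier": ..., "findings": [...]}}."""
    return {v.name: {"tier": tier(v), "findings": findings(v, today)}
            for v in parse_inventory(text)}


def report(text: str, today: date = AS_OF) -> str:
    """Human-readable summary, highest tier first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(triage(text, today).items(), key=lambda kv: order[kv[1]["tier"]])
    return "\n".join(f"[{r['tier']:6}] {name:15} {', '.join(r['findings']) or 'no gaps'}"
                     for name, r in rows)


if __name__ == "__main__":
    print(report(INVENTORY_CSV))
```

Running it against the constructed rows puts the EHR, clearinghouse, MSP and the forgotten analytics tool in the high tier, the reminder service in the medium tier, and the plant service in the low tier, and surfaces exactly the cases the article warns about: a reminder service with PHI but no BAA, a clearinghouse account without MFA that has not been reviewed in over a year, and a terminated vendor whose installed software still has live access.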

Step Three: Do Right-Sized Due Diligence Before You Sign

For a high-risk vendor, a few questions asked before you commit will tell you most of what you need to know. You are not auditing them like a federal regulator; you are confirming they take security seriously and meet the bar your practice needs.

Reasonable things to ask a high-risk vendor:

  • Will you sign a BAA? For any vendor handling PHI, this is non-negotiable. A vendor that resists or doesn’t understand the request is telling you something important.
  • Do you have an independent security attestation? A SOC 2 Type II report or HITRUST certification is strong evidence that a third party has reviewed their controls. Ask to see it, and when you do, check that the services you are buying fall within the report's scope and read any exceptions the auditor noted; a report that covers a different product, or a period that ended two years ago, tells you much less than the logo suggests.
  • How is our data encrypted — at rest and in transit?
  • How do you handle access for your own staff, and do they use MFA?
  • What is your breach notification process and timeline if you’re compromised?
  • Where is our data stored, and can we get a clean export if we leave?
  • Do you use subcontractors who would also touch our data, and are they under equivalent obligations?

The point of due diligence is not to generate paperwork. It’s to make sure that, before you hand a company your patients’ information, you actually know how they’ll protect it.

For medium-risk vendors, a lighter version — BAA in place, encryption confirmed, a basic sense of their security posture — is appropriate. For low-risk vendors, simply confirming they don’t touch PHI is usually enough. Match the effort to the stakes.

Step Four: Get the Contract and BAA Right

The contract is where good intentions become enforceable expectations. For any vendor handling PHI, the BAA is the legal floor, and it must be signed before PHI starts flowing — not “we’ll get to it.” Beyond the BAA, the service agreement is where you can set expectations on uptime, support response, data ownership, and what happens at the end of the relationship.

Two clauses practices routinely overlook are worth singling out. The first is breach notification timing — how quickly the vendor must tell you if they’re compromised, because your own notification clock can depend on theirs. The second is data return and deletion on termination — a clear, written commitment to give you your data back in a usable format and to destroy their copies when the relationship ends. Without that, leaving a vendor can mean abandoning your data to them.

A BAA on its own is not protection — it’s an allocation of responsibility. The actual security still has to happen. But a missing or sloppy BAA is a compliance gap with your name on it, so getting it right is foundational.

Step Five: Manage Access on the Principle of Least Privilege

Many of your highest-risk vendors don’t just hold data — they reach into your systems. Your IT provider, your EHR’s support team, and various integrated tools may have standing access to your network or applications. That access is a risk multiplier: a breach of the vendor can become a breach of you.

Apply least privilege to vendor access the same way you would to your own staff. Vendors should have only the access they genuinely need, scoped as narrowly as the work allows. Where possible, prefer time-bound access that’s granted for a specific task and removed afterward, rather than permanent standing accounts. Every vendor account that can reach your systems should require MFA, and remote-access pathways deserve particular attention. The principle is simple: the fewer open doors into your environment, and the smaller each one, the less any single vendor compromise can spread.

Step Six: Don’t Forget Availability and Continuity

Confidentiality gets the headlines, but availability failures are what shut down a practice on a Tuesday morning. Your vendor risk program should account for what happens when a critical vendor is down, not just when they’re breached.

For each high-risk vendor, ask a continuity question: if this service were unavailable for a day, or a week, what’s our fallback? Some answers are technical — local backups of EHR data, a documented downtime procedure for clinical staff, a secondary internet connection. Others are simply about having a plan and a contact rather than improvising under pressure. This is the same defense-in-depth thinking that underpins a good backup strategy; if you haven’t formalized your recovery approach, our piece on the 3-2-1-1-0 backup strategy is a natural companion to this section.

Step Seven: Review on a Schedule, and Offboard Cleanly

Vendor risk is not a one-time project, because your vendor list and the vendors themselves both change. New tools get added. Contracts renew. A vendor that was solid two years ago may have been acquired, changed its practices, or suffered a breach. A lightweight periodic review — even once a year for a small practice — keeps the inventory honest and catches drift before it becomes exposure. Tie this review to your broader security program so it doesn’t get forgotten.

Offboarding deserves the same discipline as onboarding, and it’s the step practices most often fumble. When you stop using a vendor, close the loop deliberately: revoke their access to your systems, confirm in writing that they’ve returned or destroyed your data per the contract, disable any integrations, and update your inventory. A vendor you no longer pay but who still has a live login into your network — or still holds a copy of your patient data — is pure downside risk with no remaining benefit.

Building a Program That Fits a Small Practice

If all of this sounds like a lot, remember the proportionality principle that runs through every step: you are matching effort to risk, not auditing the world. A small practice can run a genuinely effective vendor risk program with a single spreadsheet, a handful of pointed questions for high-risk vendors, signed BAAs, disciplined access control, and an annual review. That’s it. The point is not to build a bureaucracy; it’s to replace “we never thought about it” with “we know who touches our data and we hold them to a standard.”

This is also exactly the kind of work where a managed IT partner earns its keep. An MSP that understands healthcare can help you build the inventory, ask vendors the right technical questions, read a SOC 2 report so you don’t have to, configure least-privilege access, and keep the whole program current — turning vendor risk from a vague worry into a managed, routine part of running the practice. Security is a team effort, and your vendors, your staff, and your IT partner are all part of that team.

Where to Start

Don’t try to do everything at once. The highest-value first move is the inventory: spend one afternoon listing every company that touches your data, what they touch, and whether a BAA is in place. That single document will show you where your real exposure is and turn an abstract worry into a concrete, prioritized list. From there, tier the vendors, shore up the BAAs and access for your high-risk handful, and put a yearly review on the calendar. Each of those steps strengthens your security posture and supports your HIPAA Security Rule efforts — and none of them requires an enterprise budget. For how this fits into the broader picture, visit our HIPAA Security Rule resource hub.