Last updated: July 7, 2026 · By Stas Bojoukha, Founder of Compyl
Third-party risk management (TPRM) in healthcare is the practice of identifying, assessing, and continuously monitoring the risk your vendors and business associates create for patient data. It matters more in healthcare than any other industry for one blunt reason: under HIPAA, your vendor’s breach is your breach. Regulators, patients, and plaintiffs’ attorneys will not care that it was your transcription vendor’s fault.

Why healthcare TPRM is different
Three things make healthcare the hardest TPRM environment. First, the data: PHI is more valuable on secondary markets than payment card data and cannot be reissued like a credit card. Second, the vendor sprawl: a mid-size healthcare organization typically shares PHI with hundreds of business associates — EHR platforms, billing processors, transcription services, analytics vendors, imaging providers. Third, the liability structure: HIPAA’s business associate rules mean the covered entity carries regulatory exposure for its vendors’ failures, and breaches involving business associates have been among the largest healthcare incidents on record. Healthcare has also topped IBM’s Cost of a Data Breach Report as the most expensive breach industry for over a decade.
This is not a theoretical concern for us. In Compyl’s analysis of more than 1,500 recorded sales conversations, third-party risk came up in 38% of all calls — the single most common topic — and nowhere more urgently than with healthcare security teams.
What HIPAA actually requires of your vendor program
HIPAA does not use the phrase “third-party risk management,” but its requirements add up to one: a business associate agreement (BAA) with every vendor that touches PHI, reasonable diligence that the vendor can protect that data, and action when you know of a violation. The Security Rule’s risk analysis requirement extends to where PHI flows — including out of your environment. A signed BAA plus an annual questionnaire is the floor, and the floor is where most programs stop.
How to build a healthcare TPRM program: 6 steps
- Inventory every vendor that touches PHI. Not the vendors you remember — the ones in your accounts payable data, your SSO logs, and your integration inventory. Shadow vendors are the ones that end up on breach reports.
- Tier vendors by data exposure, not spend. A small transcription vendor with full clinical notes is higher risk than a large vendor that never sees PHI. Tier drives assessment depth and monitoring frequency.
- Verify BAAs and map them to vendors. Every PHI-touching vendor needs a current BAA, linked to the vendor record and its contract, not filed in a drawer.
- Assess with evidence, not just questionnaires. Questionnaires capture what a vendor says; certifications, SOC 2 reports, and security ratings capture what others verified. High-tier vendors deserve both.
- Monitor continuously, not annually. Vendor posture changes between assessments the same way your controls drift between audits. The same logic behind monitoring controls between audits applies to vendors: an annual questionnaire is a photograph of a moving target.
- Wire vendor risk into incident response. When a vendor reports an incident, you’re on a HIPAA breach-notification clock. Know before the letter arrives which systems, data, and patients a vendor touches.
Annual questionnaires vs. continuous vendor monitoring
| Dimension | Annual questionnaire | Continuous TPRM |
|---|---|---|
| Vendor posture | Self-reported, once a year | Verified and refreshed continuously |
| New vendors | Assessed if someone remembers | Caught at onboarding via workflow |
| Vendor incidents | You learn when they tell you | Monitoring flags degradation early |
| BAA coverage | Point-in-time file check | Linked to vendor records, gaps surfaced |
| Audit readiness | Scramble to assemble evidence | Evidence accumulates automatically |
Frequently asked questions
What is a business associate under HIPAA?
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity — billing companies, cloud vendors, transcription services, analytics providers, and many subcontractors. Business associates must sign a BAA and are directly liable under parts of HIPAA.
Does HIPAA require third-party risk management?
Not by that name, but its requirements — BAAs with every PHI-touching vendor, risk analysis covering PHI flows, and reasonable diligence on business associates — effectively mandate a vendor risk program. Enforcement actions regularly cite vendor oversight failures.
How often should healthcare vendors be assessed?
High-tier vendors with deep PHI access: continuously monitored with a full assessment at least annually. Mid-tier: annually. Low-tier without PHI access: at onboarding and on contract renewal. The mistake is assessing every vendor on the same schedule regardless of exposure.
What should be in a healthcare vendor risk assessment?
Data exposure (what PHI, how much, where stored), security posture evidence (SOC 2, HITRUST, penetration tests), BAA status, subcontractor chain, incident history, and business criticality. The output should be a tier and a monitoring plan, not just a completed questionnaire.
About the author: Stas Bojoukha is the founder of Compyl and spent 20+ years as a CISO. Compyl runs TPRM programs for healthcare organizations including tribal health systems, care coordination platforms, and digital health companies — vendor inventory, BAAs, questionnaires, and continuous monitoring in one system.
See how healthcare teams automate third-party risk with Compyl — book a demo.