What are HIPAA Vendors?

HIPAA vendors, also known as business associates, are vendors that a healthcare entity (a covered entity) contracts to perform a service on its behalf. Because these services involve the use or disclosure of protected health information (PHI), HIPAA vendors must comply with the HIPAA standards that apply to business associates.

Which Vendors are Considered HIPAA Vendors?

Not all healthcare vendors are HIPAA vendors. A vendor is a HIPAA vendor (business associate) only if it creates, receives, maintains, or transmits protected health information (PHI) on behalf of its covered entity clients.

Businesses that are classified as HIPAA vendors include the following:

A third-party claims processor

An accounting firm whose services require access to patient data held by a healthcare provider

An attorney whose legal services to a healthcare provider involve access to PHI

A healthcare clearinghouse (itself a covered entity, but a business associate when it processes PHI on behalf of another covered entity)

Freelance medical transcriptionists

Pharmacy benefits managers

What are the HIPAA Obligations for HIPAA Vendors?

HIPAA vendors have an obligation to ensure the confidentiality, integrity, and availability of PHI by implementing administrative, technical, and physical safeguards.

Administrative: These include written policies and procedures governing the proper use and disclosure of PHI, workforce training, and a documented risk analysis. Under the minimum necessary standard, PHI is used or disclosed only to the extent needed to accomplish the intended purpose, such as a specific job function.

Physical: These include securing the facilities, workstations, and devices that hold PHI. Physical safeguards may include alarm systems, locks on doors and cabinets storing patient records, CCTV cameras, and controls over the movement, reuse, and disposal of devices and media.

Technical: These include securing the systems and devices that access electronic protected health information (ePHI), that is, PHI in electronic form. Technical safeguards may include encryption of ePHI at rest and in transit, access controls with unique user IDs, audit logging, firewalls, antivirus, and multi-factor authentication (MFA).

To confirm that these safeguards are actually protecting patient information, HIPAA vendors must assess them regularly. HIPAA itself requires a risk analysis and periodic technical and non-technical evaluations rather than a fixed number of audits; the six annual self-audits referred to here are how this compliance program structures that requirement. Self-audits surface the gaps in a HIPAA vendor's safeguards.

To address those gaps, HIPAA vendors must document and carry out remediation plans. Unremediated gaps leave patient information exposed and put HIPAA vendors at risk of costly fines and corrective action.

HIPAA Vendors and Business Associate Agreements

To work with healthcare clients, HIPAA vendors must sign a business associate agreement (BAA) with each healthcare client, and with any subcontractor that handles PHI on their behalf. A BAA is a contract that specifies the permitted uses and disclosures of PHI, obligates the business associate to safeguard it and to comply with the applicable HIPAA rules, and makes each party responsible for maintaining its own compliance. A BAA also sets out breach and security incident reporting: the business associate must report breaches of unsecured PHI to the covered entity, and the agreement typically specifies the timeline and the information to be provided.

Compliancy Group HIPAA Vendor

Although not technically a HIPAA vendor (it is not a business associate), Compliancy Group is a healthcare software vendor whose product enables HIPAA vendors to implement and track their HIPAA compliance program. Everything HIPAA vendors need to address their HIPAA requirements is built into our cloud-based compliance tracking software, The Guard.

Not only does our software facilitate tracking, but our expert Compliance Coaches monitor your progress and guide you through the entire HIPAA compliance implementation process. Our Audit Response Program supports clients that are subject to a HIPAA audit, and we have a proven track record: our clients have never failed an audit. Compliancy Group gives clients confidence in their compliance by validating and verifying their good-faith effort toward compliance.
