Third-party risk
Every vendor that touches your environment, and the legal paperwork that needs to follow.
Missing BAAs: 1. Out of 4 vendors handling PHI.
Expiring within 60 days: 0. Schedule renewals now to avoid gaps.
Current BAAs: 3. No action required.
| Vendor | Category | PHI | Risk | BAA status | Expires |
|---|---|---|---|---|---|
| Athenahealth ba@athenahealth.example | EHR | Handles PHI | High | Current | Dec 6, 2026 |
| Microsoft 365 compliance@microsoft.example | Productivity | Handles PHI | High | Current | May 30, 2027 |
| Datto SIRIS Backup ba@datto.example | Backup | Handles PHI | High | Current | Aug 8, 2026 |
| Twilio SendGrid ba@twilio.example | | Handles PHI | Medium | BAA missing | Apr 8, 2026 |
| Stripe compliance@stripe.example | Payments | No PHI | Medium | BAA not required | — |
| Bitdefender GravityZone channel@bitdefender.example | Security | No PHI | Medium | BAA not required | Mar 1, 2027 |
| SonicWall TZ470 support@sonicwall.example | Network | No PHI | Medium | BAA not required | — |
Why this matters during an audit
HIPAA §164.308(b)(1) requires a signed Business Associate Agreement with every third party that creates, receives, maintains, or transmits PHI on the clinic’s behalf. A single missing BAA will fail this control — and it’s the #1 finding in clinic audits.