When a Vendor Outage Becomes Your Compliance Problem: Building Real Resilience Past the BAA

The BAA Is a Floor, Not a Plan

Every practice has a stack of Business Associate Agreements. They cover the EHR, the clearinghouse, the e-prescribing service, the patient portal, the claims processor, the IT MSP, the cloud backup, the answering service, and at least a dozen smaller tools that touch PHI in the course of a day. The BAAs are necessary and HIPAA-required, but they are also frequently misunderstood. A BAA defines the legal allocation of responsibility for protecting PHI. It does not, by itself, keep the practice running when a vendor's systems are unavailable.

The last two years made that distinction concrete. National-scale clearinghouse outages, ransomware events at large healthcare service providers, and a procession of smaller vendor incidents have left practices unable to bill, unable to verify eligibility, unable to process prescriptions, sometimes for weeks at a time. In none of those cases did the BAA, however well drafted, restore service. The BAA was the cleanup document. The resilience plan, where one existed, was what kept the doors open.

What “Vendor Outage” Actually Looks Like in Practice

The textbook version of vendor risk assumes a clean up-or-down binary: either a vendor is operating normally, or it is not. The lived version is messier.

  • Hard outage. The vendor's systems are entirely unavailable. Your staff cannot log in, cannot transmit, cannot retrieve data. Easy to detect, hardest to wait out.
  • Soft outage. The vendor is up, but degraded. Submissions queue but never confirm. Reports run but return empty. APIs return errors that look transient but persist for hours. Easy to miss, easy to lose data inside.
  • Selective outage. The vendor is up for some customers and not others, often based on a region or a feature flag the vendor controls. Easy to dismiss as a local problem until your peers post the same complaint.
  • Compromise without outage. The vendor is operating normally and may not yet know it is compromised. The first signal is sometimes an ambiguous notice from the vendor, sometimes a press report, sometimes nothing at all until the breach disclosure arrives months later. This is where a vendor incident shades into a software supply chain incident.

A real vendor resilience plan has to handle all four. The BAA, on its own, addresses the eventual breach disclosure for the fourth scenario and not much else.

The Resilience Layer

What does a real resilience layer look like for a small or mid-size healthcare practice? It is not a six-figure DR project. It is a small set of disciplines applied to the vendors that matter most.

Tier the vendors

Not every vendor on the BAA list is operationally critical. Sort them. Tier 1 is the vendors whose absence stops patient-facing work within 24 hours: EHR, clearinghouse, e-prescribing. Tier 2 is the vendors whose absence causes real pain within 72 hours: patient portal, statements, payment processor. Tier 3 is everything else. The resilience plan is built around Tier 1 and Tier 2.

Identify the manual fallback for each Tier 1 vendor

For every Tier 1 dependency, write down what your practice does for 48 hours if it is unavailable. Paper superbills? Direct insurer portals for eligibility? A second clearinghouse account on warm standby? A locked-down read-only EHR cache for the clinical team? The answer does not have to be fancy. It has to exist before the outage.

Cross-check the vendor's own resilience claims

Most vendors will tell you they are SOC 2 certified, redundant, geographically distributed, and so on. A SOC 2 is an attestation report with a defined scope, not a certification: ask for the report itself and read which systems and controls were in scope and which exceptions the auditor noted. Then ask one question: when was the last time you actually failed over in production? The good answers are recent and specific (a date, what failed over, how long it took, what broke). The bad answers are vague.

Stand up a parallel detection signal

Do not rely solely on a vendor to tell you when its own systems are down. Status pages lag the actual incident. Build a tiny independent check, a synthetic transaction, a daily test, a status-aggregator alert, that exercises the vendor's critical paths from your side, and make it distinguish a single transient error from a failure that persists. The practice that learns first that a vendor is degraded is the one with the shortest mean-time-to-decide: it can switch to its fallback while everyone else is still waiting for the status page.
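The following is an added example, not code from the original post or from any vendor, of the decision logic behind such a check. It classifies a history of synthetic-transaction results into the outage types described earlier (a hard outage, and the two soft-outage signatures "submissions queue but never confirm" and "errors that look transient but persist"), while treating a single failed probe as a blip. The probe results, the fixed clock, and the thresholds (three consecutive unreachable probes, a two-hour confirmation SLA, a one-hour error window) are all constructed assumptions; in practice each `Probe` would be filled in by a scheduled test submission such as a test eligibility request, and the thresholds tuned to the vendor's documented turnaround.

```python
"""Independent vendor health check: classify a history of synthetic transactions.

Added example, not code from the original post. Probe results below are
constructed; a real deployment fills in one Probe per scheduled test call.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

HEALTHY, HARD_OUTAGE, SOFT_OUTAGE, NO_DATA = "healthy", "hard_outage", "soft_outage", "no_data"


@dataclass(frozen=True)
class Probe:
    at: datetime                 # when the synthetic transaction was sent
    reachable: bool              # connection, TLS and login succeeded
    accepted: bool = False       # vendor acknowledged the submission (queued)
    confirmed: bool = False      # vendor confirmed the submission was processed
    error: Optional[str] = None  # error text if the call failed in any way


def classify(probes: Iterable[Probe], now: datetime, *,
             hard_after: int = 3,
             confirm_sla: timedelta = timedelta(hours=2),
             error_window: timedelta = timedelta(hours=1)) -> str:
    """Decide the vendor's state from our own probe history (assumed thresholds).

    hard_outage: the last `hard_after` probes were all unreachable; a single
                 unreachable probe is a blip and is ignored.
    soft_outage: the vendor answers, but either
                 (a) accepted submissions are still unconfirmed past
                     `confirm_sla` and nothing has confirmed since, or
                 (b) every probe in the last `error_window` returned an error.
    """
    history = sorted(probes, key=lambda p: p.at)
    if not history:
        return NO_DATA

    tail = history[-hard_after:]
    if len(tail) == hard_after and not any(p.reachable for p in tail):
        return HARD_OUTAGE

    # (a) "Submissions queue but never confirm."
    overdue = [p for p in history
               if p.accepted and not p.confirmed and now - p.at > confirm_sla]
    last_confirmed = max((p.at for p in history if p.confirmed), default=None)
    if overdue and (last_confirmed is None or now - last_confirmed > confirm_sla):
        return SOFT_OUTAGE

    # (b) "Errors that look transient but persist for hours."
    in_window = [p for p in history if now - p.at <= error_window]
    if len(in_window) >= 2 and all(p.error is not None for p in in_window):
        return SOFT_OUTAGE

    return HEALTHY


def demo_scenarios() -> Dict[str, str]:
    """Run classify() over constructed probe histories; returns scenario -> state."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock, deterministic

    def ago(minutes: int) -> datetime:
        return now - timedelta(minutes=minutes)

    def ok(m: int) -> Probe:          # accepted and confirmed
        return Probe(ago(m), True, True, True)

    def queued(m: int) -> Probe:      # accepted, never confirmed
        return Probe(ago(m), True, True, False)

    def down(m: int) -> Probe:        # could not connect at all
        return Probe(ago(m), False, error="connect timeout")

    def http_err(m: int) -> Probe:    # reachable, but the API errored
        return Probe(ago(m), True, error="HTTP 503")

    scenarios: Dict[str, List[Probe]] = {
        "all_good":          [ok(180), ok(120), ok(60), ok(15)],
        "single_blip":       [ok(180), ok(120), down(60), ok(15)],
        "transient_error":   [ok(50), http_err(20), ok(5)],
        "one_lost_claim":    [queued(150), ok(90), ok(30)],
        "hard_outage":       [ok(180), down(45), down(30), down(15)],
        "queue_never_confirms": [ok(180), queued(150), queued(130), queued(20)],
        "errors_persist":    [http_err(50), http_err(35), http_err(20), http_err(5)],
        "no_probes":         [],
    }
    return {name: classify(hist, now) for name, hist in scenarios.items()}


if __name__ == "__main__":
    for name, state in demo_scenarios().items():
        print(f"{name:22s} -> {state}")
```

The two soft-outage rules are the ones worth tuning per vendor: rule (a) only fires when nothing has confirmed within the SLA, so a single lost submission while others flow normally is reported as healthy and left to the reconciliation step, and rule (b) requires more than one failing probe in the window so that a lone error is not escalated.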

Plan the communication

Patients, referring providers, insurers, and your own staff all need fast and consistent messaging during a vendor outage. Pre-draft three things: the patient-facing notice, the referring-provider notice, and the internal staff briefing. Outage day is not the day to write copy.

What This Has to Do With Compliance

OCR enforcement actions in vendor-related incidents repeatedly cite the same gaps: incomplete vendor inventories, missing BAAs, no documented incident response coordination, and no evidence of independent verification of the vendor's controls. None of those are about the outage itself. All of them are about the practice's posture going into the outage.

The enforcement record on multi-million-dollar HIPAA settlements shows that the most expensive violations almost always have a vendor or third-party angle. A practice that can produce a current vendor inventory, current BAAs, a tiering rationale, manual fallback documentation, and a communication plan is in a fundamentally different position when the regulator asks “What did you do to manage third-party risk?”

Special Case: AI and Inference Vendors

The newer wave of vendors most likely to surprise a practice is the AI scribes, ambient listening tools, and LLM-backed assistants now embedded in clinical workflows. The vendor resilience questions are the same, but they get sharper. Where does the audio go? Where does the transcript live? What happens to your workflow if the vendor disables the model tomorrow? See the AI tools and HIPAA primer for the longer version of those questions.

The Day After: Treat It as an Incident

Whether or not the vendor outage results in a confirmed breach, treat it like an incident on your side. Document the timeline, the impact, the workarounds used, the data exposed (if any), and the conclusion of any breach risk assessment. The same discipline you apply to a credential leak response applies here. The work you do in the calm of the post-mortem is what makes the next outage shorter.

Call to Action

See how HIPAA Security Suite keeps your vendor inventory, BAA expirations, and incident log on one page — so when a vendor goes sideways, the questions about your posture answer themselves.

Ready to simplify your HIPAA compliance?

See how HIPAA Security Suite can protect your organization.