How Small Clinics Should Track Vendor BAAs

Most clinics do not lose track of BAAs because the contract law is hard. They lose track because no one owns the live vendor list after the first onboarding rush.

What the tracker needs to answer

For each vendor, the clinic should be able to answer:

• does the vendor touch PHI as part of the service
• is a BAA required
• has it been requested, signed, or escalated
• where is the executed agreement stored
• when is the next review due
• who owns follow-up

If the tracker only says “signed” or “not signed,” it is too thin to drive real oversight.

Which vendors belong on the list

Include any vendor that creates, receives, maintains, or transmits PHI for the clinic. That often includes obvious systems like the EHR and billing vendors, but it also includes less obvious categories such as transcription, cloud storage, managed IT, patient messaging, and some task or form tools.

The list should also preserve “not required” decisions with a reason. That way the clinic does not revisit the same conduit or non-PHI questions every quarter from scratch.

A workable field set

Small clinics do not need a procurement suite here. They do need a few consistent fields:

• vendor name
• service category
• PHI involvement
• BAA status
• signed date
• last review date
• next review date
• owner
• notes on subcontractors or open questions

Those fields are enough to run renewals and identify stalled follow-up.

The operational rule that matters most

Update the tracker when the vendor relationship changes, not only during annual review. New pilot tools, expanded service scope, acquisitions, and contract renewals all change the risk picture. The list should move with the environment.

What to do next

If your clinic’s BAA list lives in an annual audit folder, it is already drifting. Move it into a live operating record with an owner and recurring review dates.