Breach analysis · Patient Protect

Third-Party Vendor Risk Management: What the MOVEit Litigation Tells Every Practice About BAAs and Vendor Oversight

Vendor risk management in healthcare isn't a one-time checkbox. Courts are now letting negligence claims proceed against covered entities alongside their software vendors when PHI flows through inadequately vetted tools.

Patient Protect Research · June 30, 2026 · First reported in HIPAA Pulse

The control gap

Business associate relationships carry shared legal liability, and federal courts are now making that explicit in tort, not just in contract. When a covered entity transmits protected health information through a third-party file-transfer or managed-file-exchange tool, it does not hand its duty of care to the vendor; it extends its own compliance perimeter to include that vendor's security posture. The MOVEit multi-district litigation illustrates the dynamic: a federal court recently rejected the defendants' second attempt to dismiss the negligence claims, so organizations that deployed the tool remain named alongside the software vendor and face discovery, and potentially damages, over whether they performed and documented adequate due diligence. A denied motion to dismiss is not a finding of liability, but it means the adequacy of each defendant's vendor oversight will now be tested on the evidence. First reported in HIPAA Pulse: https://hipaapulse.com/moveit-breach-defendants-lose-2nd-bid-to-toss-negligence-claims-d8dbd92e

The pattern is consistent across large-scale supply-chain breaches: the vendor's vulnerability becomes the customer's liability exposure when the customer cannot demonstrate it vetted, monitored, and contractually protected the relationship.

The HIPAA Security Rule provision in play

§164.308(a)(1), the Security Management Process standard, requires covered entities to conduct an accurate and thorough risk analysis and to manage the risks it identifies (implementation specifications §164.308(a)(1)(ii)(A) and (B)); that analysis must cover every system and relationship through which ePHI flows, third-party tools included. §164.314(a), Business Associate Contracts or Other Arrangements, requires that the BAA obligate the business associate to comply with the Security Rule, to report security incidents including breaches of unsecured PHI, and to bind its own subcontractors to the same terms; the permitted uses and disclosures of PHI come from the Privacy Rule's contract requirements at §164.504(e). Together these provisions create the documented framework that OCR and, increasingly, courts examine when a vendor-side breach reaches a covered entity's data. Note that HIPAA does not itself require patch timelines, audit rights or indemnification in a BAA; those are negotiated terms. But a covered entity with no current written risk assessment and a BAA that is silent on them has little to show on either the regulatory or the litigation track.

How Patient Protect addresses this

  • BAA Management tracks the execution status, renewal dates, and coverage scope of every business associate agreement in your practice — flagging stale or missing agreements before they become a liability gap.
  • Security Risk Assessment (SRA) generates a documented, addressable risk analysis that includes third-party data-handling relationships, creating the written record that both OCR and courts expect to see as evidence of due diligence.
  • Information Systems Inventory catalogs every tool and integration that touches ePHI, making it straightforward to identify which vendor relationships require review when a vulnerability disclosure — or a litigation filing — appears.
  • Autonomous Compliance Engine continuously recalculates your compliance posture as your vendor roster and configurations change, rather than treating vendor selection as a one-time administrative event.
  • HIPAA Assistant (PIPAA) provides on-demand guidance on BAA requirements, vendor risk questions, and Security Rule obligations — so practice administrators can act on emerging situations without waiting for outside counsel.

Practical next steps

  • Audit your active vendor list this week. Identify every tool that transmits or stores ePHI: billing platforms, lab integrations, imaging portals, clearinghouses, and the file-transfer services your vendors use on your behalf. Confirm a current, executed BAA exists for each. Many organizations affected by the MOVEit incident learned of their exposure through a vendor or a vendor's subcontractor that ran the tool, not through an instance they operated themselves.
  • Review BAA language for patch and notification obligations. Agreements predating 2023 may not specify vendor patch timelines or your right to audit security controls. Update language before the next contract renewal.
  • Run or refresh your Security Risk Assessment. Document the risk rationale behind each vendor relationship. A written analysis is both a HIPAA requirement and a litigation defense.
  • Establish a process for monitoring vendor security advisories. Designate a responsible staff member to track critical patch releases for any internet-facing vendor tool handling PHI, and keep the inventory detailed enough (vendor, product, version, data in scope) that an advisory can be matched to affected systems the same day. Know the limit of this control: in the MOVEit incident the flaw was exploited before a patch existed, so advisory monitoring shortens the exposure window after disclosure and tells you immediately what is in scope; it does not prevent a zero-day compromise.
  • Confirm vendors carry adequate cyber liability coverage. Request certificates of insurance and confirm coverage limits are sufficient to backstop indemnification claims if a vendor-side breach exposes your patients' data.
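The audit and monitoring steps above reduce to keeping a structured inventory and matching it against advisory feeds and BAA dates. The script below is an added example, not Patient Protect's code or a description of a Patient Protect feature: it takes a constructed inventory of ePHI systems and a constructed advisory list (every vendor, product, version, advisory ID and date is a placeholder) and produces a prioritized review queue. Affected internet-facing systems come first, then other affected systems, then systems whose only finding is a missing, expired or pre-2023 BAA; systems that do not handle ePHI are skipped.

```python
"""Match an ePHI system inventory against vendor advisories and BAA dates.

Added example, not Patient Protect's code. Every vendor, product, version,
advisory ID and date below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class InventoryItem:
    system: str
    vendor: str
    product: str
    version: str                   # dotted numeric version, e.g. "3.1.4"
    handles_ephi: bool
    internet_facing: bool
    baa_executed: Optional[date]   # None means no BAA on file
    baa_expires: Optional[date]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str               # placeholder ID, not a real CVE
    vendor: str
    product: str
    fixed_version: str             # first version that contains the fix
    severity: str


@dataclass
class ReviewItem:
    system: str
    priority: int                  # 1 = act today, 3 = contractual clean-up
    reasons: List[str] = field(default_factory=list)


def version_tuple(v: str):
    """Numeric comparison of dotted versions, so "3.1.4" < "3.1.10"."""
    return tuple(int(p) for p in v.split("."))


def is_affected(item: InventoryItem, adv: Advisory) -> bool:
    """True when the inventory item runs a version older than the fix."""
    return (item.vendor.lower() == adv.vendor.lower()
            and item.product.lower() == adv.product.lower()
            and version_tuple(item.version) < version_tuple(adv.fixed_version))


# Assumption taken from the page: BAAs executed before 2023 may lack
# patch-timeline and notification clauses and deserve a language review.
BAA_CLAUSE_CUTOFF = date(2023, 1, 1)


def baa_findings(item: InventoryItem, today: date) -> List[str]:
    """Contractual findings for one system: missing, stale or expired BAA."""
    if item.baa_executed is None:
        return ["no BAA on file"]
    findings = []
    if item.baa_executed < BAA_CLAUSE_CUTOFF:
        findings.append("BAA predates 2023; check patch and notification clauses")
    if item.baa_expires is not None and item.baa_expires < today:
        findings.append("BAA expired")
    return findings


def review_queue(inventory: List[InventoryItem], advisories: List[Advisory],
                 today: date) -> List[ReviewItem]:
    """Return ePHI systems needing review, highest priority first."""
    queue = []
    for item in inventory:
        if not item.handles_ephi:
            continue               # outside HIPAA scope for this check
        hits = [f"{a.advisory_id}: {a.severity} in {a.product} below {a.fixed_version}"
                for a in advisories if is_affected(item, a)]
        contract = baa_findings(item, today)
        if not hits and not contract:
            continue
        if hits and item.internet_facing:
            priority = 1           # exploitable from the internet, unpatched
        elif hits:
            priority = 2           # unpatched but not directly exposed
        else:
            priority = 3           # paperwork only
        queue.append(ReviewItem(item.system, priority, hits + contract))
    return sorted(queue, key=lambda r: (r.priority, r.system))


# Constructed sample inventory and advisories (all names are placeholders).
INVENTORY = [
    InventoryItem("Managed file transfer", "ExampleVendor", "TransferSuite", "3.1.4",
                  True, True, date(2021, 6, 1), date(2026, 6, 1)),
    InventoryItem("Billing platform", "ExampleBilling", "ClaimsHub", "8.0.2",
                  True, False, date(2024, 2, 15), date(2025, 2, 15)),
    InventoryItem("Imaging portal", "ExampleImaging", "ViewPortal", "5.2.0",
                  True, True, date(2024, 9, 1), date(2027, 9, 1)),
    InventoryItem("Break-room scheduler", "ExampleOffice", "Shifts", "1.0",
                  False, True, None, None),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "ExampleVendor", "TransferSuite", "3.1.5", "critical"),
    Advisory("ADV-EXAMPLE-2", "ExampleImaging", "ViewPortal", "5.1.0", "high"),
]
TODAY = date(2026, 6, 30)

if __name__ == "__main__":
    for r in review_queue(INVENTORY, ADVISORIES, TODAY):
        print(f"P{r.priority} {r.system}: " + "; ".join(r.reasons))
```

On the constructed data the file-transfer tool lands at priority 1 with three findings (behind the fixed version, BAA executed before 2023, BAA expired), the billing platform at priority 3 for an expired BAA, and the imaging portal is not listed because it already runs a fixed version and its BAA is current. Real advisory feeds carry non-numeric version strings and product names that do not match inventory spellings exactly, so the vendor and product matching and the version parser are the parts to harden first.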

This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article. First reported in HIPAA Pulse: https://hipaapulse.com/moveit-breach-defendants-lose-2nd-bid-to-toss-negligence-claims-d8dbd92e