
Defense · Vendor Risk Scanner

Know which vendors are protecting you. And which aren't.

Evaluates every business associate against your current standing. The vendor risk picture stays current as your BAAs and their behavior do.

Included in Core · Starting at $39/mo

[Screenshot: Patient Protect Vendor Risk Scanner showing all business associates with BAA states (None, Staging, Pending, Active, Expired, Revoked) and risk scoring per vendor]

HIPAA mapping

What this satisfies in the Security Rule.

4 citations, each with the specific Vendor Risk Scanner behavior that satisfies it. The mapping is the receipt — what you can show an auditor without assembling anything new.

§164.308(b)(1)

Business associate contracts

Permits BAs to create, receive, maintain, or transmit PHI on the covered entity's behalf only with satisfactory written assurances. The Scanner enforces this — messaging is gated on BAA state.

§164.502(e)

Disclosures to business associates

Permits disclosure to a BA only with the BAA in place. State-aware enforcement makes this architecturally true.

§164.504(e)

Business associate contracts

Specifies required BAA contents. The platform's BAA templates align to §164.504(e); uploaded third-party BAAs are checked for the standard provisions.

§164.314(a)

Business associate contracts (technical)

Includes Security Rule provisions. The platform's templates include the technical safeguard requirements.

What it does

Vendor risk made visible.

Most HIPAA enforcement actions trace back to a vendor — a business associate that wasn't covered by an active BAA, or a vendor that experienced an incident the practice never knew about until OCR called. Vendor risk is the largest source of unmonitored exposure in independent practice compliance.

The Vendor Risk Scanner watches the relationships you depend on. Every business associate is tracked through a six-state BAA lifecycle. Every state change generates evidence. Every gap is visible — including the gap nobody talks about, where a vendor relationship started before the BAA was executed.

The Scanner's most valuable behavior is the gap detection it forces. A vendor relationship that started before the BAA was executed produces an alert with the specific dates. A vendor whose BAA expired six months ago that no one noticed shows up prominently. The Scanner won't let these stay invisible.

How it works

6 mechanisms keep the Vendor Risk Scanner working.

01

Six-state BAA lifecycle.

Every BAA moves through six states: None (no BAA exists), Staging (template being prepared), Pending (sent for signature), Active (executed and in force), Expired (reached expiration without renewal), Revoked (explicitly ended). State transitions are timestamped and audit-logged.

02

Vendor risk scoring.

Each vendor carries a risk score derived from BAA state, ePHI scope, time since last BAA review, vendor's own reported incidents, and behavior signals. The score is comparable across vendors — the Scanner lets you see which relationships need attention first.

03

Pre-execution gap detection.

The Scanner specifically flags relationships where ePHI activity preceded BAA execution. The alert is direct: “ePHI was exchanged with Acme Billing on 2026-01-15. BAA was not executed until 2026-02-03. 19-day gap.” This is exactly the kind of finding that escalates in OCR investigations.

04

Expiration trajectory.

BAAs approaching expiration generate graduated alerts — 90, 60, 30, 14, and 7 days out. The alerts route to the workforce member managing the vendor relationship with renewal workflow ready to launch.

05

Network signals (connected vendors).

When a connected vendor (one with their own Patient Protect account) experiences a material event — an incident report, a BAA template update, an ownership change — every connected practice receives a signal. Stories of “we never knew our vendor had a breach” become rare with this signal layer in place.

06

One-click BAA workflows.

The Scanner includes the workflows for moving vendors through the lifecycle: initiate a BAA, send for signature, upload a third-party BAA, renew, revoke. Workflow completion updates the state automatically.
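To make the lifecycle, gap-detection and expiration mechanisms above concrete, here is an added Python sketch; it is not Patient Protect's own code. It models the six BAA states with audit-logged transitions, produces the page's Acme Billing alert text from a first-ePHI date and an execution date, and maps days-to-expiry onto the 90/60/30/14/7-day tiers. The permitted transitions between states, the Staging and Pending dates, and the expiration date are assumptions; the vendor data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# The six states come from the page; the permitted transitions are an assumption made here.
TRANSITIONS = {
    "None": {"Staging", "Active"},  # straight to Active when a signed third-party BAA is uploaded
    "Staging": {"Pending", "None"}, "Pending": {"Active", "None"},
    "Active": {"Expired", "Revoked"},
    "Expired": {"Staging", "Pending", "Active"}, "Revoked": {"Staging"},  # renewal paths
}
ALERT_DAYS = (7, 14, 30, 60, 90)  # graduated expiration alert tiers named on the page
@dataclass
class BAARecord:
    vendor: str
    state: str = "None"
    executed: date | None = None  # set when the BAA enters Active
    expires: date | None = None   # None for an indefinite BAA
    audit_log: list = field(default_factory=list)
    def transition(self, new_state: str, when: date) -> None:
        """Move to a new state; a move outside the lifecycle is refused and leaves no log entry."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.vendor}: {self.state} -> {new_state} is not a valid BAA transition")
        self.audit_log.append((when.isoformat(), self.state, new_state))  # timestamped evidence
        self.state = new_state
        if new_state == "Active":
            self.executed = when

def pre_execution_gap(rec: BAARecord, first_ephi: date) -> str | None:
    """Flag ePHI activity that preceded BAA execution, or happened with no executed BAA at all."""
    if rec.executed is None:
        return f"ePHI was exchanged with {rec.vendor} on {first_ephi}. No BAA has been executed."
    gap = (rec.executed - first_ephi).days
    return None if gap <= 0 else (f"ePHI was exchanged with {rec.vendor} on {first_ephi}. "
                                  f"BAA was not executed until {rec.executed}. {gap}-day gap.")

def expiration_alert(rec: BAARecord, today: date) -> int | None:
    """Return the alert tier (days out) an in-force BAA is currently inside, or None."""
    if rec.state != "Active" or rec.expires is None or rec.expires < today:
        return None  # no fixed term, not in force, or already past expiry (the Expired state's job)
    return next((d for d in ALERT_DAYS if (rec.expires - today).days <= d), None)

def scenario() -> dict:
    """Constructed Acme Billing scenario built from the page's alert text (not real vendor data)."""
    rec = BAARecord("Acme Billing", expires=date(2027, 2, 3))
    for state, when in (("Staging", date(2026, 1, 20)), ("Pending", date(2026, 1, 25)),
                        ("Active", date(2026, 2, 3))):  # executed after ePHI flowed on 2026-01-15
        rec.transition(state, when)
    return {"gap": pre_execution_gap(rec, date(2026, 1, 15)), "log": rec.audit_log,
            "alert_25_days_out": expiration_alert(rec, date(2027, 1, 9))}
```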

Who this is for

Built for the practices that need it most.

Practices with more than five vendors.

Most independent practices have between 5 and 20 business associates — billing services, transcription, IT vendors, EHR hosting, secure messaging providers, lab interfaces. Tracking these manually fails by month three. The Scanner is the operational alternative.

Practices that have inherited vendor relationships.

Practice acquisitions and changes-of-hands often arrive with a folder of BAAs of unknown vintage. The Scanner is the import flow plus the audit — uploading the existing BAAs creates the records, then the platform tracks them forward.

Practices that have ever asked “do we have a BAA with them?”

The question itself is the symptom. The Scanner removes the question.

What you get

6 outcomes you'll feel in week one.

No invisible vendor relationships.

Every vendor that touches your ePHI is tracked.

No expired BAAs missed.

Graduated alerts before expiration; the renewal workflow loads ready.

No pre-BAA exposure.

Gap detection catches the relationships where activity preceded paperwork.

Network signals.

When a connected vendor has an incident, your office knows.

§164.504(e) template alignment.

Issued BAAs include required provisions; uploaded BAAs are checked.

Portfolio view.

Across-portfolio risk visibility — which relationships need attention first.

FAQ

What people ask first.

6 questions cover most first-time evaluations.

Does Patient Protect require my vendors to be on the platform?
No. Vendors can be on Patient Protect (which enables network signals and connected workflows) or off-platform (which still provides full BAA tracking, just without the connected features).
Can I upload our existing BAAs?
Yes. Upload PDF BAAs with metadata; the platform records them in the Active state from the upload date forward. Useful for practices migrating onto Patient Protect with existing vendor relationships.
What about subcontractors of our business associates?
Direct BAAs with subcontractors are not your responsibility — your BAA with the BA obligates them to manage their own subcontractor BAAs (under §164.308(b)(2)). The Scanner tracks your direct relationships; the BAs handle their own chains.
How does the platform know when a BAA expires?
Expiration date is a field in every BAA record. Most BAAs are indefinite (no expiration); some have specific terms. For indefinite BAAs, the Scanner uses the office's policy review cadence (typically annual) to schedule periodic re-review even without expiration.
Can the Scanner draft BAAs?
Yes. Patient Protect's BAA template (aligned to §164.504(e)) generates a pre-filled BAA from your office and vendor information. You review, edit if needed, and send for e-signature. Or upload a vendor-supplied BAA instead.
What if a vendor refuses to sign a BAA?
Then the relationship cannot involve ePHI. The Scanner enforces this — messaging stays gated, and the relationship surfaces in the portfolio view as None state. Most vendors will sign; the ones that won't are not viable BAs for your practice.

Next step

Every vendor visible. Every BAA tracked. Every gap surfaced.

Most practices import their existing vendor list inside the first hour. The Scanner takes over forward.

No contracts. No consultants. Starting at $39/mo.