
You’ve probably noticed the shift. Leadership is asking about vendor agreements. They want to know whether your Business Associate Agreements are current, whether they cover what they need to cover, and whether anyone has actually looked at them since they were signed.
This feels like one more item on a list that already includes 42 CFR Part 2 consent redesigns, access control audits, MFA rollouts, and training overhauls. It is. But this particular ask is different, because you probably already know where most of the gaps are. You’ve been living with them.
You’ve Known About These Gaps for Years
Every compliance coordinator, IT lead, and program manager carries institutional knowledge that no contract review or regulatory scan can replicate. You know which vendor relationships have drifted from what’s on paper. The telehealth platform adopted during COVID that never went through formal procurement. The billing processor whose BAA was signed by someone who left two years ago, for a scope of service that has since expanded without anyone updating the agreement. The IT managed service provider with broad system access that nobody has revisited since onboarding. The AI documentation tool a clinical supervisor started using because it saved an hour a day, and nobody asked whether a BAA existed.
You’ve known about these things. Mostly, nobody asked.
The proposed HIPAA Security Rule update changes that dynamic. HHS published a notice of proposed rulemaking in January 2025 that would eliminate the distinction between “required” and “addressable” implementation specifications, making virtually all of them mandatory (HHS OCR, 2025). Finalization remains on OCR’s regulatory agenda for mid-2026. Among the most significant changes are new requirements for what BAAs must contain and for how covered entities must verify their vendors’ safeguards on an ongoing basis.
The current framework treats a signed agreement as, in practice, sufficient evidence of a vendor’s assurances. The proposed framework treats it as a starting point that must be backed by ongoing proof. An actively managed BAA is a protection. An unmanaged one is a liability (Xpio Health, 2025). The proposed rule would make that distinction enforceable.
The people closest to vendor relationships have always known where the gaps live. The proposed rule just made that knowledge matter on paper.
Three Questions Every Agreement Should Answer
You don’t need to memorize the proposed rule’s 400 pages to evaluate your vendor agreements. You need three questions.
Does this agreement specify how fast the vendor must notify us if something goes wrong? The proposed rule would require business associates to notify covered entities within 24 hours of activating their contingency plan (Federal Register NPRM, 2025). That clock is separate from breach notification under the existing Breach Notification Rule, which runs from discovery of a breach and allows up to 60 days; the 24-hour requirement would apply to contingency plan activation whether or not a breach has been confirmed. Many agreements currently on file use language like “reasonable time” or “without unreasonable delay.” Under the proposed rule, that language falls short.
Does it require the vendor to prove their safeguards work, or just promise they exist? Under the proposed rule, business associates would have to verify at least once every 12 months that they have deployed the required technical safeguards, through a written analysis of their relevant systems by a subject matter expert and a written certification by someone with authority to act on the vendor’s behalf (Federal Register NPRM, 2025). A general assurance that the vendor “maintains appropriate safeguards” would no longer satisfy that standard.
Are we evaluating that proof before renewing? The proposed rule would require covered entities to assess the risk of entering or maintaining a BAA based on the vendor’s written verifications (HHS OCR NPRM Factsheet, 2025). Vendor due diligence becomes a continuous obligation.
Apply these to the vendor categories you manage daily: cloud EHR hosting, telehealth platforms, billing and claims processors, IT managed service providers, AI-assisted documentation tools. If you’re already doing access control reviews and Part 2 consent audits, you’re already touching these vendor relationships. Adding an agreement check to that review extends existing work. It doesn’t create a new workstream.
These three questions are the difference between an agreement that’s been filed and one that’s actually functioning.
Turning What You Know into Something Leadership Can Act On
Knowing a gap exists and communicating it in a format leadership can act on are different skills. Most organizations never teach the second one. This is where your institutional knowledge becomes organizational protection.
When you find a vendor relationship that has drifted from what’s documented, or an agreement that doesn’t address the proposed requirements, translate it into a short escalation. Name the vendor. Identify the specific gap. Estimate the PHI exposure: which systems, roughly how many records, what kind of access. Reference which proposed requirement it would fall short of. That’s one paragraph, not a research project. A program manager who discovers that a telehealth vendor’s BAA was signed in 2022 and contains no encryption or MFA requirements, both of which the proposed rule would make mandatory technical safeguards, can communicate that finding in three sentences. Leadership doesn’t need a regulatory brief. They need a clear signal that a specific agreement needs attention and why.
Based on our work with behavioral health organizations, the teams that surface vendor gaps effectively share one trait: they frame findings around risk exposure, not regulatory citation. The goal is to build the vendor inventory from the ground up, using the knowledge that already lives in the heads of the people doing the work. Leadership designs the governance framework. You build the map it runs on.
This lands during a period of sustained compliance acceleration, and the fatigue is real and earned. But the BAA review connects to the cleanup already underway. Every Part 2 consent audit touches vendor relationships. Every access control review reveals vendor access patterns. The gaps are already surfacing in work you’re doing today. This step makes them visible and gives them a path to resolution before the proposed rule makes them enforceable.
The most valuable compliance work happening right now is the work that connects what frontline staff already know to what leadership needs to see.
The informal knowledge you’ve carried about which agreements are current, which vendors have drifted, and which relationships were never formally documented is the foundation the audit depends on. The proposed rule is catching up to what you’ve known. Making that knowledge visible now, while the preparation window is still open, converts years of quiet awareness into organizational protection.
Which vendor relationship in your organization has drifted the furthest from what’s on paper? Xpio Health helps behavioral health teams build vendor inventories, evaluate agreement gaps, and create the escalation frameworks that connect frontline knowledge to leadership action. Contact Xpio Health to start the conversation.
#BehavioralHealth #PeopleFirst #XpioHealth
References
- HHS Office for Civil Rights. HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
- HHS Office for Civil Rights. HIPAA Security Rule NPRM Factsheet. HHS.gov. 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- HHS. HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register. 2025. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
- Xpio Health. What a BAA Actually Protects and Why You Should Care. Xpio Health. 2025. https://xpiohealth.com/articles/what-a-baa-actually-protects-and-why-you-should-care