    A Signed BAA Isn't "Satisfactory Assurance" — What HIPAA Vendor Due Diligence Requires

    > TL;DR: HIPAA lets you share PHI with a vendor only if you obtain "satisfactory assurances" that the vendor will safeguard it — that's the regulation's exact language (45 CFR 164.308(b)(1) and 164.502(e)(1)(i)). A signed Business Associate Agreement is a contract. It is not, by itself, assurance that the safeguards actually exist. When a vendor's gap surfaces, the covered entity is the one exposed. This guide covers what "satisfactory assurance" really means, the evidence gap a folder of signed BAAs leaves, and how to vet and document vendors so the assurance is real.

    Every practice has a stack of signed BAAs in a folder somewhere. It feels like the vendor box is checked.

    Here's the uncomfortable part. A BAA is a promise. It is not proof that the promise is being kept.

    HIPAA is specific about this, and people miss it because the language is quiet. The rule doesn't say "get a signed agreement." It says obtain satisfactory assurances. Those two words carry the whole obligation, and a signature alone doesn't satisfy them.

    What the rule actually says

    The phrase appears in two places, and it's worth reading the exact words.

    Then, separately, you have to document those assurances through a written contract — 45 CFR 164.308(b)(3) (Source: 45 CFR 164.308). Notice the order. The assurance comes first. The contract documents it. A signed BAA with no assurance behind it documents nothing real.

    So "satisfactory assurance" is the requirement. A questionnaire or attestation isn't named in the rule — it's simply the practical way you obtain that assurance, verify it, and keep a record of it. The rule sets the standard; the due diligence is how you meet it.

    Why this lands on you

    This is where the framing matters, and where it's easy to point fingers. I won't, because it isn't a story about bad actors.

    Most vendors and MSPs are smart, well-intentioned shops. Many sign BAAs the way they'd sign any service agreement — a routine sales formality. What often goes unsaid is that a BAA is a regulatory document attesting to specific safeguards, not a sales document. When the safeguards aren't there and it surfaces, the covered entity that shared the PHI is the one holding the exposure.

    That's the system problem. Both sides assumed the paperwork meant coverage. Neither side verified. And verification is exactly what "satisfactory assurance" asks for.

    The evidence gap

    Here's the question to sit with. If OCR asked today — show me how you determined each vendor that touches your PHI actually safeguards it — could you point to anything beyond a signature?

    For most organizations, the honest answer is no. They have signed BAAs. They don't have evidence of due diligence. A folder of contracts proves vendors agreed to safeguard PHI. It doesn't prove anyone checked whether they do.

    That's the gap. The assurance is supposed to be obtained and verified, not assumed at signing and never revisited — especially since vendor risk changes as their systems, staff, and subcontractors change.

    How Live Compliance closes it

    Live Compliance builds the vendor assurance process into the platform. It sends each business associate a structured attestation questionnaire, collects and tracks their responses, and keeps the record that turns a signature into actual due diligence. It automates the part most teams never get to — chasing the responses, documenting what was obtained, and flagging when it's time to revisit. The result is the thing a folder of BAAs can't give you: evidence you vetted your vendors, not just papered them.

    And because it lives alongside your risk assessment, the vendor risk you surface feeds the analysis it's supposed to inform, in one place.

    We've spent 15 years watching the gap between what a BAA promises and what a vendor actually does — across 500+ organizations, with a 100% audit success rate — and closing it before it surfaces. See how the platform fits together, or talk to us about what's behind the BAAs in your folder.

    > Accuracy & legal note. This article is a plain-language summary of HIPAA requirements as of June 2026, based on the HIPAA Rules (45 CFR Part 164) and HHS guidance current as of that date. Regulations, OCR guidance, and enforcement priorities change. This is general educational information, not legal advice — verify current requirements at hhs.gov/hipaa or with your compliance counsel before acting. Platform capabilities described reflect Live Compliance as of the publish date. Last updated: June 2026.