Smart Takes on Finance Automation | The onPhase Blog

Your AP Files Are a HIPAA Risk. Here's What to Audit Before Year-End.

Written by onPhase | Jul 8, 2026 4:25:22 PM

Ask a healthcare finance leader where their biggest HIPAA risk lives, and most will point toward the privacy office or the IT team. Accounts payable almost never makes the list. That's the blind spot, and it tends to surface at the worst possible time.

Say an auditor from the Office for Civil Rights (OCR) wants the signed business associate agreement for a billing vendor you paid eighteen months ago. They also want the approval trail behind the payments and proof the records sat under access controls. Now the clock is running, and your AP team is digging through old email threads.

Year-end is when these gaps tend to surface. Audit season runs straight into 2027 budget planning, and the documentation you assumed was airtight has to hold up. HIPAA reaches further into AP than most teams plan for, because finance owns the vendor list, the payment records, and the approval logic behind every check. That exposure is worth finding now, while there's still runway before audit prep and 2027 budgeting collide.

HIPAA lives in your vendor files, not just your patient records


HIPAA shapes how you document vendor relationships, maintain agreements, and retain the records that prove both. Any vendor that creates, receives, maintains, or transmits protected health information (PHI) on your behalf qualifies as a business associate. That status triggers a signed business associate agreement (BAA) before a single record changes hands.

Your AP team pays every one of those vendors, which puts finance at the center of vendor risk whether the org maps it that way or not. A good share of them qualify as business associates, and the usual suspects are easy to spot once you lay them out.

  • Billing and revenue cycle firms
  • Coding and transcription partners
  • Collections agencies working patient balances
  • IT and cloud providers touching clinical systems
  • Document storage and shredding vendors

Plenty of vendors you pay never touch PHI at all. A pharmaceutical distributor or a medical equipment supplier often falls outside the business associate definition entirely. Knowing which vendors need an agreement and which don't is exactly the judgment an auditor expects finance to demonstrate. Scattered records make that judgment almost impossible to prove.

Health systems rarely work from a tidy vendor list, which raises the stakes. A regional system might pay thousands of vendors across hospitals, clinics, imaging centers, and physician groups, each one onboarded at a different time by different hands. Acquisitions pile on another layer, since every deal brings inherited vendors and inherited agreements of unknown quality. AP becomes the single place where all that payment activity converges, which makes it the natural starting point for any honest vendor risk review.

The exposure is moving toward you


For finance teams, vendor risk stopped being an IT talking point a long time ago. The American Hospital Association reported that more than
80% of stolen PHI records in recent breaches came from third-party vendors and business associates rather than the hospitals themselves. Verizon's 2025 Data Breach Investigations Report sharpens the point, with the share of breaches involving a third party doubling from 15% to 30% in a single year. The exposure is moving through the supply chain, and the payment relationship is one link in that chain.

Healthcare feels that shift harder than most sectors. Business associates were tied to roughly one-third of reported healthcare breaches through 2025, which connects vendor oversight directly to your compliance standing. A covered entity stays accountable for notifying patients and regulators even when the breach starts on a vendor's side of the fence.

The financial stakes match the regulatory ones. Healthcare breaches average $7.42 million, the highest of any industry for the 14th year in a row, according to IBM's Cost of a Data Breach research. They also take an average of 279 days to identify and contain, which is a long stretch to spend reconstructing who had access to what. Stack OCR penalties for missing agreements on top of that, and a quiet gap in AP turns into a board-level problem fast.

The enforcement pattern is worth sitting with. OCR closed 2025 with 21 settlements and civil monetary penalties, its second-busiest enforcement year on record, and the recurring findings read like a list of things finance tends to overlook. No documented risk analysis, thin safeguards around sensitive records, and weak business associate oversight surface again and again. Vendor oversight isn't a side issue in those cases. It's often the heart of them, which is why the AP function deserves a real seat in the conversation.

What to pull and verify before the year closes


None of this takes a forensic accountant. Matching active vendors to signed BAAs is table stakes, so confirm that baseline and spend your real attention on the parts that trip teams up.

  • Document vendor offboarding. When a business associate relationship ends, the BAA requires that vendor to return or destroy the PHI it held, and you want documentation proving it happened. Terminated vendors are a common audit miss, since the payments stop and everyone moves on.

  • Check retention against every clock. HIPAA requires you to keep compliance documentation, BAAs included, for six years from creation or the date last in effect. Centers for Medicare and Medicaid Services and Internal Revenue Service rules push financial record retention even longer, so the same vendor can sit under several overlapping windows at once.

  • Trace inherited vendors to the right paperwork. Every acquisition brings a batch of vendors onboarded under someone else's process, and their BAAs often still carry the target company's name instead of yours. Confirm which agreements actually transferred in the deal and which ones need re-signing, since an auditor won't honor a BAA that belongs to a company you absorbed.

  • Confirm each agreement is current, not just present. Agreements drift out of date as services expand or change, and a superseded version won't satisfy an auditor. Put a review on the calendar every year and archive prior versions rather than deleting them.

  • Audit access to the records themselves. The minimum necessary standard applies to your AP files when they reference PHI or sit right beside it. Confirm that agreements, approval trails, and payment records live under defined access controls rather than a shared drive half the team can open.

  • Clean up the vendor master. Duplicate records, stale banking details, and vendors no one can quite vouch for create both fraud risk and compliance noise. Confirming each vendor is real and correctly classified tightens payment security and sharpens your BAA inventory.

  • Pull the approval trails. For any meaningful payment, you want to show who approved it, when they approved it, and against what supporting documentation. A complete trail demonstrates control, and control is what OCR and your external auditors are really testing.

That list won't take long to work through, and finishing it tells you exactly where your exposure sits before any auditor ever calls. The harder part is keeping those records audit-ready the rest of the year, which is where manual processes start to buckle.

Where automation closes the gap


Manual AP scatters the exact records an audit demands. Agreements sit in one inbox, approvals in another, payment files on a drive nobody has opened in months. Reconstructing a vendor's full history under audit pressure becomes a multi-day scramble, and scrambles are where mistakes get made.

Automated AP and document workflows pull that information into one governed system. Every invoice, approval, and payment carries a timestamped trail by default, so the who and the when get captured as work happens instead of rebuilt under deadline. Vendor records, agreements, and payment history sit together under automated document management and stay retrievable on demand.

Retention becomes a setting rather than a hope. Records hold for the required window automatically, and access controls travel with them, so the minimum necessary standard holds without anyone policing it by hand. When an auditor asks for a single vendor's documentation, you produce it in minutes rather than days.

The volume problem eases too, and in healthcare that matters more than it sounds. A health system pushing tens of thousands of invoices a month can't manually confirm a business associate agreement behind each one. Automated matching ties every payment back to its vendor record and its approvals, so your coverage scales with the invoice count instead of cracking under it.

That shift changes the whole posture of the finance team. Audit-readiness stops being a quarterly fire drill and settles into a steady state. Your people spend their energy on 2027 planning instead of digging through old folders, and the compliance exposure that used to hide inside AP simply closes.

Beat the year-end scramble


HIPAA touches far more of accounts payable than a standard payment review ever captures. Vendor agreements, approval trails, and retention all sit squarely in finance's swim lane, and year-end is when those gaps tend to surface. Reviewing them now, while audit season is still months out, is the difference between a calm year-end and a frantic one. The teams that treat AP as part of their compliance posture, not just a payment function, are the ones who walk into an audit without flinching.

The fix is rarely more effort. It's better infrastructure, the kind that captures documentation as work happens and keeps it audit-ready by design. The same logic runs through finance, where automation only earns its keep once it tightens control instead of just moving work faster. onPhase helps healthcare finance teams keep the vendor records, approval trails, and retention controls that stand up to HIPAA scrutiny and year-end audits. The platform itself is HIPAA-compliant and holds SOC 1 and SOC 2 certifications.