Healthcare
CarePoint Health Systems
8,500 employees
April 11, 2026

How CarePoint Health Systems Achieved HIPAA Vendor Compliance Across 200+ BAAs

A regional health system managing 200+ business associate agreements deployed ThirdSentry to automate vendor risk assessments, close remediation gaps, and maintain continuous HIPAA compliance, reducing its OCR audit exposure by 75% as measured by an independent compliance assessment.

Key Results

  • 100% BAA vendor assessment coverage (up from 40%)
  • 47 critical findings remediated in Q1 (across 23 vendors)
  • 3 days average assessment completion time (down from 4 weeks)
  • 75% OCR audit exposure reduction (per independent compliance assessment)
  • 4 hours vendor-originating incident response time (down from 72 hours)

Customer Profile

CarePoint Health Systems operates 12 hospitals, 45 outpatient clinics, and a health plan across the mid-Atlantic region. With 8,500 employees and $3.2B in annual revenue, CarePoint relies on 200+ vendors with business associate agreements (BAAs) — from EHR systems and telehealth platforms to medical device manufacturers and billing services.

The Challenge

After a peer health system suffered a $4.75M OCR settlement tied to a business associate breach, CarePoint's CISO launched an urgent review of its vendor risk program. The findings were concerning:

  • Only 40% of BAA vendors had been assessed in the past 24 months
  • No systematic tracking of vendor security controls against HIPAA Security Rule requirements
  • Evidence of vendor compliance was scattered across departmental SharePoint sites
  • Three vendors had unresolved critical findings dating back 18+ months
  • The security team had no visibility into which vendors handled the highest volume of ePHI
  • Incident response plans didn't account for vendor-originating breaches

The Solution

CarePoint deployed ThirdSentry with a phased approach — critical BAA vendors first, then expanding to the full vendor portfolio over 90 days:

HIPAA-Aligned Assessment Templates

Pre-built questionnaires mapped to HIPAA Security Rule administrative, physical, and technical safeguards. AI scoring weighted by ePHI exposure level ensures the most sensitive vendor relationships receive the deepest scrutiny.

Evidence Vault

Centralized repository for vendor SOC 2 reports, penetration test results, BAA amendments, and security certifications — linked directly to assessment findings. Eliminated 15+ departmental SharePoint sites.

Risk-Based Tiering

AI-driven inherent risk scoring classified vendors by ePHI volume, access type, and criticality to patient care — ensuring assessment depth matched actual risk exposure.

Remediation Workflows

Every finding assigned to a vendor contact with defined SLAs. Automatic escalation to CarePoint's vendor management office when deadlines approach.

Compliance Calendar

Automated tracking of BAA renewal dates, annual assessment due dates, and evidence expiration across all 200+ vendors.

The Results

CarePoint's vendor risk posture transformed within the first quarter:

  • Achieved 100% BAA vendor assessment coverage within 90 days (up from 40%)
  • Identified and remediated 47 critical findings across 23 vendors in Q1
  • Average assessment completion time reduced from 4 weeks to 3 days
  • Evidence collection centralized — eliminated 15+ departmental SharePoint sites
  • OCR audit exposure reduced by 75% based on independent compliance assessment
  • Vendor-originating incident response time improved from 72 hours to 4 hours

Before ThirdSentry, our BAA compliance was a liability we couldn't quantify. Now we have continuous visibility into every vendor's security posture, and more importantly, we can prove it to OCR. The platform paid for itself when we identified a critical vulnerability in a vendor that handles 2 million patient records.

Dr. James Okafor

CISO, CarePoint Health Systems

Related Topics

HIPAA vendor compliance, healthcare TPRM, BAA management, OCR audit preparation, healthcare vendor risk, ePHI vendor oversight