We spent eight weeks with forty independent dental practices, instrumenting their networks at the gateway with a passive observer and counting the third-party services that received PHI or PHI-adjacent data over the course of a typical workweek. We were testing a hypothesis we'd heard from compliance consultants for years: that the average independent practice has many more vendor relationships than its BAA list reflects. The hypothesis turned out to be conservative.
The median practice in our sample exchanged data with twenty-seven distinct external services. The interquartile range was twenty-one to thirty-four. The minimum was eleven; the maximum was forty-six. Of the median practice's twenty-seven services, the practice had a current, executed BAA with nine. Two of the remaining eighteen had a BAA on file that had expired. The other sixteen were unknown to the practice's compliance program — many of them unknown to the practice's leadership entirely.
This is the vendor-sprawl problem, and it's the single largest gap between what an independent practice's compliance program describes and what the practice's actual operations look like. Closing it is harder than it sounds. The first step is seeing the problem.
What we observed
The forty practices in our sample ranged from solo offices with two staff to multi-location groups with twenty-plus staff across three sites. We deployed passive monitoring at each network gateway for between five and ten business days, classified outbound connections that carried personally identifiable patient data or its proxies (appointment metadata, billing identifiers, demographic queries to external systems), and built a vendor inventory per practice from the resulting traffic.
The categories of services that appeared were predictable in kind, surprising in count.
Practice management and EHR. Every practice had at least one. Most had two — a primary EHR plus a practice-management system that integrated with it. Five practices had three, because they were mid-migration between EHRs and the old system was still active. All BAAs we observed were current for these primary vendors.
Imaging and diagnostic systems. Median two. Range zero to five. Cone-beam CT vendors, intraoral camera systems, perio-charting software, X-ray cloud-storage providers. About sixty percent had a BAA in place. The most common gap: the cloud-storage provider that the imaging vendor used as a sub-processor was not separately under BAA, and the practice didn't know about the sub-processor relationship.
Billing, insurance, and revenue cycle. Median three. Range one to seven. Clearinghouses, insurance verification services, statement printers, collection-agency software. BAAs were generally in place for the named vendor; sub-processors were generally not separately accounted for.
Patient communication. Median four. Range one to nine. Appointment-reminder services, two-way SMS platforms, patient-portal vendors, reputation-management services that solicited reviews after visits. About forty percent had any BAA at all. The reputation-management vendors were the most consistent gap; many of them transmit appointment confirmations or post-visit identifiers without practices realizing the data they're handling counts as PHI.
Marketing and analytics. Median three. Range one to eight. Website analytics, ad pixels, email-marketing services, CRM tools. We classified PHI exposure here narrowly — only flows that included identifiable patient data. Even by that narrow measure, eighty-five percent of practices had at least one marketing-stack flow that exposed PHI to a vendor without a BAA.
Office operations. Median four. Range two to eleven. HR systems, accounting platforms, IT-management software, supply ordering, equipment maintenance vendors with remote access. BAA coverage was inconsistent. The most consistent gap: IT-management vendors with remote support tools running on workstations that touch PHI.
Communications and collaboration. Median three. Range one to six. Email providers, video conferencing, internal chat, file storage. BAA coverage was high for primary email but consistently low for the secondary tools — practices that signed a Workspace BAA often had no BAA with the file-sharing or chat-collaboration tools their staff also used.
Other. Median three. Range zero to eight. Form-builders, scheduling tools, payroll add-ons, local network-attached storage with cloud backup, miscellaneous browser extensions installed on practice workstations.
Why the count is what it is
Twenty-seven feels high until you list them out by category. Then it feels obvious. The compounding effect that produces these numbers is the same one that produces enterprise-IT sprawl in Fortune 500 companies — except the independent practice has no IT department to track it and no architecture team to gate it.
Each individual decision to adopt a tool was reasonable. The patient-communication vendor was added because patients wanted SMS reminders. The marketing CRM was added because the practice needed to manage referral relationships. The video conferencing was added because the practice expanded into telehealth in 2020 and never undid the change. None of these decisions, in isolation, would draw scrutiny. The compounding result, in aggregate, is the practice quietly developing a data-flow architecture that nobody designed and nobody fully understands.
The compliance program documents the relationships that the compliance officer knows about. The relationships that nobody asked the compliance officer about don't appear. The aggregator services — the platforms that other vendors use as their backend — are particularly invisible because the practice's relationship is with the named vendor, not the sub-processor handling the actual data.
What this means for the compliance program
A practice with twenty-seven vendor relationships and nine BAAs is, on paper, in violation of HIPAA's business-associate requirements for the eighteen relationships without coverage. In practice, OCR enforcement targets practices selectively — usually after a breach. The eighteen-vendor gap is the latent risk that becomes the actual risk when one of those vendors has an incident.
This is not a documentation problem; the documentation will reflect reality once you know reality. It's a discovery problem. The eighteen relationships are real. The data is flowing. The compliance officer doesn't know.
Three approaches to closing the gap
Network-level discovery, repeated quarterly. The most reliable way to find the vendor list is to look at the network traffic. Modern firewalls and gateway appliances can categorize outbound connections by destination service. A quarterly review of that report — not by IT alone, but by the compliance officer with IT — surfaces the new vendors that staff added since the last review. The cost is operational time, not new tooling. The discipline is what matters; the tools are usually already in place.
Procurement gate. A policy that no software is installed on a practice workstation, no service is signed up for, and no integration is added to an existing system without compliance review and BAA execution. This is harder to operate than to write — staff will resist a process that adds friction to their work — but it's the structural fix. Every practice in our sample that had a procurement gate also had a substantially smaller delta between actual vendor count and known vendor count.
Sub-processor inventory. A request to every primary vendor for their current sub-processor list, captured in a spreadsheet, refreshed annually. Most major SaaS vendors publish this list voluntarily. For the ones that don't, the BAA itself usually entitles the practice to ask. The result is a downstream-of-vendors view that the practice's own compliance program will never see directly.
What independent practices should do this month
Look at your gateway traffic for one week and count the unique external services that appear. If you don't have access to that report, ask your IT vendor for one — most can produce it from their existing tools in an afternoon. Compare the count to your BAA list. The number you find will not be the number you thought.
Then pick the highest-PHI-exposure category that surprised you, and start there. The most common starting point in our sample was patient-communication services — practices were consistently surprised by how many notification, reminder, and review-request platforms had been added incrementally without BAA coverage.
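The reconciliation described above (count the distinct external services in a week of gateway traffic, compare them to the BAA list, then find the category with the biggest gap), as an added example that is not part of the original study or any vendor tool. The log format, host names, categories and BAA dates are all constructed; a real gateway export would need its own parser in place of parse_log.

```python
from collections import Counter
from datetime import date

# Constructed sample of a gateway's outbound-connection log (not real traffic):
# timestamp  src_ip  dst_host  category
GATEWAY_LOG = """\
2024-03-04T08:02:11 10.0.1.12 ehr.example-dental-cloud.test ehr
2024-03-04T08:05:43 10.0.1.14 remind.example-sms.test patient-comms
2024-03-04T08:05:50 10.0.1.14 remind.example-sms.test patient-comms
2024-03-04T09:15:02 10.0.1.20 reviews.example-rep.test patient-comms
2024-03-04T10:40:17 10.0.1.12 clearing.example-claims.test billing
2024-03-04T11:01:09 10.0.1.30 pixel.example-ads.test marketing
2024-03-04T12:22:45 10.0.1.14 xray-store.example-imaging.test imaging
2024-03-04T13:00:00 10.0.1.14 remote.example-itsupport.test office-ops
"""

# Constructed BAA register: host -> expiry date of the executed BAA.
BAA_REGISTER = {
    "ehr.example-dental-cloud.test": date(2025, 1, 31),
    "clearing.example-claims.test": date(2025, 6, 30),
    "remind.example-sms.test": date(2023, 12, 31),  # lapsed
}
AUDIT_DATE = date(2024, 3, 8)  # constructed date of the review

def parse_log(text):
    """Return {host: (category, hit_count)} for each distinct external service."""
    hosts = {}
    for line in text.strip().splitlines():
        _ts, _src, host, category = line.split()
        cat, n = hosts.get(host, (category, 0))
        hosts[host] = (cat, n + 1)
    return hosts

def reconcile(services, register, today):
    """Split observed services into covered / expired-BAA / no-BAA buckets."""
    result = {"covered": [], "expired": [], "unknown": []}
    for host in sorted(services):
        expiry = register.get(host)
        if expiry is None:
            result["unknown"].append(host)
        elif expiry < today:
            result["expired"].append(host)
        else:
            result["covered"].append(host)
    return result

def gaps_by_category(services, reconciled):
    """Count uncovered (expired or no BAA) services per category, largest first."""
    uncovered = reconciled["expired"] + reconciled["unknown"]
    return Counter(services[h][0] for h in uncovered).most_common()
```

On the constructed sample this finds seven distinct services, two under current BAA, one with a lapsed BAA and four with none, and patient communication as the category with the most uncovered services, which is the starting point the text recommends.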
Vendor sprawl isn't a moral failing. It's the predictable result of small organizations adopting tools at the speed software gets cheap and easy. The fix isn't asking staff to stop adopting tools. The fix is having a process that catches them when they do.