How to run a vendor risk assessment as Independent Clinic Owner-Operators

Compliance & Legal · For Independent Clinic Owner-Operators · 4 apps · 11 steps · ~22 min to set up

Every independent clinic has a stack of vendor contracts no one has fully read since signing: the EHR subscription you auto-renewed, the billing clearinghouse agreement that has a 90-day termination window buried in section 14, the medical waste disposal contract that quietly rolled over at a 12% price increase, and the HIPAA Business Associate Agreements your malpractice carrier keeps asking you to produce on short notice. You don't have a general counsel. The contracts live in a Google Drive folder, a filing cabinet, or someone's email. When a vendor relationship goes sideways — or a payer audit asks for documentation — you spend a Tuesday afternoon reconstructing what you actually agreed to.

Outcome

What you'll set up

A living vendor registry that tracks every active contract, BAA status, renewal date, and termination window — pulled from your inbox and documents, not rebuilt from scratch each time
Automated alerts the week a renewal window opens or a vendor certification lapses, so you're deciding whether to renew instead of discovering you already auto-renewed
A repeatable vendor intake checklist that runs every time you add a new software tool, staffing agency, or service provider — including a browser-automated HIPAA compliance check against the vendor's public documentation
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail data on a schedule to scan for existing contracts and BAA correspondence. For vendor websites — checking published HIPAA compliance pages, security certifications, or terms of service — Starch automates that through your browser, no API needed. Your vendor registry and checklist templates live in the Knowledge Management app. Task Manager tracks open action items (get BAA signed, request certificate of insurance) with due dates and P1–P4 priority. Contract Lifecycle Management — coming soon — will handle formal contract drafting, e-signature collection, and a searchable clause library once it launches; in the meantime the registry and email scanning cover triage and tracking.

Prompts to copy
Build me a vendor risk registry that tracks vendor name, contract type (EHR, billing, staffing, supplies, BAA), contract start and end date, auto-renewal window, termination notice period, risk tier (high/medium/low based on whether they handle PHI), and last review date. Alert me 60 days before any renewal window opens.
Scan my Gmail inbox for any emails with attachments containing 'agreement', 'contract', 'BAA', or 'Business Associate' in the subject line from the last three years and summarize each one: vendor name, what we agreed to, and whether it has an expiration date.
Create a vendor onboarding checklist in my knowledge base: every new vendor who touches patient data needs a signed BAA, proof of cyber liability insurance, and a HIPAA compliance review before we go live. Flag any vendor in the registry missing these.
Every Monday, show me any vendor contracts expiring in the next 90 days, any BAAs not yet countersigned, and any open vendor risk tasks past their due date.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Gmail to Starch (scheduled sync). Tell Starch: 'Scan my inbox for the last three years and pull every email thread containing a contract, agreement, or BAA attachment. For each one, extract: vendor name, contract type, effective date, expiration or auto-renewal date, and termination notice period.' This surfaces the contracts you know you have and a few you forgot about.
2 Build the vendor risk registry as a Starch app. Prompt: 'Create a vendor registry table with columns for vendor name, category (clinical software, billing, staffing, facilities, supplies), PHI access (yes/no), BAA on file (yes/no), cyber insurance on file (yes/no), contract end date, auto-renewal window, termination notice days, risk tier, and last review date. Pre-populate it with what you found in my inbox.'
3 Set up a browser automation for vendor compliance checks. Prompt: 'For each vendor in my registry marked as PHI access = yes, go to their website and find their HIPAA compliance page, privacy policy, or security documentation. Summarize what you find and flag any vendor with no public compliance documentation.' Starch automates this through your browser — no API required for any of those vendor sites.
4 Wire up the Knowledge Management app with your vendor onboarding SOP. Prompt: 'Create a page called Vendor Onboarding Checklist. Required before any vendor with PHI access goes live: (1) signed BAA on file, (2) proof of cyber liability insurance minimum $1M, (3) browser compliance check complete, (4) owner-operator review and sign-off. Auto-assign this checklist as a Task Manager task every time I add a new PHI-access vendor to the registry.'
5 Build the renewal alert automation. The date that matters for an auto-renewing contract is the termination-notice deadline (contract end date minus the notice period), not the end date itself; once that deadline passes, the renewal is already committed. Prompt: 'Every Sunday night, check the vendor registry for any auto-renewing contract whose termination-notice deadline falls in the next 30 days, and any contract whose end date falls in the next 60 days. Create a P1 Task Manager task for each one with the vendor name, the deadline, and whether the default action is renew or cancel.'
6 Build the BAA gap report. Prompt: 'Show me every vendor in the registry where PHI access = yes and BAA on file = no. For each one, draft a short email requesting they send us a countersigned BAA, addressed from me, that I can review and send from Gmail.'
7 Run a one-time vendor risk tier assignment. Prompt: 'For each vendor in the registry, assign a risk tier: High = handles PHI or has billing system access; Medium = has access to scheduling or contact data but not clinical records; Low = no patient data access at all. Show me the full tiered list so I can review and override any.'
8 Set up a quarterly vendor review automation. Prompt: 'On the first Monday of every quarter, generate a vendor review summary: list all High-tier vendors, flag any whose last review date is more than 12 months ago, and create a P2 Task Manager task to schedule a review call or documentation update for each one.'
9 Use the Email Agent to handle ongoing vendor correspondence. Prompt: 'Any inbound email from a vendor that includes an attachment with contract, amendment, addendum, or renewal in the subject — flag it as high priority, summarize what they're asking me to sign or agree to, and add a task to review within 5 business days.'
10 When Contract Lifecycle Management launches (coming soon), connect the vendor registry to the CLM so every new contract gets drafted from a template with your standard termination language and BAA requirements baked in, routes to you for signature, and automatically updates the registry on execution.
11 Before any payer audit or malpractice carrier request, run: 'Pull all vendors in the registry where PHI access = yes, show me BAA status, last review date, and a link to the email thread where the BAA was exchanged. Export as a summary I can send to my attorney or carrier.' This takes two minutes instead of a Tuesday afternoon.
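The deadline and gap logic that steps 2, 5, 6 and 7 describe in prose, as an added Python example (this is not Starch code or a Starch app, and the `Vendor` fields, function names, run date and contract terms are all constructed for illustration; the vendor names mirror the worked example below but none of the dates or terms are those vendors' real agreements). It shows the two things an owner-operator most needs to get right: the notice deadline is contract end minus the notice period, and the BAA gap check keys off PHI access rather than vendor category.

```python
"""Registry triage logic behind steps 2, 5, 6 and 7 (added example, not Starch code).

Models the registry rows from step 2 and computes what the automations act on:
risk tier (step 7), renewal/termination deadlines (step 5) and BAA or insurance
gaps (step 6). All vendors, dates and contract terms below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vendor:
    name: str
    category: str
    phi_access: bool
    billing_access: bool
    contact_data_access: bool      # scheduling or contact data only, no clinical records
    baa_status: str                # "signed", "sent", "expired" or "none"
    cyber_insurance_on_file: bool
    contract_end: Optional[date]   # None for month-to-month with no fixed term
    auto_renews: bool
    termination_notice_days: int


def assign_tier(v: Vendor) -> str:
    """Step 7 rule: High if PHI or billing access, Medium if contact data only, else Low."""
    if v.phi_access or v.billing_access:
        return "High"
    if v.contact_data_access:
        return "Medium"
    return "Low"


def notice_deadline(v: Vendor) -> Optional[date]:
    """Last day to send termination notice before an auto-renewing contract locks in.

    For an auto-renewing agreement this date, not the contract end, is the one to
    alert on: once it passes the renewal is already committed.
    """
    if v.contract_end is None or not v.auto_renews:
        return None
    return v.contract_end - timedelta(days=v.termination_notice_days)


def triage(registry, today: date, renewal_horizon: int = 60, notice_horizon: int = 30):
    """Return the findings the weekly automation would turn into Task Manager tasks."""
    findings = []

    def add(v, priority, issue, days=None):
        findings.append({"vendor": v.name, "tier": assign_tier(v),
                         "priority": priority, "issue": issue, "days": days})

    for v in registry:
        # Step 6: a PHI-access vendor without a countersigned BAA is a P1 gap,
        # whether the BAA was never sent, sent but not returned, or has lapsed.
        if v.phi_access and v.baa_status != "signed":
            add(v, "P1", f"PHI access but BAA status is '{v.baa_status}'")
        # Step 4 checklist item: PHI-access vendors need a cyber liability certificate.
        if v.phi_access and not v.cyber_insurance_on_file:
            add(v, "P2", "PHI access but no cyber liability insurance on file")

        deadline = notice_deadline(v)
        if deadline is not None:
            days_left = (deadline - today).days
            if 0 <= days_left <= notice_horizon:
                add(v, "P1", f"termination notice deadline {deadline} is in {days_left} days", days_left)
            elif notice_horizon < days_left <= renewal_horizon:
                add(v, "P2", f"auto-renewal decision needed; notice deadline {deadline}", days_left)
            elif days_left < 0 and today <= v.contract_end:
                # Missed window: record it so nobody plans around a cancellation
                # that can no longer happen this term.
                add(v, "P2", f"notice deadline passed; contract auto-renews on {v.contract_end}", days_left)
        elif v.contract_end is not None:
            days_to_end = (v.contract_end - today).days
            if 0 <= days_to_end <= renewal_horizon:
                add(v, "P2", f"fixed-term contract ends {v.contract_end}; decide renew or replace", days_to_end)

    rank = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}
    findings.sort(key=lambda f: (rank[f["priority"]], f["vendor"]))
    return findings


TODAY = date(2026, 4, 8)   # constructed run date for the April sweep


def sample_registry():
    """Constructed rows; terms are illustrative, not any named vendor's real contract."""
    return [
        Vendor("Jane App", "clinical software", True, False, True, "signed", True, date(2027, 1, 1), True, 60),
        Vendor("Waystar", "billing", True, True, False, "sent", True, date(2026, 12, 31), True, 90),
        Vendor("Stericycle", "facilities", False, False, False, "none", False, date(2026, 5, 30), True, 30),
        Vendor("PatientConnect", "answering service", True, False, True, "signed", False, None, False, 0),
        Vendor("Local IT MSP", "IT services", True, False, False, "expired", True, date(2026, 9, 1), True, 60),
        Vendor("Clinic Supply Co (constructed)", "supplies", False, False, False, "none", False, date(2026, 5, 15), False, 0),
        Vendor("BookingTool (constructed)", "scheduling", False, False, True, "none", False, date(2026, 10, 1), False, 0),
    ]


def run_example():
    return triage(sample_registry(), TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['priority']} {f['tier']:6} {f['vendor']:32} {f['issue']}")
```

On the constructed data this produces three P1 findings (the Stericycle notice deadline 22 days out, the Waystar BAA still at 'sent', the MSP BAA expired) and two P2 findings (PatientConnect's missing insurance certificate, a fixed-term supply contract ending in 37 days). The `baa_status != "signed"` test is deliberately strict: a BAA that was sent but never countersigned gives you nothing in an audit, so it is treated the same as no BAA at all.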

Worked example

April 2026 Vendor Risk Sweep — Three-Provider Family Medicine Clinic

Sample numbers from a real run
EHR (Jane App) — PHI access, BAA on file
Billing clearinghouse (Waystar) — PHI access, BAA not countersigned
Medical waste disposal (Stericycle) — auto-renewal in 22 days, termination window closing
Answering service (PatientConnect) — PHI access, no cyber insurance on file
IT managed services (local MSP) — PHI access, BAA expired 8 months ago

The clinic owner ran the Gmail scan on a Wednesday morning. Starch surfaced 31 vendor-related email threads, and the registry pre-populated with 9 vendors. The browser automation ran against all 5 PHI-access vendors and came back with one flag: PatientConnect had no publicly visible HIPAA compliance documentation on their website. The renewal alert fired for Stericycle — the 30-day termination notice window was closing in 22 days, which no one had noticed. The owner had assumed the contract auto-renewed month-to-month; it actually locked in for another two years at a 9% price increase if no action was taken. A task was created automatically at P1. The BAA gap report found the Waystar BAA had been sent but never countersigned — Starch drafted the follow-up email in one prompt. The IT MSP BAA had a 2017 effective date with no renewal clause; the owner created a P2 task to get an updated agreement executed. Total time to go from 'contracts in a folder' to a complete risk registry with action items: about 90 minutes, most of it reviewing outputs rather than hunting documents.

Measurement

How you'll know it's working

% of PHI-access vendors with a current, countersigned BAA on file (target: 100%)
Days of advance notice before a contract auto-renewal window closes (target: 60+ days)
Number of High-tier vendors reviewed in the last 12 months
Time to produce BAA documentation on audit request (target: under 10 minutes)
Number of open vendor risk tasks past their due date (target: zero at any given Monday)
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Drive folder + calendar reminders
Most clinics are already doing this; it has no gap detection, no BAA status tracking, and the reminders require someone to set them manually — which only works until the person who set them leaves.
DocuSign + spreadsheet
Good for signature collection but doesn't scan your existing inbox for unsigned agreements, doesn't tier vendors by PHI risk, and requires manual upkeep of the tracking spreadsheet.
Ironclad or Contractbook (enterprise CLM)
Purpose-built for contract management but priced and scoped for companies with a legal team; overkill if you have 8–12 vendor relationships and no one whose job title includes 'counsel'.
Practice management consultant (annual audit)
Catches things you missed but costs $2,000–5,000 per engagement, produces a PDF you file away, and doesn't alert you when the next renewal window opens three months later.
Doing nothing until the malpractice carrier asks
The most common approach; works until a payer audit, a data breach, or an auto-renewal you didn't budget for makes it expensive.
On Starch (recommended)

One platform: email agent, knowledge management and task manager running on connected data, with contract lifecycle management coming soon. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

My EHR handles patient data — does Starch connect to Jane or SimplePractice?
Starch doesn't have a scheduled sync with EHR platforms like Jane or SimplePractice today. For vendor risk assessment specifically, you don't need to pull live EHR data — you're working with contracts and emails, which come from Gmail (scheduled sync) and your document storage. If your EHR has a web interface you log into, Starch can automate specific tasks through your browser. And if Jane or SimplePractice is in Starch's 3,000+ app integration catalog, the agent can query it live when your app runs.
Is Starch HIPAA-compliant? Can it actually read my vendor emails and contracts?
Starch is not SOC 2 Type II certified today, and SOC 2 is a different bar from HIPAA in any case; both are worth knowing before you connect it to anything containing PHI. For vendor risk assessment you are primarily working with contracts and correspondence about vendors, not patient records, which is a meaningfully different risk profile than connecting your EHR. Treat Starch as one more entry in your own registry: if any PHI will pass through it (a vendor email thread that quotes a patient record, for example), it needs a signed BAA like any other PHI-access vendor. Evaluate this with your privacy counsel based on what data you are actually routing through Starch.
Can Starch automatically request a BAA from a vendor and track whether they've signed it?
Yes, with a combination of the Email Agent (to draft and send the request from Gmail) and the Task Manager (to track the follow-up). Contract Lifecycle Management — coming soon — will add formal e-signature collection and countersignature tracking. Until then, Starch can draft the outbound email, remind you in 7 days if you haven't seen a reply, and let you mark the BAA as received in the registry manually.
What if a vendor's contract is a PDF in my filing cabinet, not in my email?
The Gmail scan only catches what's in your inbox. For contracts that exist only as physical documents or scanned PDFs stored locally, you'd upload those to a connected storage location — Google Drive, for example, which Starch can reach from its integration catalog — and then prompt Starch to extract the key terms. It's a one-time step for older contracts, and new contracts you receive by email get captured automatically going forward.
How often does the vendor registry update?
The registry itself is a Starch app you build and own — it updates when you or an automation writes to it. The Gmail sync runs on a schedule, so new vendor emails are picked up regularly. The renewal alert automation runs on whatever cadence you set (weekly is typical for a clinic of your size). You're not refreshing a dashboard manually; the alerts come to you when something needs attention.
What if the vendor's website has no HIPAA compliance page to check?
That's actually the finding — the browser automation flagging 'no public compliance documentation found' is more actionable than a clean result. When that happens, Starch creates a task to request their compliance documentation directly. Some legitimate vendors (especially small answering services or local MSPs) don't publish this publicly but will provide it on request. The absence of a public page is a prompt to ask, not automatically a disqualifier.

Ready to run a vendor risk assessment on Starch?

Request closed-beta access. Everything is free during beta.
