
Red Flag: The Vendor Requested Far More PHI Than the Service Required

by Walter Marino
May 23, 2026

By Robyn D. Marino | Friday, May 22, 2026


I almost gave a green light to a vendor deal in minutes. Then one line in the SOW changed what I did next.

What it actually gave the vendor access to was something else entirely.

On the surface, everything looked straightforward.

  • The MSA was clean.
  • The pricing made sense.
  • The business team was ready to move.
  • And yes, the BAA was already in place.

That’s where many teams stop — but a BAA alone doesn’t mean you’re covered.

It felt like a quick approval.

But when we looked more closely at the SOW, the picture shifted.

The vendor was requesting a significant amount of PHI, far beyond what was needed to perform the service.

Where the Real Risk Lives

That’s where the real risk started to take shape.

  • The data request didn’t align with the minimum-necessary standard under HIPAA.
  • The privacy implications were far broader than expected.
  • The operational exposure extended well beyond the contract itself.

And none of that was visible if you only looked at the MSA… or assumed the BAA was enough.

Because HIPAA compliance doesn’t stop at having a BAA in place.

It requires applying the minimum-necessary standard — only sharing the PHI that is actually needed for the service.

From Routine Engagement to Risk Decision

That moment changed how the deal was evaluated.

It wasn’t just a routine vendor engagement anymore — it became a data access and risk decision.

  • We re-scoped the data.
  • Tightened access.
  • Aligned everything with what was actually required.

The deal moved forward, but on very different terms.

Because in healthcare, risk doesn’t always sit where you expect it. Sometimes it lives in the document that gets the least attention.

For another example of how a single clause changed a healthcare deal’s trajectory, see “How One Clause Rewrite Protected Their Data and Future Growth” and “We Caught the Contract Flaw Just Before the CFO Signed.”

A Question for Your Team

How does your team approach SOW-level review when PHI is involved?

If your team is reviewing vendor agreements that involve PHI, the SOW often holds the real risk — not the MSA or BAA. At Global Link Law, we help healthcare organizations navigate HIPAA, vendor data access, and regulatory compliance from contract through execution. Our contract management team and digital health & technology practice work hand-in-hand on engagements like this one.

Learn more: Regulatory & Compliance practice area.

Book a 30-minute consultation with Robyn: https://calendly.com/rmarino-globallinklaw/30min


The analysis provided reflects general legal principles and commentary and may not apply to any specific situation. Reading this post does not create an attorney-client relationship with the author or their firm. If you have questions about how these issues may affect your organization, you should consult qualified legal counsel.
