Document ID: OPS-SOP-009 | Version: 1.0 | Date: March 2026 | Owner: Operations | Status: Draft — Pending Leadership Review
OPS-SOP-009 — Vendor Onboarding & BAA Execution
How Unity approves, onboards, and executes agreements with new vendors — including required BAAs for any PHI-touching entity.
Why this exists: Every vendor with access to protected health information (PHI) must have a signed Business Associate Agreement (BAA) before any data is shared. Onboarding without a BAA is a HIPAA violation. This SOP ensures every vendor is properly vetted, approved, and documented before engagement begins.
1. Vendor Categories & Triggers
| Vendor Type | BAA Required? | Examples |
| --- | --- | --- |
| TPA / PBM | Yes — mandatory | Allied Benefits, ProAct Rx |
| Clinical risk / analytics tools | Yes — mandatory | Gradient AI |
| COBRA administrator | Yes — mandatory | Varipro |
| FSA / HSA administrator | Yes — mandatory | Health Equity |
| ERISA / Legal counsel | Yes — mandatory | Dickinson Wright |
| Captive management | Yes — mandatory | SRS (Strategic Risk Solutions) |
| Marketing / advertising | No (no PHI access) | Dash Activate |
| Technology / dev | Only if accessing plan data | Quadratics / Flat World |
| Actuarial consultants | Yes — if accessing claims data | Davies Group |
| Finance / accounting | Only if accessing claims data | TBD |
CRITICAL: No claims data, member data, or PHI of any kind may be shared with a vendor until a BAA is fully executed and on file. This includes sending Excel files, report exports, Gradient AI uploads, or analytical datasets.
2. Onboarding Workflow
Step 1 — Request Initiated
Operations identifies need for new vendor. Documents in Asana task: vendor name, type, purpose, PHI access (yes/no), estimated annual cost, and requested start date.
Step 2 — W-9 Collection
Request W-9 from vendor contact before creating vendor record. W-9 required for Acumatica vendor setup. No vendor ID can be created without it. Attach W-9 to Asana task.
Step 3 — New Vendor Add/Change Form
Complete the Vendor Add/Change Request Form (Excel template). Required fields: entity name, TIN, contact name, address, phone/email, purpose, GL account and sub-account, approvals (Operations + Finance + Director). Submit to Finance for Acumatica entry.
Step 4 — Contract / MSA Review
Route vendor agreement to Compliance for review. For ERISA-adjacent vendors (TPA, PBM, captive management, actuarial): also route to ERISA Legal Counsel. Flag any indemnification, liability cap, data ownership, or termination clauses for legal sign-off. Do not sign until Compliance clears.
Step 5 — BAA Execution (if PHI)
If vendor touches PHI: obtain BAA before any data sharing. BAA must be signed by authorized signer (Operations Director or above). File signed BAA in BAA Registry (see Section 4). Update BAA Registry log. Notify ERISA Legal that BAA is executed.
Step 6 — Approvals & GL Coding
Operations Director approves all vendor onboardings. Engagements over $10,000/year require Primary Approver (Dr. Greg) sign-off. GL account assigned at setup — Finance confirms correct account before first invoice is processed.
Step 7 — Acumatica Vendor Record Created
Finance creates vendor record in Acumatica using approved Vendor Add/Change Form. Confirms vendor ID assigned. Notifies Operations. No invoices can be processed until vendor ID exists.
Step 8 — Onboarding Complete — Notify Stakeholders
Operations confirms vendor is active. Updates Asana task to Awaiting AJ Approval. Documents: Vendor Add Form, W-9, signed contract, signed BAA (if applicable), GL assignment.
3. Approval Authority
| Engagement Type | Required Approver(s) | Threshold |
| --- | --- | --- |
| Any new vendor (routine) | Operations Director | Under $10K/year |
| New vendor (significant) | Operations Director + Primary Approver | $10K/year or more |
| Any vendor with PHI access | Operations Director + Compliance | All amounts |
| ERISA-adjacent vendors (TPA, PBM, captive, actuarial) | Operations Director + Compliance + ERISA Counsel | All amounts |
4. BAA Registry
Maintain a running log of all executed BAAs. Stored in: [TBD — secure file location]
| Vendor | BAA Status | Executed Date | Renewal / Review Date | Notes |
| --- | --- | --- | --- | --- |
| Allied Benefits (TPA) | Pending — confirm | TBD | Annual | Embedded in Allied ASA |
| ProAct Rx (PBM) | Pending — CIF execution | TBD | Annual | BAA likely in CIF |
| Varipro (COBRA) | Confirm on file | TBD | Annual | |
| Health Equity (FSA/HSA) | Confirm on file | TBD | Annual | |
| SRS (Captive Mgmt) | Confirm on file | TBD | Annual | |
| Dickinson Wright (ERISA Legal) | Confirm on file | TBD | Annual | |
| Davies Group (Actuarial) | Confirm on file | TBD | Annual | Required before claims data shared |
| Gradient AI | NOT CONFIRMED — REQUIRED | TBD | Annual | Do NOT share claims data until BAA executed |
| Unity Care Solutions, LLC | Confirm on file | TBD | Annual | Program Administrator BAA |
ACTION REQUIRED: Gradient AI BAA status is unconfirmed. Do not share any claims data or member-level information with Gradient AI until a signed BAA is on file. Contact Davies Group or Gradient AI directly to obtain their standard BAA.
5. Required Documents Checklist
| Document | All Vendors | PHI-Touching Vendors |
| --- | --- | --- |
| W-9 | ✔ Required | ✔ Required |
| Vendor Add/Change Form (completed) | ✔ Required | ✔ Required |
| Signed vendor agreement / MSA | ✔ Required | ✔ Required |
| Compliance review sign-off | ✔ Required | ✔ Required |
| Signed BAA | Not required | ✔ Required — before any data sharing |
| ERISA Legal review sign-off | Not required | Required for TPA/PBM/captive/actuarial |
| Primary Approver sign-off | If $10K+/year | If $10K+/year |
Version History: v1.0 — March 2026 (initial draft). BAA Registry TBD entries require audit by Operations and Compliance before this SOP is marked Active.
OPS-SOP-009 | Unity Care Solutions, LLC — Internal / Confidential