Six vendors, six BAAs: the hidden cost of telehealth sprawl


Nobody sets out to build a twelve-vendor stack. It happens one urgent problem at a time: a telehealth tool for COVID, a new patient messaging app because the EHR’s portal is unusable, a billing add-on because claims started failing, a documentation assistant because clinicians are underwater. Each purchase solves a narrow pain. Together they create a system no one would design on purpose—multiple logins, conflicting sources of truth, and a compliance footprint that grows every time legal reviews another Business Associate Agreement.

This essay is about the full cost of that sprawl: not just dollars, but time, risk, and cognitive load. It is also a playbook for consolidation that respects reality—your staff cannot stop seeing patients while you replatform the universe. We will talk about phasing, integrations first, how to measure success, and what “one platform” should mean so you do not trade six vendors for one vendor that still outsources half your PHI to unnamed subprocessors.

The hidden line items on the spreadsheet

Direct subscription fees are obvious. Less obvious are legal review hours, security questionnaire cycles, duplicate training, SSO exceptions, and the operational tax of reconciliation: billing pulling from one system, clinical documentation in another, scheduling in a third. Every month finance closes books by stitching spreadsheets. That work is not free; it is just invisible until someone quits or an auditor finds a gap.

Breach surface scales worse than linearly. Six vendors mean six incident response playbooks, six notification clauses, six places where an API key can leak. Insurance and enterprise customers know this—they increasingly ask not “are you HIPAA compliant” but “how many BAAs does it take to deliver a telehealth visit end-to-end?”

When “best-of-breed” becomes worst-of-operations

Best-of-breed made sense when integration was cheap. In regulated healthcare, integration is never cheap: every hop is a potential HIPAA event, every sync job is a delay, every CSV export is a mistake waiting to happen. The organizations that win are not the ones with the best point solutions—they are the ones with the fewest seams.

Phase one: integrations and truth, not rip-and-replace

The least risky consolidation path starts with making systems talk before you delete one. That means HL7 v2 and FHIR bridges, reliable webhooks, and a single encounter ID that propagates from scheduling through documentation to billing. That work is unglamorous; it is also what lets you run parallel traffic without lying to patients about what is in their chart.

Parallel runs are how you earn trust: pick a cohort of providers, run the new workflow alongside the old, measure discrepancies, and only cut over when rollback is still boring. If your vendor insists on a single weekend where everything changes, ask why they are not confident in incremental migration.
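One way to measure those discrepancies during a parallel run, shown as an added example rather than code from this essay or from any vendor: join each system's export on the shared encounter ID and flag encounters that are missing, duplicated, or inconsistent. The feed names, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

FIELDS = ("patient_id", "provider_id", "date")  # assumed fields shared by all exports

def rec(eid, patient, provider, date):
    return {"encounter_id": eid, "patient_id": patient, "provider_id": provider, "date": date}

# Constructed sample exports from a parallel run (synthetic IDs, no real data).
FEEDS = {
    "scheduling": [rec("E-1001", "P-01", "DR-7", "2024-03-04"),
                   rec("E-1002", "P-02", "DR-7", "2024-03-04"),
                   rec("E-1003", "P-03", "DR-9", "2024-03-05"),
                   rec("E-1004", "P-04", "DR-9", "2024-03-05")],
    "documentation": [rec("E-1001", "P-01", "DR-7", "2024-03-04"),
                      rec("E-1002", "P-02", "DR-8", "2024-03-04"),   # provider differs
                      rec("E-1003", "P-03", "DR-9", "2024-03-05")],  # E-1004 has no note
    "billing": [rec("E-1001", "P-01", "DR-7", "2024-03-04"),
                rec("E-1002", "P-02", "DR-7", "2024-03-04"),
                rec("E-1003", "P-03", "DR-9", "2024-03-05"),
                rec("E-1003", "P-03", "DR-9", "2024-03-05"),         # duplicate claim
                rec("E-1004", "P-04", "DR-9", "2024-03-05")],
}

def reconcile(feeds):
    """Join every feed on encounter_id and report where the systems disagree.

    The report names encounter IDs, systems and field names only, never field
    values, so the discrepancy log does not become another copy of PHI.
    """
    by_id = defaultdict(dict)
    duplicates = []
    for system, records in feeds.items():
        for r in records:
            if system in by_id[r["encounter_id"]]:
                duplicates.append((r["encounter_id"], system))
            by_id[r["encounter_id"]][system] = r
    missing, mismatched = {}, {}
    for eid, seen in by_id.items():
        absent = [s for s in feeds if s not in seen]
        if absent:
            missing[eid] = absent
        differing = [f for f in FIELDS if len({r[f] for r in seen.values()}) > 1]
        if differing:
            mismatched[eid] = differing
    flagged = set(missing) | set(mismatched) | {eid for eid, _ in duplicates}
    rate = len(flagged) / len(by_id) if by_id else 0.0
    return {"missing": missing, "mismatched": mismatched,
            "duplicates": duplicates, "discrepancy_rate": rate}
```

Tracking `discrepancy_rate` per cohort over successive runs gives a concrete number to hold against the cutover decision.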

Consolidation is a risk reduction exercise disguised as a software purchase.

Phase two: contract consolidation and BAA posture

Once data flows, you can collapse vendor count without losing capabilities. The goal is one coherent story for legal: who touches PHI, where it lives, how long it is retained, and what subprocessors are allowed. If your platform vendor still hides five AI subprocessors behind vague “may use service providers” language, you have not consolidated risk—you have concentrated it.

How teleclinicos thinks about “one platform”

We are not trying to be every EHR; we are trying to be the operating layer where telehealth, AI-assisted documentation, messaging, and revenue workflows share one scope of control, on infrastructure you can name. Fewer BAAs, fewer midnight spreadsheets, fewer apologies to patients when something breaks because the video vendor blames the scheduling vendor.