In my experience, covered entities are really serious about signing BAAs with any of their hosting vendors and partners, as afaik the liability falls on the covered entity if they didn't have an agreement in place and data leaked from a vendor/partner.
See https://www.hhs.gov/hipaa/for-professionals/covered-entities... and https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-...
In my experience, covered entities are really serious about signing BAAs with any of their hosting vendors and partners, as afaik the liability falls on the covered entity if they didn't have an agreement in place and data leaked from a vendor/partner.