Every doctor I've been to makes me sign a paper that says I acknowledge all my data will be shared with all of their partners.
That doesn't mean any of those other companies are buying or selling that data.

The healthcare provider uses an EHR. They might have some managed service provider managing their IT assets and their EHR deployment. Two companies they have BAAs with. That EHR company could be cloud hosted, another BAA. They probably rely on other tools and contractors which might have BAAs. Later on when they go to bill they exchange that billing data through billing analysis tools (another BAA) and then submit to a clearing house (another BAA). All of those companies probably have companies they work with that potentially need BAAs as well, if they work directly with that PHI data in the role of working on behalf of that healthcare provider.

One trip to the doctor could potentially involve dozens of companies you've never heard of that might have a business use case to handle your healthcare data in some way or fashion and none of them actually sold that data or mishandled it under HIPAA.