Description
Annual Vendor Privacy & Security Review – Expanded Edition
Business Associate Oversight Template | Covered Entity & Hybrid Entity Use
Covered entities and hybrid entities may let a business associate create, receive, maintain or transmit PHI on their behalf only after obtaining satisfactory assurances that the associate will safeguard it (45 CFR 164.502(e) and 164.308(b)). HIPAA does not spell out a review cadence, but OCR treats those assurances as an ongoing obligation rather than a one-time signature, and an annual review of every active business associate relationship is the accepted way to document that the assurances still hold. This template gives you a structured, documentation-ready tool for completing that review in a way that holds up to OCR scrutiny and produces a defensible record for each vendor and each review cycle.
The Annual Vendor Privacy & Security Review Expanded Edition is built directly on 45 CFR Part 164, the HHS Sample BAA Provisions (January 25, 2013), and the OCR Audit Protocol. It also incorporates monitoring language tied to the HIPAA Security Rule NPRM (90 FR 898, January 6, 2025) so your oversight process reflects where federal enforcement is heading, not just current minimum standards.
What This Template Covers
Section 1 covers vendor profile, risk tier assignment, and system access detail. You document every PHI category the vendor touches, how access occurs, authentication methods, subcontractors with PHI access, and the number of user accounts. Getting this section right closes the access blind spots (unrecorded subcontractors, shared or orphaned accounts, undocumented access paths) that audit findings commonly trace back to.
Section 2 walks through a line-by-line check of all 13 required BAA provisions under 45 CFR 164.504(e)(2). Every provision includes its regulatory citation and practical guidance notes to help you spot absent or deficient language. A BAA Gap Summary table captures every missing element and the required remediation path.
Section 3 reviews 14 security and privacy control areas, each tied to a specific Security Rule standard or implementation specification. Control areas include access controls and minimum necessary, multi-factor authentication, encryption at rest and in transit, integrity controls, audit logging and activity review, incident response, vulnerability and patch management, assigned security responsibility, workforce security and sanctions, subcontractor management, data retention and disposal, physical safeguards, business continuity and disaster recovery, and periodic security evaluation. Each area uses a four-level gap severity scale with defined remediation timeframes.
Sections 4 through 10 cover AI and automated processing review, incident and breach history for the prior 12 months, overall risk rating and disposition decision, prior-year and current-year corrective action tracking, and a standalone assessment summary designed for leadership or compliance committee reporting. An approvals block supports four-signatory sign-off for high-risk vendor relationships.
Built for: Privacy Officers, Compliance Officers, and Information Security Managers at covered entities and hybrid entities responsible for annual business associate oversight under HIPAA. Also suited for compliance teams managing large vendor portfolios under a tiered risk classification framework.
Key Features
Complete BAA verification checklist with all 13 required provision elements, individual regulatory citations, and guidance notes for identifying deficient or missing contract language.
14-control security review matrix covering every major Security Rule standard and implementation specification, with evidence guidance referencing SOC 2, HITRUST, ISO 27001, penetration testing, and vendor attestation.
Dedicated AI and automated processing section with a BAA provision checklist specific to AI use, coverage of model training restrictions, AI subprocessor flow-down requirements, and operational human-review controls. This is an area most vendor review templates built before the current AI environment do not address.
Structured corrective action tracking with prior-year completion review and current-year action plan tables, gap severity ratings, responsible party fields, and target dates tied to the remediation timeframe scale.
NPRM forward-looking guidance on proposed requirements including mandatory MFA, six-month vulnerability scanning intervals, annual penetration testing, and a 72-hour critical system restoration standard. These are referenced as monitoring items that reflect proposed, not finalized, requirements.
Regulatory Foundation
Every checklist item and guidance note in this template is grounded in a specific HIPAA regulatory citation. The template draws from the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), the HHS Sample BAA Provisions (January 25, 2013), and the OCR Audit Protocol. Retention guidance references both 45 CFR 164.316(b)(2)(i) and 164.530(j)(2), which require completed review records to be retained for a minimum of six years from the date of creation or the date last in effect, whichever is later.
Delivery: Instant digital download. Includes the Annual Vendor Privacy & Security Review Expanded Edition in DOCX format, ready to complete for each active business associate relationship.