Annual Vendor Privacy & Security Review Template

This free HIPAA vendor review template (Annual Vendor Privacy & Security Review Template) gives covered entities and hybrid entities a professionally formatted, regulation-grounded form for conducting annual business associate oversight reviews. Complete all eight sections (vendor profile, BAA compliance, security and privacy controls, incident history, risk rating, corrective actions, approvals, and attachments) and retain completed forms as documentation of your organization's ongoing vendor management program. Built on 45 CFR Part 164 and aligned with the HHS sample BAA provisions. Microsoft Word (.docx), fully editable, instant download.

This template is also included in Privacy Bundle, Security Bundle, Compliance Essentials and Program in a Box.

Description

Free Download | HIPAA Essentials Library

Ongoing oversight of business associates is not optional under HIPAA: obtaining and maintaining satisfactory assurances from each business associate is a documented compliance obligation, and an annual review is the standard way to evidence it. This free template gives your organization a structured, professionally formatted form for completing that review every year, with every required element in place and nothing left to guess.

Why Annual Vendor Reviews Are a HIPAA Requirement

Covered entities and hybrid entities are required under the HIPAA Privacy Rule (45 CFR §164.502(e)(1) and §164.504(e)) and the Security Rule (45 CFR §164.308(b)(1), §164.314(a)(1) and §164.308(a)(1)) to obtain satisfactory assurances that their business associates are appropriately safeguarding protected health information, and to implement ongoing risk management activities under the Security Management Process standard (45 CFR §164.308(a)(1)(ii)(B)). Signing a business associate agreement is the starting point, not the end of the obligation. The regulation does not prescribe a fixed review interval; an annual cycle is the widely adopted cadence for demonstrating that this ongoing obligation is being met.

OCR audit protocols and resolution agreements consistently document that covered entities with active BA relationships but no systematic oversight process are exposed to significant compliance risk. A completed annual review, retained as required by 45 CFR §164.316(b)(2)(i) for six years from the date of its creation or the date it was last in effect, whichever is later, is the evidence that your oversight program is operating.

This template gives you a complete, regulation-grounded form for conducting that review. It covers all eight areas a thorough annual BA oversight review should address, from BAA provision compliance through security controls, incident history, risk disposition, and formal approvals.

What Is Included

  • Section 1 — Vendor Profile: Vendor name, services provided, contract ID, primary contact, and a full PHI and system access summary field documenting what data the vendor accesses and how.
  • Section 2 — Contractual and HIPAA Status: Business associate classification checkboxes, BAA execution and date tracking, and a 14-row provision checklist covering all required BAA elements under 45 CFR §164.504(e)(2) and the HHS sample BAA provisions — including permitted uses and disclosures, individual rights support, HHS access to records, and termination authority.
  • Section 3 — Security and Privacy Controls Review: An 11-row controls assessment table with Adequate, Gap Identified, and N/A columns, plus an evidence notes field. Control areas include access controls, MFA, encryption, audit logging, security incident response, vulnerability management, workforce training, subcontractor oversight, data disposal, physical safeguards, and business continuity. Each row includes its governing Security Rule citation.
  • Section 4 — Incidents and Breaches: Incident-free attestation checkbox, incident occurrence field with summary reference, and attestation basis documentation.
  • Section 5 — Risk Rating and Disposition: Low, Moderate, and High risk rating fields with four disposition options: Accept, Accept with Conditions, Remediate, and Replace or Terminate.
  • Section 6 — Corrective Actions: Required actions, target completion date, and responsible party fields.
  • Section 7 — Approvals: Three-signature approval block for the reviewer, Privacy Officer or designee, and IT or Security Reviewer.
  • Section 8 — Attachments Checklist: Six-item checklist for current BAA, security questionnaire, SOC 2 or HITRUST reports, incident summaries, corrective action plans, and other supporting documentation.

Regulatory Basis

This template is built directly on the requirements of the HIPAA Privacy Rule (45 CFR §164.504(e)) and the HIPAA Security Rule (45 CFR §§164.308, 164.310, 164.312, and 164.314). The BAA provision checklist reflects all required contract elements identified in the HHS sample business associate agreement provisions published January 25, 2013, and confirmed against the current Electronic Code of Federal Regulations. The six-year minimum retention requirement stated in the instructions is drawn directly from 45 CFR §164.316(b)(2)(i). Each Security Rule citation appears inline with its corresponding control row.

The Security and Privacy Controls section reflects the Security Rule's required and addressable implementation specifications under the Administrative Safeguards (45 CFR §164.308), Physical Safeguards (45 CFR §164.310), and Technical Safeguards (45 CFR §164.312) standards, including vulnerability management under the Security Management Process standard (45 CFR §164.308(a)(1)), which OCR has identified as a primary focus of its current audit and enforcement activity.

This Template Is Designed For

HIPAA covered entities — including hospitals, physician practices, dental offices, behavioral health providers, home health agencies, and health plans — as well as hybrid entities conducting annual oversight reviews of active business associate relationships. Also appropriate for compliance officers, privacy officers, and health care attorneys building or auditing a BA management program.

Format and Delivery: Microsoft Word (.docx), fully editable. Instant download upon checkout. Complete one copy per vendor per review cycle. Retain completed forms for a minimum of six years as required by 45 CFR §164.316(b)(2)(i). A free resource from HIPAA Essentials Library.