HIPAA Vendor Risk Assessment Checklist: Step-by-Step Guide & Template



Kevin Henry

Risk Management

February 10, 2026

7 minutes read

Vendor Inventory and Classification

Start by building a complete, living inventory of every third party that touches your operations. Record who has access to Protected Health Information (PHI), what data they handle, and why. This foundation lets you focus controls where risk is highest and prove diligence with a clear Compliance Audit Trail.

Step-by-step

  • Compile a master vendor list from procurement, finance, IT, legal, and department owners.
  • For each vendor, document services provided, systems integrated, PHI data elements, data flows, and hosting locations.
  • Identify role: Business Associate, Covered Entity peer, or non-PHI service provider.
  • Assess Vendor Subcontractor Compliance: list subcontractors and whether PHI is shared downstream.
  • Classify risk level using objective criteria: PHI volume/sensitivity, access method (networked/system admin vs. file transfer), criticality to care/operations, and history of security events.
  • Assign a vendor owner and review cadence based on risk tier.

Template

  • Vendor name | Service | Owner | BA status (Y/N) | PHI types | Data flows | Hosting (cloud/on‑prem) | Subcontractors (Y/N) | Risk tier (High/Med/Low) | Review frequency
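As an added example (not part of the article or of Accountable's own tooling), the classification step above can be turned into a small scoring routine that feeds the inventory template. The point values per criterion, the tier thresholds, and the review cadence table (taken from the monitoring section: quarterly, annual, biennial) are assumptions of this example, and the vendors are fictional.

```python
from dataclasses import dataclass

# Scores for the checklist's objective criteria. The point values, the tier
# thresholds and the cadence table are assumptions of this example.
PHI_SENSITIVITY = {"none": 0, "limited": 1, "full_records": 3}
ACCESS_METHOD = {"none": 0, "file_transfer": 1, "networked": 2, "system_admin": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2}
REVIEW_CADENCE_MONTHS = {"High": 3, "Medium": 12, "Low": 24}  # quarterly / annual / biennial


@dataclass
class Vendor:
    name: str
    service: str
    owner: str
    phi_types: str                  # e.g. "names, MRNs, diagnoses"; "" when no PHI is handled
    phi_sensitivity: str            # key of PHI_SENSITIVITY
    access_method: str              # key of ACCESS_METHOD
    criticality: str                # key of CRITICALITY
    prior_incidents: int            # security events in the vendor's history
    hosting: str                    # "cloud" or "on-prem"
    subcontractors_handle_phi: bool

    def role(self) -> str:
        # A vendor that creates, receives, maintains or transmits PHI on your behalf is a
        # Business Associate and needs a BAA before any data exchange; the rest are non-PHI.
        return "Business Associate" if self.phi_sensitivity != "none" else "non-PHI service provider"


def risk_score(v: Vendor) -> int:
    """Sum the objective criteria into one inherent-risk score."""
    for table, key in ((PHI_SENSITIVITY, v.phi_sensitivity),
                       (ACCESS_METHOD, v.access_method), (CRITICALITY, v.criticality)):
        if key not in table:
            raise ValueError(f"{v.name}: unknown criterion value {key!r}")
    score = PHI_SENSITIVITY[v.phi_sensitivity] + ACCESS_METHOD[v.access_method] + CRITICALITY[v.criticality]
    score += min(v.prior_incidents, 2)   # incident history counts, capped so it cannot dominate
    if v.subcontractors_handle_phi:
        score += 1                       # downstream PHI sharing widens the exposure
    return score


def risk_tier(score: int) -> str:
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def classify(v: Vendor) -> dict:
    score = risk_score(v)
    tier = risk_tier(score)
    return {"score": score, "tier": tier, "role": v.role(),
            "baa_required": v.role() == "Business Associate",
            "review_months": REVIEW_CADENCE_MONTHS[tier]}


def inventory_row(v: Vendor) -> str:
    """One pipe-delimited line of the inventory template (access method stands in for data flows)."""
    c = classify(v)
    cells = [v.name, v.service, v.owner, "Y" if c["baa_required"] else "N", v.phi_types or "-",
             v.access_method, v.hosting, "Y" if v.subcontractors_handle_phi else "N",
             c["tier"], f"every {c['review_months']} months"]
    return " | ".join(cells)


# Constructed sample inventory (fictional vendors).
SAMPLE_VENDORS = [
    Vendor("Northwind EHR Hosting", "Hosted EHR platform", "CIO", "full medical records",
           "full_records", "system_admin", "high", 0, "cloud", True),
    Vendor("Acme Claims Clearinghouse", "Claims submission", "Revenue Cycle Dir.",
           "names, DOB, CPT codes", "limited", "file_transfer", "medium", 1, "cloud", False),
    Vendor("Office Supply Co", "Stationery", "Facilities", "", "none", "none", "low", 0, "on-prem", False),
]


def classify_all(vendors=SAMPLE_VENDORS) -> dict:
    return {v.name: classify(v) for v in vendors}


if __name__ == "__main__":
    print("Vendor | Service | Owner | BA status | PHI types | Access | Hosting | Subcontractors | Risk tier | Review frequency")
    for vendor in SAMPLE_VENDORS:
        print(inventory_row(vendor))
```

The scoring is deliberately additive and transparent so that an auditor can trace a tier back to the criteria that produced it; keeping the weights in one table also makes it easy to record when and why they were changed.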

Business Associate Agreements

A Business Associate Agreement (BAA) is the contractual backbone for sharing PHI with vendors. It sets permissible uses, required safeguards, Breach Notification Procedures, and flow-down duties to subcontractors, forming a defensible Compliance Audit Trail.

Step-by-step

  • Determine if the vendor creates, receives, maintains, or transmits PHI on your behalf; if so, a BAA is required before data exchange.
  • Confirm core BAA terms: permitted use/disclosure, minimum necessary, Security Rule safeguards, breach/incident reporting, subcontractor obligations, right to audit, and termination with return or destruction of PHI.
  • Route for legal review and signature; store the countersigned BAA centrally with version control.
  • Verify Vendor Subcontractor Compliance by requiring BAAs with any downstream entities that handle your PHI.

Template

  • BAA status (Pending/Executed/Expired) | Effective date | Parties | Scope of PHI | Safeguards summary | Breach reporting SLA | Subcontractor flow-down (Y/N) | Audit rights | Termination/return-destroy terms | Repository link/ref ID

Security and Compliance Assessments

Evaluate each vendor’s controls with a structured Security Controls Assessment. Combine questionnaires, document reviews, and evidence sampling to validate that administrative, physical, and technical safeguards protect PHI to HIPAA standards.

Step-by-step

  • Request artifacts: security policies, network diagrams, data flow maps, encryption details, access control standards, vulnerability/patch management, logs/monitoring, incident response plan, business continuity/disaster recovery, training records, and recent audits.
  • Test key technical controls: MFA and unique IDs, least privilege, encryption in transit/at rest, key management, configuration baselines, secure SDLC and change control, endpoint protection, logging with alerting, backups and restore tests.
  • Review administrative/physical safeguards: workforce training, background checks, facility access, environmental protections, and device/media handling.
  • Check Vendor Subcontractor Compliance evidence: contracts, BAAs, and oversight process for downstream providers.
  • Document findings with severity, evidence, and ownership; capture outcomes in your Compliance Audit Trail.

Template

  • Control domain | Requirement | Evidence reviewed | Gaps/risks | Severity (H/M/L) | Remediation actions | Owner | Due date | Status

Risk Assessment and Mitigation

Translate assessment results into a prioritized Risk Mitigation Plan. Estimate likelihood and impact for each risk to PHI, determine residual risk after existing controls, and approve treatment decisions before go‑live or renewal.


Step-by-step

  • Create a risk register covering threats such as unauthorized access, misconfiguration, insecure data transfer, lost media, and ransomware.
  • Score inherent risk, list current controls, and recalculate residual risk to focus effort where it matters most.
  • Select treatment: mitigate (add controls), transfer (insurance/contract), avoid (change scope), or accept (documented sign‑off).
  • Publish the Risk Mitigation Plan with owners, milestones, and acceptance criteria; require closure for high risks before PHI sharing.
  • Log all decisions and approvals to maintain a complete Compliance Audit Trail.

Template

  • Risk ID | Description | Inherent (L/I) | Existing controls | Residual (L/I) | Treatment | Action items | Owner | Target date | Approval/sign‑off
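The register steps above (inherent scoring, credit for existing controls, residual recalculation, treatment selection, closure of high risks before PHI sharing, and a log of every decision) are shown below as an added example; it is not code from the article or from Accountable. The 1-5 likelihood/impact scale, the High/Medium/Low thresholds on the product, the rule that a High residual risk cannot simply be accepted, and the sample risks for a fictional hosted-EHR vendor are all assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


def band(score: int) -> str:
    """Map a likelihood x impact product (1-25) to High/Medium/Low. Thresholds are an assumption."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off likelihood (1-5 scale)
    impact_reduction: int = 0       # points taken off impact (1-5 scale)


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                  # inherent likelihood, 1-5
    impact: int                      # inherent impact, 1-5
    owner: str
    existing_controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None  # mitigate / transfer / avoid / accept
    status: str = "open"

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual_li(self):
        # Residual = inherent minus credit for controls in place, floored at 1 on each axis.
        lr = sum(c.likelihood_reduction for c in self.existing_controls)
        ir = sum(c.impact_reduction for c in self.existing_controls)
        return max(1, self.likelihood - lr), max(1, self.impact - ir)

    def residual(self) -> int:
        l, i = self.residual_li()
        return l * i

    def row(self) -> str:
        """One line of the register template: Risk ID | Description | Inherent | Controls | Residual | ..."""
        rl, ri = self.residual_li()
        return " | ".join([self.risk_id, self.description, f"{self.likelihood}/{self.impact}",
                           ", ".join(c.name for c in self.existing_controls) or "-", f"{rl}/{ri}",
                           self.treatment or "undecided", self.owner, self.status])


class RiskRegister:
    TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}

    def __init__(self) -> None:
        self.risks = {}
        self.audit_trail = []   # every decision and approval: the Compliance Audit Trail

    def _log(self, risk_id: str, action: str, actor: str, on: date, **details) -> None:
        self.audit_trail.append({"date": on.isoformat(), "risk_id": risk_id,
                                 "action": action, "actor": actor, **details})

    def add(self, risk: Risk, actor: str, on: date) -> None:
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
            raise ValueError(f"{risk.risk_id}: likelihood and impact must be on a 1-5 scale")
        self.risks[risk.risk_id] = risk
        self._log(risk.risk_id, "added", actor, on, inherent=risk.inherent(), residual=risk.residual())

    def decide(self, risk_id: str, treatment: str, approver: str, on: date) -> None:
        if treatment not in self.TREATMENTS:
            raise ValueError(f"unknown treatment {treatment!r}")
        risk = self.risks[risk_id]
        # Policy assumption of this example: a High residual risk may not simply be accepted,
        # because the checklist requires closure of high risks before PHI is shared.
        if treatment == "accept" and band(risk.residual()) == "High":
            raise ValueError(f"{risk_id}: High residual risk must be mitigated, transferred or avoided")
        risk.treatment = treatment
        self._log(risk_id, f"treatment={treatment}", approver, on, residual=risk.residual())

    def close(self, risk_id: str, verifier: str, on: date, added_control: Optional[Control] = None) -> None:
        risk = self.risks[risk_id]
        if risk.treatment is None:
            raise ValueError(f"{risk_id}: choose a treatment before closing")
        if risk.treatment == "mitigate":
            if added_control is None:
                raise ValueError(f"{risk_id}: closing a mitigated risk requires the verified new control")
            risk.existing_controls.append(added_control)   # residual is recalculated from the new control set
        risk.status = "closed"
        self._log(risk_id, "closed", verifier, on, residual=risk.residual())

    def blocking_risks(self) -> List[str]:
        """Open risks with High residual; any entry here blocks go-live or renewal."""
        return sorted(r.risk_id for r in self.risks.values()
                      if r.status == "open" and band(r.residual()) == "High")

    def ready_for_phi_sharing(self) -> bool:
        return not self.blocking_risks()

    def prioritized(self) -> List[str]:
        """Risk IDs ordered by residual score, highest first: the order of the mitigation plan."""
        return [r.risk_id for r in sorted(self.risks.values(), key=lambda r: r.residual(), reverse=True)]


def build_sample_register() -> RiskRegister:
    """Constructed sample register for a fictional hosted-EHR vendor; every value is illustrative."""
    reg = RiskRegister()
    day = date(2026, 2, 10)
    reg.add(Risk("R-001", "Ransomware on vendor hosting platform", 4, 5, "Vendor Owner",
                 [Control("Immutable offsite backups", impact_reduction=2),
                  Control("EDR on vendor servers", likelihood_reduction=1)]), "Security Lead", day)
    reg.add(Risk("R-002", "Claims files sent over SFTP with shared credentials", 4, 4, "Integration Lead"),
            "Security Lead", day)
    reg.add(Risk("R-003", "Lost laptop with cached PHI", 2, 3, "Vendor Owner",
                 [Control("Full-disk encryption", impact_reduction=1)]), "Security Lead", day)
    reg.decide("R-001", "transfer", "CISO", day)
    reg.decide("R-002", "mitigate", "CISO", day)
    reg.decide("R-003", "accept", "CISO", day)
    return reg
```

Closing a mitigated risk takes the verified new control as an argument so that the residual score is recomputed from evidence rather than overwritten by hand; the audit trail then shows the before-and-after residual next to the approver and date for every decision.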

Ongoing Monitoring and Auditing

Risk management does not end at contract signature. Establish monitoring that matches vendor risk tier and keeps your Compliance Audit Trail current, demonstrating continuous diligence over PHI.

Step-by-step

  • Set cadence: High risk—quarterly reviews; Medium—annual; Low—biennial, or sooner after major changes or incidents.
  • Collect periodic attestations and metrics: vulnerability closure rates, patch timelines, access recertifications, backup/restore results, and incident summaries.
  • Track contract and BAA expirations; re‑assess after scope, system, or subcontractor changes.
  • Sample evidence: logs for privileged access, encryption settings, and training completion for staff handling PHI.
  • Escalate exceptions and require corrective actions with deadlines; verify completion before renewing services.

Template

  • Vendor | Risk tier | Review date | Items checked | Findings | Actions | Owner | Next review | Artifacts archived (Y/N)

Incident Response and Breach Notification

Prepare for vendor incidents with clear Breach Notification Procedures. Your BAA and runbooks should define who is notified, how quickly, what evidence is provided, and how corrective actions are verified.

Step-by-step

  • Define 24–72 hour vendor notification SLAs for suspected or confirmed incidents affecting PHI, with 24/7 contacts and escalation paths.
  • Require immediate containment steps, preliminary impact assessment, indicators of compromise, and data elements potentially exposed.
  • Coordinate response: forensics, root‑cause analysis, remediation, and validation testing before returning to normal operations.
  • Document regulatory considerations and public communications per policy and contract; record all steps in the Compliance Audit Trail.
  • Conduct a post‑incident review and update controls, training, and contracts as needed.

Template

  • Trigger | Time discovered | Vendor contact | Your incident lead | Affected PHI | Containment actions | Notifications sent | Root cause | Corrective actions | Closure date

Data Retention and Disposal Policies

Vendors must retain PHI only as long as necessary and dispose of it securely. Define retention schedules, storage locations, and approved sanitization methods to prevent unauthorized access or recovery.

Step-by-step

  • Specify retention periods for each PHI data type and legal/business requirement; include backups and archives.
  • Mandate secure disposal: cryptographic erasure, NIST‑aligned media sanitization, and verified destruction for paper and hardware.
  • Require Certificates of Destruction and chain‑of‑custody records for decommissioned media and terminated services.
  • Ensure return or destruction of PHI at contract end, as set in the Business Associate Agreement.
  • Periodically test restoration and deletion processes to confirm effectiveness.

Template

  • PHI type | System/location | Retention period | Disposal method | Proof required | Owner | Review date

Conclusion

By following this HIPAA Vendor Risk Assessment Checklist—from inventory and BAAs through controls testing, a concrete Risk Mitigation Plan, and strong Breach Notification Procedures—you create a repeatable, evidence‑backed program that safeguards Protected Health Information and stands up to audits.

FAQs

What is included in a HIPAA vendor risk assessment?

A complete assessment covers vendor inventory, BAAs, a Security Controls Assessment (administrative, physical, technical safeguards), a documented risk register with a Risk Mitigation Plan, ongoing monitoring requirements, incident response expectations, and data retention/disposal controls—each logged to your Compliance Audit Trail.

How do you classify vendors by risk level?

Score objective factors: PHI volume and sensitivity, access type (privileged/systemic vs. limited), integration depth and network exposure, service criticality, history of security issues, and Vendor Subcontractor Compliance complexity. Map totals to High/Medium/Low tiers with defined review cadences.

What is the role of a Business Associate Agreement in vendor management?

The Business Associate Agreement authorizes limited PHI use, requires safeguards, sets Breach Notification Procedures, enforces subcontractor flow‑downs, and defines termination/return‑destroy terms. It establishes audit rights and evidentiary artifacts that underpin your Compliance Audit Trail.
