HIPAA Vendor Risk Assessment Requirements Explained: What Covered Entities Must Do
HIPAA Risk Assessment Requirement
You must evaluate how every third party that creates, receives, maintains, or transmits electronic protected health information affects your risk posture. The HIPAA Security Rule requires an enterprise-wide risk analysis and ongoing risk management, and vendors handling ePHI are in scope. A vendor review is not optional or a one-time task—it is a core element of your security program.
What the Security Rule expects
Conduct a thorough risk analysis to identify reasonably anticipated threats, vulnerabilities, and the likelihood and impact of harm. Then implement security measures to reduce risk to a reasonable and appropriate level, document those decisions, and maintain them over time as part of risk analysis and management.
Include all safeguard categories
Your assessment should address administrative safeguards (policies, workforce training, access management), technical safeguards (authentication, encryption, audit logging, integrity controls), and physical safeguards (facility access, device and media controls). Vendors influence each safeguard category and must be reviewed accordingly.
Governance and documentation
Define roles, decision rights, and an approval workflow for vendor onboarding and ongoing reviews. Keep a vendor inventory, capture assessment evidence, and record decisions, exceptions, and remediation plans. Store artifacts so you can demonstrate due diligence during audits.
Vendor Risk Assessment Process
A consistent, repeatable process helps you compare vendors and remediate issues quickly. Use the steps below to build a defensible approach.
Step 1: Scoping and data flow mapping
- Identify what ePHI the vendor will handle, how it flows, where it’s stored, and who can access it.
- Classify the integration type (hosting, transmission, analytics, support) and business criticality.
Step 2: Due diligence questionnaire and evidence
- Collect policies and procedures covering administrative, technical, and physical safeguards.
- Request reports and attestations (e.g., SOC 2 Type II, HITRUST, ISO 27001), recent penetration tests, vulnerability scan summaries, and incident response plans.
Step 3: Control testing and gap analysis
- Validate encryption in transit and at rest, access controls, MFA, logging, and backup/restore tests.
- Evaluate staffing, training, and sanction policies for workforce members who access ePHI.
Step 4: Risk scoring and treatment
- Score inherent risk (before controls) based on data sensitivity and exposure; then assess residual risk after controls.
- Define remediation actions, owners, and deadlines; accept, mitigate, transfer, or avoid risks as appropriate.
Step 5: Contracting and onboarding
- Execute business associate agreements and security exhibits that reflect identified risks and required safeguards.
- Set service levels, breach notification timelines, audit rights, and compliance monitoring obligations.
Business Associate Agreements
When a vendor will create, receive, maintain, or transmit ePHI on your behalf, a business associate agreement is mandatory. The BAA operationalizes HIPAA by requiring specific safeguards and reporting duties.
Core BAA provisions to include
- Permitted and required uses and disclosures of ePHI, including minimum necessary expectations.
- Agreement to implement administrative, technical, and physical safeguards to protect ePHI.
- Obligation to report breaches and security incidents within defined timeframes and to cooperate in investigations.
- Flow-down requirement ensuring subcontractors agree to the same restrictions and safeguards.
- Support for individual rights: access, amendment, and accounting of disclosures, as applicable.
- Availability of records to regulators, plus return or destruction of ePHI upon termination when feasible.
- Right to terminate for material breach and obligation to cure or implement corrective action plans.
Common pitfalls to avoid
- Relying on a BAA without performing a risk assessment or ongoing compliance monitoring.
- Missing details on encryption, breach notification windows, audit logging, and right-to-audit clauses.
- Failing to require subcontractor compliance or transparency about downstream service providers.
Periodic Vendor Risk Assessments
Risks change as vendors evolve, systems update, and threats emerge. You should reassess vendors periodically based on risk tier and whenever key changes occur.
Frequency by risk tier
- High risk (stores or processes ePHI; mission-critical): assess at least annually.
- Moderate risk (transmits limited ePHI; compensating controls in place): every 18–24 months.
- Low risk (no ePHI or only de-identified data; minimal access): every 24–36 months.
Out-of-cycle triggers
- Security incidents or breaches; significant architecture or ownership changes; new products or features.
- Regulatory updates affecting administrative, technical, or physical safeguards.
Evidence to refresh
- Updated SOC/HITRUST reports, penetration tests, business continuity and disaster recovery tests.
- Training completion rates, policy revisions, asset inventories, and vulnerability management metrics.
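The tiering, cadence, and out-of-cycle rules above can be turned into a simple review scheduler. The following Python is an added example, not code from the original page or from Accountable: it tiers vendors by the criteria listed above, schedules the next review using the shorter end of each tier's range (an assumption; a stricter policy could pick any point in the range), and pulls the review forward to the date of any recorded out-of-cycle trigger. The vendor records, trigger labels, and the 28-day clamp in the month arithmetic are constructed for the example.

```python
"""Vendor review scheduler: added example, not the page's or Accountable's code."""
from dataclasses import dataclass, field
from datetime import date

# Cadence per tier in months. The page gives ranges for moderate (18-24) and
# low (24-36); assumption: the policy uses the shorter end of each range.
CADENCE_MONTHS = {"high": 12, "moderate": 18, "low": 24}
TIER_RANK = {"high": 0, "moderate": 1, "low": 2}
# Constructed labels for the page's out-of-cycle triggers.
OUT_OF_CYCLE = {"incident", "architecture_change", "ownership_change",
                "new_feature", "regulatory_update"}

@dataclass
class Vendor:
    name: str
    stores_or_processes_ephi: bool
    transmits_ephi: bool
    mission_critical: bool
    last_assessed: date
    events: list = field(default_factory=list)  # (date, trigger) since last review

def risk_tier(v: Vendor) -> str:
    """Tier per the page: stores/processes ePHI or mission-critical -> high;
    transmits limited ePHI -> moderate; no ePHI (or de-identified only) -> low."""
    if v.stores_or_processes_ephi or v.mission_critical:
        return "high"
    return "moderate" if v.transmits_ephi else "low"

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; day clamped to 28 to avoid invalid dates."""
    years, month0 = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month0 + 1, min(d.day, 28))

def next_due(v: Vendor) -> tuple:
    """Next review date and reason: the earliest out-of-cycle trigger recorded
    after the last assessment wins; otherwise the tier's scheduled cadence."""
    triggers = sorted((d, t) for d, t in v.events
                      if t in OUT_OF_CYCLE and d > v.last_assessed)
    if triggers:
        return triggers[0][0], f"out-of-cycle: {triggers[0][1]}"
    return add_months(v.last_assessed, CADENCE_MONTHS[risk_tier(v)]), "scheduled"

def review_queue(vendors: list, today: date) -> list:
    """Vendors whose review is due on or before today, highest tier first."""
    due = [v for v in vendors if next_due(v)[0] <= today]
    return sorted(due, key=lambda v: (TIER_RANK[risk_tier(v)], next_due(v)[0]))
```

Feed `review_queue` your vendor inventory and today's date to get the ordered list of overdue reviews; triggers dated before the last assessment are deliberately ignored because that review already covered them.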
Vendor Compliance Monitoring
Assessment at onboarding is not enough. Ongoing compliance monitoring ensures controls remain effective and issues are remediated promptly.
Continuous oversight practices
- Require periodic attestations, metrics, and event reporting aligned to your risk classification.
- Review SLAs and KPIs for system availability, backup success, patch timelines, and incident response.
- Exercise audit rights through document reviews, interviews, and, if needed, onsite assessments.
Issue management and remediation
- Log findings in a risk register with owners, due dates, and expected outcomes.
- Track corrective and preventive actions (CAPA) and verify closure with evidence.
What to monitor
- Access changes, privileged account reviews, encryption posture, and key management practices.
- Vulnerability backlogs, critical patch aging, failed backups, and recovery test results.
- Security incident volumes, root-cause trends, and lessons learned.
Vendor Security Practices Evaluation
Evaluate whether the vendor’s safeguards align with HIPAA’s standard of reasonable and appropriate protections. Look beyond policies to demonstrated practice and outcomes.
Administrative safeguards to verify
- Security governance, risk analysis and management processes, and documented procedures.
- Workforce screening, role-based access, training, and sanctions for violations.
- Third-party management, change control, and secure software development lifecycle practices.
Technical safeguards to verify
- MFA for administrative and remote access; least-privilege and periodic access reviews.
- Encryption of ePHI in transit and at rest; strong key management and HSM usage where appropriate.
- Audit logging, centralized monitoring, and alerting; integrity controls and anti-malware.
- Network segmentation, secure configurations, vulnerability scanning, and timely patching.
Physical safeguards to verify
- Facility access controls, visitor management, and surveillance appropriate to data sensitivity.
- Device and media controls, secure disposal, and hardware asset inventories.
- Environmental protections and data center resilience for hosted services.
Resilience and incident readiness
- Documented incident response plans with exercised playbooks and defined notification timelines.
- Business continuity and disaster recovery strategies with successful restoration tests and RTO/RPO targets.
Vendor Subcontractor Compliance
Many vendors rely on cloud, support, or analytics subcontractors. HIPAA requires that business associates ensure their subcontractors protect ePHI with the same restrictions and safeguards.
Flow-down obligations
- Require the vendor to disclose all subcontractors handling ePHI and execute BAAs with flow-down terms.
- Ensure downstream parties implement administrative, technical, and physical safeguards equivalent to yours.
Oversight and transparency
- Mandate prior approval for new subcontractors, breach notification, and right-to-audit provisions.
- Assess high-impact subcontractors directly or review independent assurance reports.
Practical tips
- Map full data flows, including storage, processing, and support paths.
- Include subcontractors in your vendor inventory and risk tiering.
- Set contractual caps on data residency changes and require timely notice of material changes.
Bringing it all together: include vendors in your enterprise risk analysis, execute strong business associate agreements, right-size the depth and frequency of reviews, and use compliance monitoring to keep safeguards effective over time.
FAQs
What is required in a HIPAA vendor risk assessment?
You must evaluate how the vendor’s services interact with ePHI, identify threats and vulnerabilities, and determine whether administrative, technical, and physical safeguards are reasonable and appropriate. Collect evidence (policies, security testing, certifications), score inherent and residual risk, document findings, and implement risk treatment plans before onboarding and throughout the relationship.
How often should vendor risk assessments be conducted?
Set frequency by risk tier: annually for high-risk vendors that store or process ePHI, every 18–24 months for moderate risk, and every 24–36 months for low risk. Perform out-of-cycle reviews after incidents, major system or ownership changes, new features, or regulatory updates.
What must be included in business associate agreements?
BAAs must specify permitted uses and disclosures, require safeguards for ePHI, mandate breach and incident reporting, flow down obligations to subcontractors, support individual rights (access, amendment, accounting), provide for regulator access, require return or destruction of ePHI at termination when feasible, and grant termination rights for material breach.
How can covered entities ensure vendor subcontractor compliance?
Require full subcontractor transparency, BAAs with equivalent protections, and prior approval for changes. Include right-to-audit and reporting duties, assess high-impact subcontractors, and monitor metrics like access reviews, patch timeliness, backup success, and incident trends. Incorporate subcontractors into your inventory, risk tiering, and continuous compliance monitoring.