Review goals
This template helps teams capture what the vendor does, what PHI exposure exists, and what safeguards or agreements are required before the vendor is approved. It applies to any vendor that may create, receive, maintain, or transmit protected health information (PHI) on your behalf, which is the test for whether the vendor is a business associate.
The review should answer three questions:
- Is this vendor a business associate for this use case?
- What PHI exposure or operational dependency exists?
- What contractual, security, and review steps are required before approval?
Recommended sections
- Service description
- PHI involvement and data flow
- Access model and personnel exposure
- Security controls and evidence requested
- Contract or BAA status
- Renewal review date
- Business owner and system owner
- Subcontractor or subprocessor involvement
- Incident notification commitments
- Data retention and deletion expectations
- Open risks or required mitigations
Why this matters
Business associate oversight should be visible as part of the ongoing vendor program, not rediscovered during diligence.
Suggested template
| Section | Questions to capture |
|---|---|
| Vendor purpose | What service does the vendor provide, which team uses it, and who are the business owner and system owner? |
| PHI exposure | Does the vendor create, receive, maintain, or transmit PHI? If not, why not? |
| Data flow | Which systems send PHI to the vendor, where is it stored and processed, and does any of it flow on to a subcontractor or subprocessor? |
| Access model | Which vendor personnel (and subcontractor personnel) can access data, and under what controls? |
| Safeguards | What encryption, logging, access, and monitoring controls exist, and what evidence (for example an independent audit report or penetration test summary) was requested and received? |
| Contract status | Is a BAA required, signed, or pending? Where is the signed copy kept? |
| Incident notice | How and within what time frame will the vendor notify you of incidents, and is that commitment written into the BAA? |
| Retention and deletion | How long does the vendor keep PHI, and how is deletion or return at termination confirmed? |
| Open risks | What gaps were found, what mitigation is required, and who owns it? |
| Review cadence | When should the vendor be reassessed, and which changes (new data flow, new subprocessor, incident) trigger an earlier review? |
Approval outcomes
Use consistent outcomes:
- Approved: all required evidence and agreements are in place, including a signed BAA where one is required.
- Approved with condition: limited use is allowed while a defined action, with a named owner and due date, is completed. A missing BAA is never a condition; PHI use without a signed BAA stays blocked.
- Blocked: PHI use cannot begin until the contract or security gaps are resolved.
- Not a business associate: document the rationale (for example, the vendor never handles PHI, or only transports it without accessing it under the narrow conduit exception) and apply normal vendor controls.
Evidence to preserve
Keep the BAA, security evidence, review notes, owner approval, risk tier, and renewal date together. If the vendor is later involved in an incident, customer review, or audit question, the team should not have to reconstruct the decision from email.