HIPAA business associate review template

A review structure for third parties that can create, receive, maintain, or transmit PHI on your behalf.

By Sarah Jenkins

Regulatory & Compliance Analyst · 6 min read

Review goals

This template helps teams capture what the vendor does, what PHI exposure exists, and what safeguards or agreements are required. It is meant for vendors that may create, receive, maintain, or transmit PHI on your behalf.

The review should answer three questions:

  • Is this vendor a business associate for this use case?
  • What PHI exposure or operational dependency exists?
  • What contractual, security, and review steps are required before approval?

Recommended sections

  • Service description
  • PHI involvement and data flow
  • Access model and personnel exposure
  • Security controls and evidence requested
  • Contract or BAA status
  • Renewal review date
  • Business owner and system owner
  • Subcontractor or subprocessor involvement
  • Incident notification commitments
  • Data retention and deletion expectations
  • Open risks or required mitigations

Why this matters

Business associate oversight should be visible as part of the ongoing vendor program, not rediscovered during diligence.

Suggested template

Each section of the template and the questions it should capture:

  • Vendor purpose: What service does the vendor provide and which team uses it?
  • PHI exposure: Does the vendor create, receive, maintain, or transmit PHI?
  • Data flow: Which systems send PHI to the vendor and where does it go?
  • Access model: Which vendor personnel can access data and under what controls?
  • Safeguards: What encryption, logging, access, and monitoring controls exist?
  • Contract status: Is a BAA required, signed, or pending?
  • Incident notice: How and when will the vendor notify you of incidents?
  • Review cadence: When should the vendor be reassessed?

Approval outcomes

Use consistent outcomes:

  • Approved: all required evidence and agreements are in place.
  • Approved with condition: limited use allowed while a defined action is completed.
  • Blocked: PHI use cannot begin until contract or security gaps are resolved.
  • Not a business associate: document the rationale for that determination and apply the standard vendor controls that would apply to any third party.

For conditional approvals, set an expiration date for the condition and name the owner responsible for closing it. Open-ended exceptions are hard to defend later.

Evidence to preserve

Keep the BAA, security evidence, review notes, owner approval, risk tier, and renewal date together. If the vendor is later involved in an incident, customer review, or audit question, the team should not have to reconstruct the decision from email.
