Healthcare Vendor Risk Assessment Template + Tier Matrix (45 CFR § 164.502(e), § 164.504(e))
12 min read · Last reviewed May 23, 2026
A healthcare vendor risk assessment is the documented evaluation of every business associate or vendor that touches ePHI, sized to the data flow. The federal baseline is 45 CFR § 164.502(e) (BAA required), 45 CFR § 164.504(e) (BAA content), and the risk-management requirement at § 164.308(a)(1)(ii)(B).
What HHS actually requires
The HIPAA rule trifecta on vendors:
- § 164.502(e) — covered entities may disclose PHI to a business associate only with satisfactory assurances that the BA will appropriately safeguard the information. The "satisfactory assurance" is the BAA.
- § 164.504(e) — the BAA must include specific clauses: permitted PHI uses, no further use or disclosure, appropriate safeguards, breach reporting, subcontractor flow-down, access by HHS, and termination.
- § 164.308(a)(1)(ii)(B) — the risk management implementation specification requires reducing risks and vulnerabilities to a reasonable and appropriate level. Vendor risk is a category of risk.
In our analysis of 400+ d3rx client binders, vendor inventories underestimate scope by 30-50%. The EHR and PM are always listed; the fax-to-email gateway, the transcription service, the appointment-reminder vendor, the cloud backup, the IT support contractor, the document-shredding vendor, and the medical waste vendor (which sees patient-identified labels) are often missing. OCR Resolution Agreements implicating vendor management: Raleigh Orthopaedic Clinic ($750K, no BAA with a contracted image conversion vendor), Care New England ($400K, no BAA), CHCS ($650K, no BAA with the cloud vendor), and Anthem ($16M, vendor patch management failures contributing).
The four entities every credible vendor risk assessment references: the HHS Office for Civil Rights (OCR), NIST SP 800-161 Rev. 1, the HITRUST CSF, and AICPA SOC 2 Type II.
Tier matrix
| Tier | Definition | Assessment depth | Reassess | |---|---|---|---| | Tier 1 — Critical | Vendor processes >10K records OR has standing privileged access OR core clinical workflow depends on it (EHR, PM, identity provider, RCM, lab interface, telehealth) | Full questionnaire + SOC 2 Type II + HITRUST or equivalent + sub-processor inventory + breach-notice clause ≤ 30 days + DR/BCP attestation + pen-test summary | Annually | | Tier 2 — Significant | Vendor processes 1K-10K records OR has scoped PHI access (transcription, secure messaging, document management, eFax, imaging cloud, appointment reminders with PHI) | Short questionnaire + SOC 2 Type II or HITRUST + breach-notice clause ≤ 45 days + encryption attestation | Every 18 months | | Tier 3 — Standard | Vendor incidental access or limited PHI (shred service, medical waste, IT break-fix without remote access, payment processor for non-PHI fields) | Brief questionnaire + BAA + insurance certificate | Every 2 years | | Tier 4 — De minimis | No PHI access despite physical proximity (commercial cleaning, HVAC, snow removal) — no BAA required if PHI access is incidental and reasonable safeguards in place | Confidentiality acknowledgement; no formal assessment | On change |
Template — section by section
Section 1 — Vendor inventory tab (Appendix A)
The core artifact. One row per vendor. This is the single document OCR investigators ask for first when reviewing vendor management.
| Vendor | Service | PHI flow | Records (~) | Tier | BAA on file (date / version) | SOC 2 / HITRUST | Sub-processors | Encryption attestation | Breach-notice window | Last reassessed | Next due | Owner | |---|---|---|---|---|---|---|---|---|---|---|---|---| | <EHR vendor> | EHR | Both | full pop | 1 | 2024-06-01 / v3 | SOC 2 II + HITRUST r2 | AWS, Twilio | AES-256 at rest, TLS 1.3 | 30 d | 2026-04-15 | 2027-04-15 | Sec Officer | | <PM vendor> | PM/billing | Both | full pop | 1 | 2024-08-01 / v2 | SOC 2 II | AWS | AES-256 / TLS 1.2+ | 30 d | 2026-04-15 | 2027-04-15 | Sec Officer | | <Cloud backup> | Backup | Stored | full pop | 1 | 2025-01-15 / v1 | SOC 2 II + ISO 27001 | own DC | AES-256 / TLS 1.2+ | 30 d | 2026-05-01 | 2027-05-01 | Sec Officer | | <Transcription> | Dictation | Both | dictating providers | 2 | 2024-09-01 / v2 | SOC 2 II | Azure | AES-256 / TLS 1.2+ | 45 d | 2025-12-01 | 2027-06-01 | Privacy | | <Telehealth> | Video visits | Transmit | encounters | 2 | 2024-11-01 / v2 | HITRUST i1 | own + Twilio | E2E + AES-256 | 30 d | 2026-03-15 | 2027-09-15 | Sec Officer | | <Secure msg> | Clinical msg | Both | active users | 2 | 2024-07-01 / v1 | SOC 2 II | AWS | AES-256 / TLS 1.2+ | 45 d | 2025-11-15 | 2027-05-15 | Sec Officer | | <Reminder svc> | Patient SMS | Transmit | active patients | 2 | 2025-02-01 / v2 | SOC 2 II | Twilio | TLS 1.2+ | 45 d | 2026-02-15 | 2027-08-15 | Privacy | | <Fax-to-email> | Fax gateway | Both | inbound vol | 2 | 2024-10-01 / v1 | SOC 2 II | own | AES-256 / TLS 1.2+ | 45 d | 2025-12-15 | 2027-06-15 | Sec Officer | | <Shred service> | Doc destruction | Physical | shredded daily | 3 | 2024-12-01 / v1 | none | n/a | n/a | 60 d | 2025-12-01 | 2027-12-01 | Office mgr | | <IT break-fix> | Workstation support | Both | as needed | 2 | 2025-03-01 / v1 | SOC 2 II | n/a | n/a | 30 d | 2026-03-01 | 2027-09-01 | Sec Officer | | <Medical waste> | Reg waste | Physical (labeled) | pickups | 3 | 2024-09-15 / v1 | none | n/a | n/a | 60 d | 2025-09-15 | 2027-09-15 | Office mgr |
Section 2 — Vendor Security Questionnaire (Appendix B, short form)
Send this to every Tier 1 and Tier 2 vendor on initial onboarding and at every reassessment.
``` HEALTHCARE VENDOR SECURITY QUESTIONNAIRE
Section A — Identity and Scope A1. Legal entity name and address: ____________________________ A2. Primary security contact (name, title, email, phone): ________ A3. Services provided to [Practice Name]: ______________________ A4. PHI elements processed (check all): □ name □ DOB □ MRN □ SSN □ payment info □ diagnoses □ medications □ images □ encounter notes □ lab results □ insurance info A5. PHI flow: □ Created □ Received □ Stored □ Transmitted A6. Estimated annual record volume: ____________________________ A7. Geographic location(s) where PHI is stored: ________________
Section B — Compliance Certifications B1. Current SOC 2 Type II report? □ Yes (period: _______) □ No B2. Current HITRUST CSF certification? □ i1 □ r2 □ No B3. Most recent independent penetration test (date): _____________ B4. ISO 27001 or other certifications: __________________________ B5. Any open enforcement actions or government investigations? □ No □ Yes (explain): ______________________________________
Section C — Sub-processors and Supply Chain C1. Critical sub-processors used to deliver this service: ________________________________________________________ C2. Sub-processor BAAs or equivalent on file? □ Yes □ No C3. Sub-processor change notification commitment to practice: □ 30 d □ 60 d □ 90 d □ No commitment
Section D — Encryption D1. Algorithm at rest: __________________________________________ D2. Key management: □ vendor-managed □ customer-managed (BYOK) D3. Algorithm in transit: _______________________________________ D4. FIPS 140-2/140-3 validated module? □ Yes □ No
Section E — Access Controls E1. MFA required for all employees with PHI access? □ Yes □ No E2. Least-privilege access reviewed how often: _____________ E3. Privileged-account session recording? □ Yes □ No E4. Joiner/mover/leaver SLA: _____________________________
Section F — Logging and Monitoring F1. Audit logs retained how long: _____________________________ F2. Customer log export available? □ Yes □ No F3. 24×7 SOC? □ in-house □ outsourced (name): ___________
Section G — Incident Response and Breach Notice G1. Documented IR plan tested how often: _______________________ G2. Last tabletop date: ______________________________ G3. Commitment to notify [Practice Name] of a breach within: □ 24h □ 48h □ 72h □ 7d □ 30d □ Other: _____________
Section H — Business Continuity / Disaster Recovery H1. RPO for our data: _____________________________ H2. RTO: _____________________________ H3. Last DR test date: _____________________________ H4. SLA uptime commitment: _____________________________
Section I — Workforce I1. Background checks on workforce with PHI access? □ Yes □ No I2. Annual HIPAA training for all workforce? □ Yes □ No I3. Sanction policy applied to workforce? □ Yes □ No
Section J — Termination J1. Data return or destruction commitment on termination? □ Return □ Destroy □ Either at practice election J2. Data return / destruction SLA: ____________________________ J3. Certificate of destruction provided? □ Yes □ No
Section K — Insurance K1. Cyber liability coverage limit: ____________________________ K2. E&O coverage limit: ________________________________________
Completed by: ____________________ Title: ________________ Vendor representative signature: ____________________________ Date: ____________________ ```
Section 3 — Risk scoring
``` VENDOR RISK SCORE Vendor: ____________________________ Tier: __
Scoring (1 = low risk, 5 = high risk): PHI volume: __ Privileged access level: __ Geographic risk (data location): __ Sub-processor exposure: __ Certification posture (5 = none, 1 = SOC2+HITRUST): __ Encryption posture: __ Incident history (24 mo): __ Termination data-return: __
Inherent risk score (sum): __
Mitigating controls (subtract): BAA executed with breach window ≤ 30d: -2 Annual reassessment in last 12 mo: -1 Practice-side network segmentation: -1 Least-privilege role enforced: -1
Residual risk score: __
Decision: □ Approved as-is □ Approved with remediation (see plan below) □ Conditional — re-review at __________ □ Reject — vendor change required
Remediation plan: ________________________________________________________________ Approving officer: ____________________ Date: ________ ```
Section 4 — Vendor offboarding (Appendix C)
``` VENDOR OFFBOARDING CHECKLIST Vendor: ________________ Termination effective: ________
□ Written termination notice sent (date: ______) □ Sub-processor termination cascade confirmed □ Data return requested in vendor-readable format □ OR data destruction requested □ Certificate of destruction received (date: ______) □ Vendor accounts disabled in practice systems □ Access tokens / API keys revoked □ Inbound/outbound network rules removed □ Final invoice processed □ BAA filed as terminated in vendor inventory □ Practice records archived; retention clock started
Completed by: ____________________ Date: ________ ```
How to deploy
The deployment sequence: open the practice's accounts-payable register for the last 18 months and list every vendor; classify each by data flow into tiers; verify a BAA exists for every Tier 1, 2, and 3 vendor; send the Vendor Security Questionnaire to every Tier 1 and Tier 2 vendor without a refresh in the last 12 months; complete the inventory tab; score residual risk for the top-10 vendors first; book the annual cadence on the calendar.
The fastest measurable improvement is the AP-register walk. Most practices we work with discover three to seven vendors that touch ePHI and were missing from the existing inventory. Closing the BAA gap on those vendors removes the highest-EV OCR exposure category in vendor management.
Common gaps
The five most common defects from binder review:
- Inventory missing 30-50% of in-scope vendors. Transcription, fax-to-email, RCM, IT support, document management, appointment reminders, medical waste — at least one is usually missing.
- BAA in file but no underlying assessment. The legal contract exists; the diligence record does not. OCR investigators read this as relying on the contract alone.
- SOC 2 Type II in the file is stale. The report covers an audit period that ended 14 months ago; no current report has been requested.
- No sub-processor disclosure. The Tier 1 vendor's BAA flows down to sub-processors per § 164.502(e)(1)(ii); the practice has no inventory of who those sub-processors are.
- Termination workflow undefined. Vendor is replaced; old vendor's access tokens are never revoked; access logs continue to show activity from the replaced vendor for months.
Maintenance cadence
- Monthly: review the AP register for new vendors; intake any new vendor through the questionnaire before granting access.
- Quarterly: spot-check 3 vendors at random for BAA currency and SOC 2 date.
- Annually: full Tier 1 reassessment; refresh the inventory tab; review the residual-risk scores against any incidents during the year.
- Every 18 months: Tier 2 reassessment.
- Every 2 years: Tier 3 reassessment.
- On any vendor breach: immediate reassessment regardless of cadence; trigger the breach-risk-assessment workflow under § 164.402.
- On every termination: offboarding checklist within 14 days.
State preemption note: Multiple states layer obligations on top of HIPAA's vendor framework. California's CMIA treats vendor disclosure as a CMIA event with stricter consent rules. NY SHIELD requires written agreements with vendors handling private information. Texas HB 300 and Florida FIPA layer breach-notice timelines independent of HIPAA's 60-day window. A vendor breach can trigger four notification clocks at once.
How d3rx fits
The d3rx compliance binder generates the vendor inventory, the tier matrix, the security questionnaire, the risk scoring rubric, and the offboarding checklist with § 164.502(e), § 164.504(e), and NIST SP 800-161 cited inline. The practice's Security and Privacy Officers remain responsible for evaluating vendor responses, deciding tier assignments, and executing offboarding.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Healthcare Vendor Risk Assessment Template + Tier Matrix (45 CFR § 164.502(e), § 164.504(e)). We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Do I need a vendor risk assessment for every BAA, or just the EHR?
Every vendor that creates, receives, maintains, or transmits ePHI on the practice's behalf is in scope under [§ 164.502(e)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502). Risk assessment scope and depth tier by ePHI volume and access type. The EHR vendor (Tier 1) gets full SOC 2 + HITRUST + penetration test review; the appointment-reminder vendor (Tier 3) gets a shorter security questionnaire plus BAA. What practices most often miss is the transcription vendor that touches every dictation, the fax-to-email gateway, and the RCM vendor with full claims-data access — all Tier 1 or Tier 2 by data flow.
Is a SOC 2 Type II report sufficient evidence of vendor security?
It is necessary for Tier 1 and Tier 2 vendors and not sufficient on its own. SOC 2 Type II reports demonstrate the vendor's controls operated effectively over a period (typically 6-12 months), but they do not include a healthcare-specific control set. For a HIPAA-relevant assessment, pair the SOC 2 Type II with a HITRUST CSF certification, a HIPAA mapping, or a completed Vendor Security Questionnaire (Appendix B). HITRUST i1 or r2 certifications add the HIPAA mapping the SOC 2 lacks.
How does NIST SP 800-161 supply chain risk fit in?
[NIST SP 800-161 Revision 1](https://csrc.nist.gov/publications/detail/sp/800-161/r1/final) is the federal cybersecurity supply chain risk management (C-SCRM) standard. HHS does not require it by name. OCR investigators treat it as the framework for evaluating fourth-party (sub-processor) risk — the cloud vendor your EHR depends on, the email provider your secure-messaging vendor depends on. Tier 1 vendors should disclose their critical sub-processors; the practice's assessment includes a sub-processor inventory row in the vendor file.
What if a critical vendor refuses to sign a BAA or refuses the security questionnaire?
Two paths. First, evaluate whether an alternative vendor with a BAA is available; switching cost is almost always lower than the OCR exposure from running an unsigned-BAA vendor. Second, if no alternative exists (rare for clinical software), document the decision under [§ 164.308(a)(1)(ii)(B)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308), restrict the vendor's PHI access to the minimum necessary, and escalate to counsel. OCR's enforcement record disfavors knowingly running ePHI through a vendor without a BAA — Care New England ($400K) and Raleigh Orthopaedic ($750K) both involved missing BAAs.
How often should I reassess a vendor?
Tier 1 annually with a full questionnaire refresh and current SOC 2 or HITRUST in file. Tier 2 every 18 months. Tier 3 every two years or on material change. On any vendor breach (the vendor itself reports an incident), reassess immediately regardless of cadence. Practices most often miss the cadence on long-tenured Tier 1 vendors — the EHR vendor signed a BAA in 2018, no one has refreshed the file since, the SOC 2 in the binder is six years stale.
Does a vendor's HITRUST certification replace my own risk assessment?
No. The vendor's certification documents the vendor's controls; the practice's risk assessment documents how the practice's data and workflows interact with the vendor. The questions the practice owns: minimum-necessary scope of access, off-platform PHI flows (exports, support tickets, screenshots), sub-processor disclosure, breach-notification timeline tighter than HIPAA's, termination data-return procedure. HITRUST does not answer those for the specific practice; the practice's assessment must.
What's the difference between a BAA and a vendor risk assessment?
The BAA is the contract under [§ 164.504(e)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504); the vendor risk assessment is the diligence file that supports the contract. The BAA is a yes/no audit element — either it exists or it does not. The risk assessment is the evidence that the practice has evaluated the vendor's controls and is not relying on the contract alone.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.502(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
- 45 CFR § 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504
- § 164.308(a)(1)(ii)(B)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- NIST SP 800-161 Rev. 1https://csrc.nist.gov/publications/detail/sp/800-161/r1/final
- § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
- California's CMIAhttps://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=1.&title=&part=2.6.&chapter=&article=
- NY SHIELDhttps://ag.ny.gov/internet/data-breach
- Texas HB 300https://www.hhs.texas.gov/regulations/rules/hb-300-medical-records-privacy
- Florida FIPAhttp://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Business Associate Agreement Template (2026) + Counterparty Tracker
10 min readCompliance FoundationsSecurity Risk Analysis Template (2026): What Auditors Actually Want
8 min readCompliance FoundationsHIPAA Encryption Policy Template (45 CFR § 164.312(a)(2)(iv) + (e)(2)(ii))
9 min readRelated across the archive
- ComplianceBusiness Associate Agreement Template (2026) + Counterparty TrackerA 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.
- ComplianceHIPAA Encryption Policy Template (45 CFR § 164.312(a)(2)(iv) + (e)(2)(ii))2026 HIPAA encryption policy template — 45 CFR § 164.312(a)(2)(iv) at-rest, § 164.312(e)(2)(ii) in-transit, NIST SP 800-111 algorithms, key management.
- ComplianceSecurity Risk Analysis Template (2026): What Auditors Actually WantA 2026 HIPAA Security Risk Analysis template auditors actually read: NIST SP 800-30 scoring, ePHI asset inventory, every required 164.308 field, threat list.
- ComplianceRecent OCR Settlements: What HHS Actually Penalizes (2025)Risk Analysis Initiative, ransomware, right-of-access. The deficiency patterns driving recent OCR Resolution Agreements and what they cost.
- SRACMS Promoting Interoperability and the Security Risk Analysis AttestationHow the CMS Promoting Interoperability program (formerly Meaningful Use) requires a HIPAA Security Risk Analysis for each EHR reporting period, what the attestation actually claims, and how CMS audits it after the fact.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.