Vendor Risk Assessment
The process of evaluating a vendor's security and privacy posture before sharing PHI or granting system access.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
The HIPAA Security Rule does not specify a vendor risk assessment but it is a defensible practice. SIG / SIG Lite questionnaires, SOC 2 reports, and HITRUST certifications are common inputs.
How it shows up in your practice
Tier vendors by risk (PHI access, system access, financial). Higher-tier vendors get deeper review and annual re-validation.
Sources
- NIST SP 800-66 Rev. 2https://csrc.nist.gov/pubs/sp/800/66/r2/final
- HHS — Business Associateshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Run vendor assessments in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- HIPAA & PrivacyBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- SecuritySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- SecurityThird-Party Risk Management (TPRM)The broader program of identifying, assessing, monitoring, and mitigating risks introduced by third-party relationships.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossarySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- GlossaryBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- GlossaryBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- GlossaryThird-Party Risk Management (TPRM)The broader program of identifying, assessing, monitoring, and mitigating risks introduced by third-party relationships.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- RegulationNIST Cybersecurity Framework 2.0The 2024 update to the NIST CSF added the Govern function alongside Identify, Protect, Detect, Respond, and Recover — providing a common language for organizational cybersecurity risk management.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.