BAA Vendor Tracking Template
TLDR
Every vendor that touches PHI needs a signed BAA, and most small clinics cannot say which of their vendors have one. Only 24% of small practices have evaluated all their BAAs. Missing BAAs are among the most common violations cited in OCR enforcement actions. This template gives you a single tracker for vendor name, PHI access type, BAA status, execution dates, renewal dates, and risk tiers so you can answer an auditor's questions in under five minutes.
What This Template Tracks and Why
Only 24% of small medical practices have evaluated all their Business Associate Agreements (NueMD, 2014). Missing BAAs are among the most common HIPAA violations, cited in OCR enforcement actions resulting in median penalties of $20,000–$35,000.
A Business Associate Agreement is a contract between your practice (the covered entity) and any vendor (the business associate) that creates, receives, maintains, or transmits protected health information on your behalf. Under HIPAA, disclosing PHI to a vendor without a signed BAA is itself a violation on your part, whether or not the vendor ever mishandles the data.
Most small clinics know they need BAAs with their EHR vendor and their billing service. What they miss are the dozen other vendors who also touch PHI: the IT support company with remote access to your network, the cloud storage service where a staff member uploaded a spreadsheet with patient names, the answering service that takes after-hours calls with patient details.
This template creates a single source of truth for every vendor relationship that involves PHI. It tracks:
- Vendor identification and contact information
- What service they provide and what PHI they access
- BAA execution status and dates
- Risk classification
- Review and renewal schedule
Update this tracker whenever you onboard a new vendor, and review it quarterly to catch expired agreements and new vendors that slipped through without a BAA.
The Vendor Tracking Table
This is the core of the template. One row per vendor.
| # | Vendor Name | Service Provided | PHI Access Type | BAA Status | Execution Date | Renewal/Review Date | Risk Tier | Notes |
|---|---|---|---|---|---|---|---|---|
| 1 | [EHR vendor] | Electronic health records | Full patient records, demographics, clinical data | Signed | [Date] | [Date] | High | Cloud-hosted, primary clinical system |
| 2 | [Billing service] | Medical billing and coding | Patient demographics, insurance info, diagnosis codes | Signed | [Date] | [Date] | High | Third-party billing company |
| 3 | [IT support] | Network and system maintenance | Potential access to all ePHI on network | Pending | — | — | High | Has remote access to servers |
| 4 | [Cloud storage] | File storage | Varies by what staff upload | Not requested | — | — | Medium | Staff may store documents with PHI |
| 5 | [Answering service] | After-hours phone support | Patient names, callback numbers, reason for call | Signed | [Date] | [Date] | Medium | |
| 6 | [Shredding service] | Document destruction | Paper records with PHI | Signed | [Date] | [Date] | Low | Certificate of destruction on file |
| 7 | [Email provider] | Email hosting | Any PHI transmitted via email | Signed | [Date] | [Date] | High | Verify encryption capabilities |
BAA Status values:
- Signed: executed BAA on file
- Pending: BAA requested but not yet returned
- Not requested: vendor has been identified as needing a BAA but the request has not been sent
- Not required: vendor does not meet the business associate definition (document why in the Notes column). Be strict here: the conduit exception covers only carriers that move PHI transiently without storing it, such as the postal service or an internet service provider. A cloud provider that stores your files is a business associate even if it never opens them and holds only encrypted data.
- Refused: vendor declined to sign a BAA (requires a decision: move to a vendor that will sign, or stop sharing PHI with this one; continuing to send PHI without a BAA is not a risk you can accept, it is a violation)
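The quarterly review described above (catching expired agreements, vendors that slipped through without a BAA, and status values that do not match the list) can be run from the tracker itself once it is kept as a CSV with the columns of the table above. The script below is an added example, not part of the original template: its vendor rows are constructed sample data, and the column names, the 90-day warning window and the fixed review date are assumptions you would adjust for your own tracker.

```python
"""Quarterly review of the BAA vendor tracker.

Added example, not part of the original template. Loads the tracker as CSV,
validates the BAA Status column against the template's five allowed values,
and reports the rows an auditor would ask about first. Column names follow the
table above; the vendor rows are constructed sample data (assumption).
"""
import csv
import io
from datetime import date, timedelta

ALLOWED_STATUS = {"Signed", "Pending", "Not requested", "Not required", "Refused"}

# Fixed review date so the example is reproducible (assumption; use date.today() in practice).
REVIEW_DATE = date(2025, 4, 1)

# Constructed sample tracker in the template's column layout; dates are ISO 8601.
SAMPLE_TRACKER = """\
Vendor Name,Service Provided,PHI Access Type,BAA Status,Execution Date,Renewal/Review Date,Risk Tier,Notes
EHR vendor,Electronic health records,Full patient records,Signed,2023-03-01,2024-03-01,High,Cloud-hosted
Billing service,Medical billing and coding,Demographics and insurance,Signed,2024-01-15,2026-01-15,High,
IT support,Network maintenance,All ePHI on network,Pending,,,High,Has remote access to servers
Cloud storage,File storage,Varies by upload,Not requested,,,Medium,
Answering service,After-hours phone support,Names and callback numbers,Signed,2024-06-01,2025-06-15,Medium,
Shredding service,Document destruction,Paper records,Signed,2024-02-01,2026-02-01,Low,Certificate on file
Courier,Overnight delivery,Sealed envelopes only,Not required,,,Low,
Fax service,Cloud fax,Referrals and lab results,Refused,,,High,
Telehealth platform,Video visits,Visit recordings,Verbal agreement,,,High,
"""


def parse_tracker(text):
    """Return the tracker rows as a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """Parse an ISO date cell; an empty cell means no date was recorded."""
    return date.fromisoformat(value) if value else None


def review_tracker(rows, today, warn_days=90):
    """Return a dict mapping finding category to the vendor names in it.

    invalid_status - status is not one of the template's five values
    missing_baa    - vendor touches PHI but has no executed BAA
    missing_dates  - Signed, but execution or renewal date not recorded
    expired        - renewal/review date has already passed
    due_soon       - renewal/review date falls within warn_days
    undocumented   - 'Not required' with no justification in Notes
    """
    categories = ("invalid_status", "missing_baa", "missing_dates",
                  "expired", "due_soon", "undocumented")
    findings = {c: [] for c in categories}
    for row in rows:
        name = row["Vendor Name"]
        status = row["BAA Status"].strip()
        if status not in ALLOWED_STATUS:
            findings["invalid_status"].append(name)
            continue
        if status in ("Pending", "Not requested", "Refused"):
            findings["missing_baa"].append(name)
        elif status == "Not required" and not row["Notes"].strip():
            findings["undocumented"].append(name)
        elif status == "Signed":
            executed = parse_date(row["Execution Date"])
            renewal = parse_date(row["Renewal/Review Date"])
            if executed is None or renewal is None:
                findings["missing_dates"].append(name)
            elif renewal < today:
                findings["expired"].append(name)
            elif renewal - today <= timedelta(days=warn_days):
                findings["due_soon"].append(name)
    return findings


def high_risk_without_baa(rows):
    """High-tier vendors whose BAA is not executed: the first rows to fix."""
    return [r["Vendor Name"] for r in rows
            if r["Risk Tier"].strip() == "High" and r["BAA Status"].strip() != "Signed"]


def run_review(text=SAMPLE_TRACKER, today=REVIEW_DATE, warn_days=90):
    """Convenience entry point: (findings by category, high-risk vendors without a BAA)."""
    rows = parse_tracker(text)
    return review_tracker(rows, today, warn_days), high_risk_without_baa(rows)


if __name__ == "__main__":
    findings, high_risk = run_review()
    for category, vendors in findings.items():
        if vendors:
            print(f"{category}: {', '.join(vendors)}")
    print("high-risk vendors without an executed BAA:", ", ".join(high_risk))
```

Run it after each quarterly update of the tracker; a non-empty `invalid_status` list usually means someone typed a status the template does not define (such as a verbal agreement), which is exactly the kind of entry an auditor will not accept as a BAA.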
Q&A
What does the BAA Vendor Tracking Template include?
The template provides a single tracker for vendor name, PHI access type, BAA status, execution dates, renewal dates, and risk tiers. It covers the dozen-plus vendor relationships most small clinics miss beyond their EHR and billing service, including IT support, cloud storage, and answering services that handle patient details.