Business Associate (BA)/Vendor name

Reviewer initials

Internal AP account # (if applicable)

Date reviewed

Date of original contract/agreement

Remediation pending? [Y/N]

Renewal/expiration date of original contract/agreement

Initial review status

Internal Business Lead/Department Overseeing Vendor/BA

Final review status

Type of service provided by vendor/BA

Risk level of vendor/BA

Business Associate Agreement (BAA) on-file? (Y/N)

Format of BAA (hard copy, electronic)

Is the BAA fully executed? (Y/N, if no, describe deficiency)

If yes to BAA, date executed by CE & Name of Designee

If yes to BAA, date executed by BA & Name of Designee

Do the parties executing the BAA still represent the organizations? (Y/N)

Is the contact information for notifications accurate for both parties? (Y/N)

What is the time frame for the BA to notify the CE of a security incident or breach of PHI?

What is the method of notification? (U.S. mail, fax, hand delivery, overnight, etc.)

Is the BAA boilerplate (HHS OCR Sample Template, no special provisions)? (Y/N)

If the BAA contains special/custom terms, do the terms include indemnification for losses? If yes, how much?

If the BAA contains special/custom terms, do the terms include cyberinsurance? If yes, how much?

Other custom terms?

Are there terms in the Master Services Agreement or contract that potentially conflict with the BAA? (Y/N)

If yes to conflicting terms, provide examples.