What Clauses Require Annual Subcontractor Security Reviews?

What Clauses Require Annual Subcontractor Security Reviews?

Use a hipaa annual subcontractor security review clause to require documented yearly reviews, evidence, audit access, and remediation rights.

LakeRidge Team
July 17, 2026
9 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

No HIPAA provision literally mandates an annual subcontractor review, but a hipaa annual subcontractor security review clause can contractually require one by combining Security Rule evaluation duties, subcontractor flow-down obligations, evidence requirements, audit rights, and termination remedies. For an OCR audit response, the strongest language requires a business associate to review each subcontractor that creates, receives, maintains, or transmits ePHI at least every 12 months and after a material security or operational change.

Why does a hipaa annual subcontractor security review clause need flow-down language?

HIPAA’s Security Rule evaluation standard at 45 CFR 164.308(a)(8) requires a covered entity or business associate to perform periodic technical and nontechnical evaluations and to repeat those evaluations when environmental or operational changes affect ePHI security. The rule does not set an annual interval and does not prescribe a vendor questionnaire. It does, however, create a defensible basis for requiring periodic reassessment of the security controls that protect ePHI across the service-delivery chain.

For subcontractors, the contractual foundation is equally important. Under HIPAA’s business associate contract requirements, a business associate must obtain satisfactory assurances from a subcontractor that the subcontractor will appropriately safeguard ePHI. A primary BAA that only says the business associate will “ensure compliance” leaves the covered entity with little proof that the assurance was tested after onboarding.

A flow-down provision should therefore do more than require every downstream party to sign a BAA. It should require the business associate to impose equivalent safeguards, review the subcontractor on a defined cycle, retain review records, disclose material findings, and correct unacceptable conditions. That turns a general assurance into auditable evidence.

For an MSSP analyst responding to an OCR notice or patient complaint, distinguish between these records: the signed BAA, the subcontractor inventory, the annual review evidence, remediation tracking, and management approval of accepted risk. OCR may reasonably ask how the organization knows that a cloud backup provider, managed EHR integrator, texting platform, or remote support firm still protects ePHI as represented.

For example, Harbor Spine & Rehab is a 14-provider physical therapy and chiropractic group with three locations, 48 staff members, WebPT for practice management, Microsoft 365 for email, RingCentral for communications, and Datto SaaS Protection for backups. Its MSSP may contract directly with a remote monitoring vendor and use a security information and event management platform that processes user identifiers, device names, and security-event data. The clinic’s BAA with the MSSP should require the MSSP to evaluate its own ePHI-touching subcontractors, not merely list them once during contracting.

What sample contract clauses require annual subcontractor security reviews?

The following redlined language can be inserted into a BAA, master services agreement security addendum, or subcontractor addendum. Have counsel align defined terms, state-law obligations, indemnity provisions, and the agreement’s notice periods before execution.

Subcontractor Security Evaluation and Flow-Down.

[DELETE: Business Associate shall ensure that its subcontractors comply
with applicable law.]

[ADD: Business Associate shall not permit any Subcontractor to create,
receive, maintain, or transmit Protected Health Information on behalf of
Business Associate unless Business Associate has first executed a written
agreement with that Subcontractor containing restrictions, conditions, and
safeguards no less protective than those applicable to Business Associate
under this Agreement and 45 CFR Part 164.]

[ADD: At least once during each consecutive twelve (12)-month period, and
within thirty (30) days after a material change in the Subcontractor's
services, systems, ownership, hosting environment, security incident, or
use of additional downstream parties, Business Associate shall perform and
document a technical and nontechnical security review of each such
Subcontractor.]

[ADD: The review shall evaluate, as applicable: access controls; unique user
identification; multifactor authentication; encryption in transit and at
rest; vulnerability and patch management; logging and monitoring; backup
and recovery; incident response; workforce security; subcontractor
management; and the Subcontractor's ability to support Business Associate's
obligations under 45 CFR 164.308(a)(8).]

[ADD: Upon request, Business Associate shall provide Covered Entity with a
current Subcontractor inventory, review date, reviewer, risk rating,
material findings, remediation status, and written confirmation that the
required flow-down agreement remains in effect.]

This annual subcontractor security review language is stronger when it identifies the review population. “Subcontractor” should include cloud hosting providers, ticketing and remote-support platforms, outsourced help desks, backup providers, scanning vendors, and consultants that can access ePHI or systems containing ePHI. Exclude only vendors that demonstrably cannot create, receive, maintain, or transmit ePHI and cannot access systems that do.

Also avoid a clause that relies solely on a SOC 2 report. A current SOC 2 Type II report is useful evidence, but it may not cover the exact service, system boundary, complementary user-entity controls, or HIPAA-relevant workflows at issue. The annual review should document how the evidence applies to the actual service delivered.

What should the subcontractor questionnaire ask?

A questionnaire is not the review by itself; it is a repeatable method for obtaining evidence and identifying follow-up questions. The following excerpt works well when an MSSP needs concise documentation that can be attached to an annual evaluation record.

Review question Required evidence Example acceptable response Risk if unanswered
Does the service store, process, transmit, or permit access to ePHI? Data-flow diagram and current service description “Datto SaaS Protection backs up Microsoft 365 Exchange Online mailboxes containing ePHI; backups are encrypted in transit with TLS 1.2+ and at rest with AES-256.” High: unknown ePHI boundary
Is multifactor authentication required for administrative access? Identity-access policy and configuration screenshot or attestation “Microsoft Entra ID MFA is enforced by Conditional Access for all privileged roles; legacy authentication is blocked.” High: privileged account compromise
How are critical vulnerabilities remediated? Vulnerability-management standard and three-month remediation sample “Critical internet-facing findings are remediated within 15 days; Tenable reports and ServiceNow change tickets are retained for 12 months.” High: exploitable exposed systems
What is the incident notification commitment? Incident-response plan and contract notice language “Security incidents involving customer data are reported without unreasonable delay and no later than 48 hours after confirmation.” High: delayed breach assessment
Are downstream providers used for hosting or support? Subprocessor list and subcontractor BAA confirmation “AWS hosts production workloads; the current subprocessor list was reviewed on March 4, 2026, and contractual safeguards are in effect.” Medium to high: unreviewed fourth party

For Harbor Spine & Rehab, the MSSP’s review record should identify whether the remote-support tool permits unattended access to WebPT workstations, whether technician sessions are logged, whether local clipboard and file transfer are disabled, and whether access is protected by named accounts and MFA. A generic statement that the tool is “HIPAA compliant” does not answer those operational questions.

What audit-rights language gives the customer usable evidence?

Audit rights should be proportionate. SMB customers usually do not need the right to conduct onsite audits of a major cloud provider, but they do need a contractual right to obtain evidence, ask reasonable follow-up questions, and verify remediation when a risk affects their ePHI.

Audit Cooperation and Evidence.

[ADD: Upon Covered Entity's reasonable written request, no more than once
per calendar year unless prompted by a Security Incident, material finding,
or regulatory inquiry, Business Associate shall provide evidence of its
Subcontractor security reviews.]

[ADD: Evidence shall include the applicable review questionnaire or
assessment, independent assurance reports if available, a summary of
material control exceptions, remediation plans with target dates, and
written confirmation of required subcontractor agreements.]

[ADD: Business Associate may redact information that would create a
material security risk or violate another customer's confidentiality rights,
provided that the redaction does not prevent Covered Entity from evaluating
the finding, affected systems, ePHI impact, compensating controls, or
remediation status.]

[ADD: If Covered Entity receives an OCR request, patient complaint, breach
inquiry, or other regulatory inquiry involving Business Associate or a
Subcontractor, Business Associate shall provide relevant review records and
reasonable personnel assistance within five (5) business days, or sooner
where legally required.]

A practical audit-rights provision should also define retention. Require review artifacts for at least six years when they support HIPAA compliance documentation, consistent with the Security Rule documentation retention requirement at 45 CFR 164.316(b)(2)(i). The review file should show the date, scope, evidence reviewed, decision, findings, owner, due date, and closure evidence.

When should failed subcontractor reviews become termination triggers?

Termination language should reserve immediate action for risks that cannot safely remain in the ePHI environment, while allowing a short cure period for remediable gaps. The key is to connect the trigger to the subcontractor’s access and the business associate’s failure to manage it.

Material Breach and Termination.

[ADD: Covered Entity may require Business Associate to suspend a
Subcontractor's access to ePHI immediately upon a reasonable determination
that the Subcontractor presents a material risk to the confidentiality,
integrity, or availability of ePHI.]

[ADD: A material breach includes failure to complete the required annual
subcontractor security review; failure to maintain a required subcontractor
agreement; refusal to provide required review evidence; repeated failure to
remediate a high-risk finding by the agreed target date; or an unauthorized
use or disclosure caused by the Subcontractor.]

[ADD: If Business Associate does not cure a material breach within thirty
(30) days after written notice, or such shorter period as is reasonably
necessary to protect ePHI, Covered Entity may terminate this Agreement.
Where termination is not feasible, the Parties shall document the reasons
and Covered Entity shall report the problem to the Secretary as required by
applicable law.]

For an OCR response, do not claim that an annual review occurred if the only available record is an old vendor spreadsheet. State the actual facts, preserve the signed agreements and evidence, identify the gap, and document the corrective action—such as completing a retrospective review, suspending unnecessary access, and amending the BAA with a recurring review requirement.

For your next customer audit response, map every ePHI-touching subcontractor to a signed flow-down agreement and obtain the annual review evidence before representing that the control is operating effectively.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.