How to Keep a HIPAA BAA Compliance Log (Vendor Tracking Template)
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ A BAA tracking log is the practical foundation of your HIPAA compliance program for vendor management
- ✓ Log all current and former business associates — including terminated relationships — for 6 years
- ✓ A spreadsheet is sufficient; you do not need specialized software for most small practices
- ✓ OCR auditors specifically request a list of business associates and executed BAAs — a log makes this instant
A BAA compliance log is not a nice-to-have — it is the operational foundation of your HIPAA vendor management program. When OCR auditors ask for documentation of your business associate relationships, the log is what you hand them. Understanding who qualifies as a business associate determines who goes on the list.
Why You Need a BAA Tracking Log
Without a log, you cannot reliably answer questions that come up regularly in HIPAA operations:
- Do we have a signed BAA with every vendor who handles PHI?
- Which vendors were in place before our last compliance review?
- We just terminated our relationship with Vendor X — when was our BAA signed and where is the executed copy?
- Our EHR vendor was acquired — do we have the new entity's name on a BAA?
- OCR is requesting our BA inventory — where is the list?
In an OCR compliance review, the inability to produce a current and historical BA inventory — with executed BAAs for each — is itself a finding. Organizations that can immediately produce this documentation demonstrate a functioning compliance program, which materially affects OCR's enforcement response.
What to Include in Your BAA Log
The following table shows the recommended fields for a BAA tracking log, with sample rows:
| Field | Example: Active Vendor | Example: Terminated Vendor |
|---|---|---|
| Vendor name (common name) | Acme Billing Services | OldEHR Corp |
| Vendor legal entity name | Acme Medical Billing LLC | OldEHR Corporation |
| Service description | Medical billing and coding | Electronic health records system |
| PHI types involved | Claims data, diagnosis codes, patient demographics | Full clinical record, including notes and labs |
| Date BAA signed | 2024-03-15 | 2021-06-01 |
| BAA provided by | Covered entity (our form) | Vendor (their form) |
| Amendments | None | Amendment 1: 2022-11-10 (added subcontractor) |
| Storage location | /Compliance/BAAs/Acme-BAA-2024.pdf | /Compliance/BAAs/OldEHR-BAA-2021.pdf |
| Last review date | 2025-11-01 | N/A (terminated) |
| Status | Active | Terminated 2024-05-31 |
| PHI disposition (if terminated) | N/A | Data export confirmed 2024-06-15; deletion cert on file |
| Retain until | Ongoing | 2030-06-15 (6 years from termination) |
How Long to Retain BAA Records
Under 45 CFR § 164.530(j), documentation of HIPAA policies, procedures, and compliance must be retained for 6 years from the date of creation or the date it was last in effect — whichever is later.
For BAAs specifically:
- Active BAAs: Retain the executed BAA for as long as the relationship is active, plus 6 years after termination
- Terminated BAAs: Retain for 6 years from the termination date (or the date the BAA was created, if later)
- Amendments: Retain each amendment for 6 years from its effective date or from the BAA termination, whichever is later
- The BAA log itself: Retain indefinitely as a compliance record; historical entries for terminated vendors should remain visible (do not delete rows) until the 6-year retention period expires for each entry
The practical implication: do not delete terminated vendors from your log. Mark them as "Terminated" with the date and PHI disposition. Set a "Retain Until" date in the log so you know when the record can be archived or destroyed.
How to Audit Your BAA Log Annually
An annual BAA audit means systematically confirming every entry in your log is accurate and every vendor relationship has current, complete documentation. A practical annual process:
- Pull the full vendor list from your accounts payable, IT procurement, and contract management systems — not just from your BAA log. New vendors are often added without a compliance review.
- For each vendor on the list, determine: does this vendor access, create, or maintain PHI? If yes, is there a signed BAA in place?
- For vendors with a BAA: confirm the executed copy is in its logged storage location, the vendor name matches the current legal entity, and the services described still match actual use.
- Flag any gaps: vendors who access PHI without a BAA, BAAs that describe outdated services, or BAAs with vendor entities that have since been acquired.
- Update the log: record the review date and outcome for each entry.
Log the audit itself — the date conducted, who conducted it, findings, and remediation steps taken. This audit documentation supports your HIPAA compliance program record. See the HIPAA BAA audit readiness guide for what OCR looks for specifically.
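The retention rule above (6 years from the later of creation, termination, amendment, or disposition) and the annual reconciliation steps are simple enough to script once the log has the fields from the table. The following is an added example, not code from the article or from BAA Generator: it assumes the log is held as Python records with the table's fields, constructs sample rows (two copied from the table, the rest invented for illustration, including the vendor and procurement names), and reports the same classes of gap the audit steps describe. The "retain until" calculation takes the latest of the signing, termination, amendment and PHI-disposition dates and adds 6 years, which reproduces the table's 2030-06-15 for the terminated EHR vendor.

```python
"""BAA log retention and annual reconciliation (constructed example, not the article's own code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RETENTION_YEARS = 6                 # 45 CFR 164.530(j) documentation retention period
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class BaaRecord:
    """One row of the tracking log; field names follow the article's table."""
    vendor: str
    legal_entity: str
    service: str
    signed: date
    status: str                      # "Active" or "Terminated"
    storage_path: str
    last_review: Optional[date] = None
    terminated: Optional[date] = None
    phi_disposition: Optional[date] = None
    amendments: list = field(default_factory=list)   # effective dates of amendments


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:               # 29 Feb rolled into a non-leap year
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: BaaRecord) -> Optional[date]:
    """Retention end for a terminated record: 6 years from the latest relevant date.
    Active relationships have no end date yet (returns None)."""
    if rec.status != "Terminated":
        return None
    anchors = [rec.signed, rec.terminated, rec.phi_disposition, *rec.amendments]
    return add_years(max(a for a in anchors if a is not None), RETENTION_YEARS)


def audit(procurement: list, log: list, today: date) -> list:
    """Cross-check the procurement/AP vendor list against the BAA log.
    Returns (vendor, finding) pairs; an empty list means no gaps."""
    findings = []
    by_name = {r.vendor: r for r in log}
    seen = set()
    for v in procurement:
        seen.add(v["name"])
        rec = by_name.get(v["name"])
        if rec is None or rec.status == "Terminated":
            if v["handles_phi"]:
                findings.append((v["name"], "handles PHI but no active BAA on file"))
            continue
        if rec.legal_entity != v["legal_entity"]:
            findings.append((v["name"], "legal entity mismatch: BAA names "
                             f"{rec.legal_entity!r}, procurement shows {v['legal_entity']!r}"))
        if rec.last_review is None or today - rec.last_review > REVIEW_INTERVAL:
            findings.append((v["name"], "annual review overdue"))
    for rec in log:
        if rec.status == "Active" and rec.vendor not in seen:
            findings.append((rec.vendor, "active BAA but vendor absent from procurement; confirm termination"))
        end = retain_until(rec)
        if end is not None and end <= today:
            findings.append((rec.vendor, f"retention period ended {end}; eligible for archival"))
    return findings


# Constructed sample data: first two rows mirror the article's table, the rest are invented.
LOG = [
    BaaRecord("Acme Billing Services", "Acme Medical Billing LLC", "Medical billing and coding",
              date(2024, 3, 15), "Active", "/Compliance/BAAs/Acme-BAA-2024.pdf",
              last_review=date(2025, 11, 1)),
    BaaRecord("OldEHR Corp", "OldEHR Corporation", "Electronic health records system",
              date(2021, 6, 1), "Terminated", "/Compliance/BAAs/OldEHR-BAA-2021.pdf",
              terminated=date(2024, 5, 31), phi_disposition=date(2024, 6, 15),
              amendments=[date(2022, 11, 10)]),
    BaaRecord("Transcribe Co", "Transcribe Co Inc", "Dictation transcription",
              date(2019, 2, 1), "Active", "/Compliance/BAAs/Transcribe-BAA-2019.pdf",
              last_review=date(2024, 9, 1)),
    BaaRecord("Shred-It Local", "Shred-It Local LLC", "Paper record destruction",
              date(2022, 8, 20), "Active", "/Compliance/BAAs/ShredIt-BAA-2022.pdf",
              last_review=date(2025, 10, 15)),
]
PROCUREMENT = [   # what accounts payable currently pays (hypothetical)
    {"name": "Acme Billing Services", "legal_entity": "Acme Medical Billing LLC", "handles_phi": True},
    {"name": "Transcribe Co", "legal_entity": "Transcribe Holdings Inc", "handles_phi": True},
    {"name": "CloudFax Inc", "legal_entity": "CloudFax Inc", "handles_phi": True},
    {"name": "Office Supply Co", "legal_entity": "Office Supply Co", "handles_phi": False},
]
TODAY = date(2026, 4, 19)

if __name__ == "__main__":
    for rec in LOG:
        print(f"{rec.vendor}: retain until {retain_until(rec) or 'ongoing'}")
    for vendor, finding in audit(PROCUREMENT, LOG, TODAY):
        print(f"FINDING  {vendor}: {finding}")
```

Run against the sample data, the script reports the fax vendor handling PHI with no BAA, the transcription vendor whose legal entity changed and whose review is overdue, and the shredding vendor that is still marked active but no longer appears in procurement; the terminated EHR vendor is kept with a retain-until date of 2030-06-15 rather than deleted.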
Tools for Tracking BAAs
| Tool Type | Best for | Limitations |
|---|---|---|
| Spreadsheet (Excel, Google Sheets) | Small practices (under 20 vendor BAAs); low cost; easy to start immediately | No automated reminders; requires manual updates; version control risk |
| Contract management software (e.g., Ironclad, Juro) | Organizations with many contracts; built-in reminders and version control | Overkill for small practices; not HIPAA-specific |
| HIPAA compliance platforms (e.g., Compliancy Group, Healthicity) | Practices that want integrated compliance management including BA tracking, risk assessments, and training | Higher cost; more features than needed for BA tracking alone |
| EHR compliance modules | Practices whose EHR includes compliance features | Limited to EHR vendor's feature set; may not cover all BA types |
Frequently Asked Questions
How long must you keep HIPAA BAA records?
Under 45 CFR § 164.530(j), BAA records must be retained for 6 years from the date of creation or the date the document was last in effect — whichever is later. For terminated BAAs, retain for 6 years from the termination date. Do not delete terminated vendors from your log — mark them as terminated and set a retention expiration date.
What should a BAA tracking log include?
At minimum: vendor name and legal entity name, service description, PHI types involved, BAA signature date, which party provided the form, location of the executed copy, amendment history, last review date, status (active/terminated), PHI disposition if terminated, and the date through which the record must be retained.
Do I need special software to track BAAs?
No. A well-structured spreadsheet is sufficient for most small and mid-size practices. The key is maintaining it consistently — adding new vendors before they access PHI, recording amendments promptly, and conducting an annual audit. Special HIPAA compliance software adds features (automated reminders, audit trails) but is not required by HIPAA.