hipaa-as-9 Critical priority Administrative Safeguards / Business Associate Contracts

Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI

When a covered entity shares ePHI with a vendor or partner that performs functions on its behalf, that vendor is a business associate and must be bound by a Business Associate Agreement (BAA). The BAA requires the business associate to implement appropriate safeguards, report breaches, and ensure their own subcontractors comply. Healthcare organizations share ePHI with dozens of vendors: cloud providers, billing services, EHR systems, and IT managed service providers. Every one of them needs a BAA before ePHI can be shared.

Implementation steps

  1. Identify all business associates

     Inventory all vendors, contractors, and partners that create, receive, maintain, or transmit ePHI on your behalf. This includes cloud storage providers hosting ePHI, managed IT service providers with access to your systems, billing and coding services, EHR vendors, and any other third party that touches ePHI. Maintain a running business associate register.

     Tools: Excel, Confluence

  2. Execute Business Associate Agreements

     Obtain a signed BAA from every business associate before sharing ePHI with them. The BAA must specify how the business associate will protect ePHI, require them to report breaches, obligate them to ensure their subcontractors comply, and address return or destruction of ePHI at contract termination. Review BAAs periodically to ensure they remain current and compliant.

     Tools: DocuSign, Excel, Confluence

  3. Assess business associate security practices

     Obtaining a BAA is necessary but not sufficient. Periodically assess whether business associates are actually implementing appropriate safeguards. This may include reviewing their security questionnaires, SOC 2 reports, or HITRUST certifications, or conducting vendor security assessments for high-risk business associates.

     Tools: Excel, Confluence, Onspring

Evidence required

Business associate register

A list of all business associates with ePHI access.

  • Business associate inventory spreadsheet
  • Vendor register identifying ePHI handlers

Executed Business Associate Agreements

Signed BAAs with all business associates.

  • Signed BAA documents
  • Contract management system records showing BAAs executed

Related controls