Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI
When a covered entity shares ePHI with a vendor or partner that creates, receives, maintains, or transmits that data on its behalf, the vendor is a business associate and must be bound by a Business Associate Agreement (BAA) before any ePHI is disclosed (45 CFR 164.308(b)(1)). The BAA requires the business associate to implement appropriate safeguards, report security incidents and breaches, and bind its own subcontractors to the same obligations. Healthcare organizations typically share ePHI with dozens of vendors: cloud providers, billing services, EHR systems, and IT managed service providers. Every one of them needs an executed BAA before ePHI can be shared.
Implementation steps
1. Identify all business associates
Inventory all vendors, contractors, and partners that create, receive, maintain, or transmit ePHI on your behalf. This includes cloud storage providers hosting ePHI, managed IT service providers with access to your systems, billing and coding services, EHR vendors, and any other third party that touches ePHI. Maintain a running business associate register.
Tools: Excel, Confluence

2. Execute Business Associate Agreements
Obtain a signed BAA from every business associate before sharing ePHI with them. The BAA must specify how the business associate will protect ePHI, require them to report breaches and security incidents, obligate them to flow the same requirements down to their subcontractors, and address return or destruction of ePHI at contract termination. Review BAAs periodically, and whenever the scope of services or the data shared changes, to ensure they remain current and compliant.
Tools: DocuSign, Excel, Confluence

3. Assess business associate security practices
Obtaining a BAA is necessary but not sufficient. Periodically assess whether business associates are actually implementing appropriate safeguards. This may include reviewing their security questionnaires, SOC 2 reports, or HITRUST certifications, or conducting vendor security assessments for high-risk business associates. When relying on a third-party report, confirm that its scope covers the systems and services that handle your ePHI and that the report period is current.

Tools: Excel, Confluence, Onspring
Evidence required
Business associate register
A list of all business associates with ePHI access.
- Business associate inventory spreadsheet
- Vendor register identifying ePHI handlers
Executed Business Associate Agreements
Signed BAAs with all business associates.
- Signed BAA documents
- Contract management system records showing BAAs executed
Related controls
Ensure contracts or other arrangements with business associates meet HIPAA requirements and provide satisfactory assurances of ePHI protection
Business Associate Contract Requirements
Implement a security management process to prevent, detect, contain, and correct security violations
Security Management Process
Designate a security official responsible for developing and implementing security policies and procedures
Assigned Security Responsibility
Implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access
Workforce Security