hipaa-or-1 High priority Organizational Requirements / Business Associate Contract Requirements

Ensure contracts or other arrangements with business associates meet HIPAA requirements and provide satisfactory assurances of ePHI protection

Covered entities are ultimately responsible for the ePHI they share with business associates. While the Business Associate Agreement (covered in Administrative Safeguards) establishes the contractual obligation, this organizational requirement addresses the substance of what those contracts must contain and how covered entities must respond if a business associate is found to be in violation. Covered entities must also ensure that group health plans have appropriate separations between plan administration and sponsor functions to protect ePHI.

Implementation steps

  1. Ensure BAAs contain all required provisions

     Review all Business Associate Agreements to confirm they contain the required provisions: permitted and required uses and disclosures of ePHI, prohibition on unauthorized use or disclosure, obligation to implement appropriate safeguards, reporting of breaches and security incidents, ensuring subcontractors comply, return or destruction of ePHI at termination, and making records available for HHS compliance review.

  2. Respond to violations by business associates

     If a covered entity knows of a pattern of activity or practice of a business associate that constitutes a material breach of the BAA, the covered entity must take reasonable steps to cure the breach or end the violation. If unsuccessful, the covered entity must terminate the BAA if feasible. If termination is not feasible, the covered entity must report the problem to HHS. Document all such actions.

  3. Manage business associate subcontractor obligations

     Ensure that business associates are contractually required to obtain satisfactory assurances from their subcontractors who handle ePHI. Verify that BAAs include this downstream obligation. For high-risk business associates, request evidence that subcontractor BAAs are in place.


Evidence required

BAA compliance review

Evidence that BAAs contain all required provisions.

  • BAA template or standard agreement with required provisions highlighted
  • Legal review confirming BAA compliance
  • BAA checklist

Business associate violation response documentation

Documentation of any known business associate violations and actions taken.

  • Correspondence and remediation records for known violations
  • BAA termination records where applicable

Related controls