BAA Review Guide: Step-by-Step Checklist for Reviewing HIPAA Business Associate Agreements
Identification of Parties
Begin by confirming exactly who is bound by the BAA and how each party handles Protected Health Information (PHI). Clear role definitions prevent gaps in responsibility and ensure your downstream vendors cannot claim they are outside the agreement.
Checklist
- Verify the legal names and addresses of the Covered Entity and Business Associate, including any affiliates or agents that will access PHI.
- Confirm a precise description of services involving PHI, the data flows, and systems used.
- Identify all workforce members, agents, and any subcontractors who will touch PHI.
- Ensure the effective date, term, and governing documents (MSA, SOW, order forms) are referenced consistently.
- Designate contacts for privacy, security, and incident response communications.
Red Flags
- Ambiguous party names (e.g., trade names without legal entities) or broad “affiliate” definitions.
- Assignments or subcontracting permitted without notice or consent where PHI is involved.
- Vendors attempting to disclaim Business Associate status despite PHI access.
Documentation Tips
- Maintain a vendor roster mapping BAAs to services and data types.
- Align definitions across documents to avoid conflicting obligations.
Permitted Uses and Disclosures of PHI
Scope the vendor’s access tightly and apply the Minimum Necessary Standard. Uses must align with the HIPAA Privacy Rule and be limited to clearly articulated purposes needed to perform contracted services.
Checklist
- State permitted uses and disclosures (e.g., service delivery, support, TPO where applicable, de-identification, and BA’s internal management as allowed).
- Require adherence to the Minimum Necessary Standard for all access, use, and disclosure.
- Prohibit marketing, sale of PHI, or any use requiring patient authorization unless expressly authorized by you.
- Address aggregation, de-identification, and analytics (if allowed), including method and ownership of outputs.
- Require documentation and support for accounting of disclosures when requested.
Red Flags
- Catch-all language like “any lawful purpose” that exceeds operational need.
- Silent or vague terms on de-identification or further use of derived data.
Documentation Tips
- Map each permitted use to a service in the SOW and record who can access what data and why.
Safeguards and Security Measures
Demand explicit Security Rule Compliance, not generic “industry standard” security. Require proof that the BA performs ongoing risk management and can evidence controls in practice.
Checklist
- Require administrative, physical, and technical safeguards appropriate to the risks.
- Mandate encryption in transit and at rest, strong access controls, MFA, and audit logging.
- Obligate documented security awareness training and workforce sanctions for violations.
- Require Risk Analysis Documentation and a risk management plan reviewed at defined intervals.
- Specify incident response, business continuity, and disaster recovery expectations.
- Provide a right to receive security summaries, attestations, or to conduct assessments.
Red Flags
- Security obligations framed only as “commercially reasonable” without Security Rule anchoring.
- No requirement for periodic risk analysis, penetration testing, or log review.
- Legacy or weak encryption standards with no upgrade commitments.
Evidence to Request
- Recent risk assessment summaries, remediation plans, and policy excerpts.
- Independent security attestations (e.g., SOC 2) or equivalent control mappings.
Subcontractor Requirements
Any downstream vendor that creates, receives, maintains, or transmits PHI must be bound by a written Subcontractor Agreement with the same restrictions and conditions that apply to the BA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Checklist
- Require prior notice and, ideally, approval before engaging subcontractors with PHI access.
- Flow down all privacy, security, and Breach Notification Requirements to subcontractors.
- Mandate due diligence and ongoing monitoring of subcontractors’ controls.
- Maintain an up-to-date list of subcontractors with services and PHI types accessed.
- Prohibit offshore storage or access without explicit written consent, if applicable.
Red Flags
- Right to use any subcontractor at the BA’s discretion without notice.
- Subcontractor terms weaker than those in your BAA or silent on breach reporting.
Oversight Tips
- Request copies or summaries of each Subcontractor Agreement and associated risk reviews.
Termination and Return or Destruction of PHI
Plan the end from the beginning. Your BAA must define when you can terminate for cause and exactly how PHI will be returned or destroyed, including backups and archives.
Checklist
- Include a right to terminate for material breach with a defined cure period.
- Require prompt return or secure destruction of PHI within a set timeframe after termination.
- Address infeasibility: if destruction is not possible, require continued protections and restricted uses.
- Mandate certificates of destruction/return, covering production, backups, and logs.
- Require assistance with data transition and verification of access revocation.
Red Flags
- Indefinite retention of PHI or vague promises to delete “when feasible.”
- Excessive fees or conditions placed on data return that impede patient care or compliance.
Practical Steps
- Create a deprovisioning checklist for accounts, keys, integrations, and shared repositories.
Breach Notification
Clear Breach Notification Requirements protect patients and your organization. Your BAA should define what constitutes an incident, how quickly the BA must notify you, and what details the report must include.
Checklist
- Define “security incident” and “breach of unsecured PHI” and require immediate internal escalation.
- Set a short BA-to-CE notification deadline (e.g., within 5 business days) to enable regulatory timelines.
- Require ongoing status updates, mitigation steps, and cooperation with investigations.
- Mandate preservation of logs, forensic artifacts, and evidence of corrective actions.
What the Report Should Include
- Event timeline, systems affected, and types of PHI involved.
- Number of individuals impacted, likelihood of misuse, and mitigation performed.
- Results of the BA’s risk assessment and planned preventive measures.
Red Flags
- Notification only after “confirmed breach,” ignoring probable incidents under investigation.
- No requirement to share forensics or to support patient and regulator notifications.
Compliance with HIPAA Regulations
Embed obligations that demonstrate day-to-day compliance with the HIPAA Privacy Rule and Security Rule. Go beyond paper promises by requiring operational proof and continuous improvement.
Checklist
- Affirm compliance with applicable HIPAA provisions and related guidance.
- Require policies for access, amendment, restrictions, and accounting of disclosures.
- Mandate workforce training, sanction policies, and periodic program reviews.
- Require current Risk Analysis Documentation and evidence of Security Rule Compliance.
- Provide audit and inquiry cooperation rights, including responses to regulator requests.
Ongoing Monitoring
- Schedule periodic attestations, security summaries, and tabletop exercises.
- Track remediation of findings and align timelines with business risk.
Conclusion
A disciplined BAA review protects patients and your organization. By tightening scope, proving safeguards, managing subcontractors, defining clean exits, and enforcing rapid breach reporting, you convert contractual words into measurable, auditable compliance.
FAQs
What are the key elements to review in a BAA?
Focus on clear party identification, tightly scoped permitted uses, robust safeguards tied to Security Rule Compliance, strong subcontractor flow-downs, precise termination and data disposition steps, detailed Breach Notification Requirements, and operational proof such as Risk Analysis Documentation. Together, these elements align the agreement with the HIPAA Privacy Rule and daily practice.
How should breaches of PHI be reported under a BAA?
The BAA should require prompt BA-to-CE notification within a short, defined window, continuous updates, and a detailed report describing the event, affected PHI, individuals impacted, mitigation, and corrective actions. It should also require preservation of evidence and cooperation so you can meet regulatory deadlines and patient communication obligations.
What are the termination obligations concerning PHI under a BAA?
Upon termination, the BA must return or securely destroy all PHI—production copies, backups, and logs—by a set deadline, then provide certification. If destruction is infeasible, the BA must continue to protect PHI, restrict uses to limited purposes, and confirm ongoing safeguards until final disposition.