Greenway Health BAA: How to Get a HIPAA Business Associate Agreement


Kevin Henry

HIPAA

December 31, 2025

7 minute read

If you use Greenway Health solutions to create, receive, maintain, or transmit patient data, you need a signed HIPAA Business Associate Agreement (BAA). This guide shows you exactly how to request, evaluate, and finalize a Greenway Health BAA while protecting Protected Health Information (PHI) and aligning with HITECH Act Compliance and the HIPAA Omnibus Rule.

Contact Greenway Health

Start by reaching out through your account manager or Greenway Health’s customer support channel. Clearly state that you are a Covered Entity or upstream Business Associate seeking a HIPAA Business Associate Agreement for your Greenway Health services.

What to include in your request

  • Legal name of your organization and any affiliates that will access PHI.
  • Primary contacts: privacy officer, security officer, and contracting authority.
  • Description of your intended use of the platform and types of PHI involved.
  • Data flows (who sends/receives PHI), hosting model, and third-party integrations.
  • Requested effective date and any timeline drivers (go‑live, audits, renewals).

Provide any internal security requirements up front (e.g., encryption expectations, incident reporting windows) so Greenway Health can route your request to the right team and anticipate any BAA exhibits or amendments you may need.

Review BAA Terms

Once Greenway Health shares its standard BAA, review it for scope, responsibilities, and risk allocation. Your goal is to ensure Covered Entity Obligations and Business Associate duties are clear, enforceable, and aligned with your compliance program.

Key provisions to evaluate

  • Permitted uses and disclosures: confirm “minimum necessary” access and the specific purposes for which PHI may be used to deliver services or manage the relationship.
  • Subcontractors: require written, back‑to‑back BAAs with any subcontractor that handles PHI and ensure equivalent Security Safeguards.
  • Safeguards: verify administrative, physical, and technical controls consistent with the HIPAA Security Rule, HITECH Act Compliance, and Omnibus Rule updates.
  • Access, amendment, and accounting support: define how the Business Associate helps you fulfill patient rights requests.
  • Breach Notification: set timelines, required incident details, cooperation duties, and documentation standards.
  • Data return or destruction: specify timing, format, and secure disposal when the agreement ends.
  • Audits and assurances: outline right-to-audit or acceptable third‑party attestations (e.g., SOC 2 summaries) and frequency.
  • Term, termination, and cure: include rights to terminate for material breach and steps to mitigate risk during transition.
  • Preemption and state laws: acknowledge that stricter state privacy laws may apply in addition to HIPAA.

Keep the BAA consistent with your master services agreements and statements of work. If you need bespoke security or privacy schedules, align definitions and cross-references so there are no conflicts.

Execute the Agreement

Confirm the correct legal entities, signers with authority, and the effective date. Most BAAs use an e‑signature workflow for speed and version control. Ensure all referenced exhibits (data flow diagrams, service descriptions, retention schedules) are attached before signature.

Post‑execution essentials

  • Store the fully executed BAA in your contract repository with clear metadata (entities covered, effective date, renewal terms).
  • Record designated privacy and security contacts for operational communications.
  • Map the BAA to your control framework and vendor risk register for ongoing monitoring.
  • Train staff on any process changes tied to the new obligations (e.g., incident escalation paths).

Understand PHI Handling

Protected Health Information includes individually identifiable health data, in any form, linked to identifiers such as name, address, or medical record number. Electronic PHI (ePHI) inherits the same protections. Your BAA should make “minimum necessary” access a norm across support, integrations, analytics, and data migrations.

Operational practices to reduce risk

  • Role‑based access and time‑bound privileges for implementation and support activities.
  • Secure methods for file exchange, ticket attachments, and remote access.
  • Documented retention periods with secure deletion or return upon request.
  • Use de‑identification when possible; if re‑identification is required, control it tightly and document the rationale.

Keep a current data flow map so you always know where PHI resides, who can access it, and what controls protect it.

Ensure Compliance Safeguards

Security Safeguards required by HIPAA span administrative, physical, and technical controls. Your BAA should affirm that Greenway Health implements appropriate measures, while you maintain your own safeguards as the Covered Entity.

Administrative safeguards

  • Documented risk analysis and risk management plan, updated for service changes.
  • Policies, procedures, workforce training, and a sanctions process.
  • Vendor and subcontractor oversight with security due diligence and BAAs.
  • Contingency planning, backups, disaster recovery, and tabletop exercises.

Physical safeguards

  • Facility access controls, device and media controls, and secure disposal.
  • Protections for mobile devices and remote workstations that may handle PHI.

Technical safeguards

  • Encryption in transit and at rest, strong authentication (including MFA), and role‑based access control.
  • Comprehensive logging, audit trails, and security monitoring with timely patching.
  • Segregation of environments, least‑privilege service accounts, and key management.

Align these safeguards with your own standards to maintain end‑to‑end protection and clear accountability between parties.

Manage Breach Reporting

The BAA should distinguish routine security incidents from a reportable breach. Under HIPAA, a breach generally requires notification unless a risk assessment shows a low probability that PHI was compromised. Your agreement should define how that assessment occurs and who leads each step.

Timelines and required details

  • Notification from Business Associate to Covered Entity without unreasonable delay and no later than 60 days after discovery; many BAAs set shorter windows—plan for them.
  • Incident description, dates, types of PHI involved, number of affected individuals, and recommended mitigation.
  • Ongoing cooperation for individual notices, regulatory filings, and remediation.

Because state laws can impose faster notifications or extra content requirements, ensure your internal incident response plan aligns with both the BAA and applicable state rules. Conduct and document post‑incident lessons learned to strengthen controls.

Comply with HIPAA Updates

HIPAA evolves through guidance and rulemaking, including the HITECH Act and the HIPAA Omnibus Rule. Build a change‑management process that tracks regulatory updates, evaluates impact, and amends your BAA or operational procedures when needed.

Staying current

  • Review your BAA annually and after material service changes or new integrations.
  • Refresh workforce training to reflect new policies, threats, and workflows.
  • Re‑perform risk analysis when adding modules, data types, or third parties.

Summary: Secure a Greenway Health BAA by initiating contact early, scrutinizing terms for PHI use, safeguards, and Breach Notification, executing with complete exhibits, and instituting continuous compliance. This approach protects patients, meets Covered Entity Obligations, and reduces contractual and regulatory risk.

FAQs

What is a Greenway Health BAA?

A Greenway Health BAA is a HIPAA Business Associate Agreement that sets the privacy, security, and Breach Notification obligations for Greenway Health when it creates, receives, maintains, or transmits your PHI to deliver contracted services.

How do I request a BAA from Greenway Health?

Contact your Greenway Health account manager or customer support and request their standard BAA. Provide your legal entity information, points of contact, intended data flows, and target effective date so the agreement can be prepared and routed for signature.

What are the key provisions in a BAA?

Focus on permitted uses/disclosures, minimum necessary access, subcontractor flow‑downs, Security Safeguards aligned to the HIPAA Security Rule, Breach Notification timelines and content, assistance with patient rights, data return/destruction, audit rights, and termination for cause.

How does a BAA protect PHI?

The BAA contractually requires appropriate administrative, physical, and technical safeguards; limits how PHI may be used or disclosed; mandates timely breach reporting and cooperation; and ensures subcontractors follow equivalent protections—creating a governed framework for safeguarding PHI end to end.
