HITECH Act Compliance Checklist for Business Associates: BAAs, Security, and Reporting
This HITECH Act compliance checklist helps you, as a business associate, put the right agreements, Security Rule Safeguards, and reporting practices in place to protect Protected Health Information (PHI) and demonstrate readiness for a HIPAA Compliance Audit.
Business Associate Agreements Execution
A Business Associate Agreement (BAA) is mandatory before you create, receive, maintain, or transmit PHI on behalf of a covered entity. Execute BAAs with every covered entity client and flow down equivalent terms to all subcontractors that handle PHI.
Checklist
- Confirm the relationship involves PHI and identify all services where PHI is touched (including ePHI within tools or logs).
- Execute a Business Associate Agreement (BAA) before any PHI is shared; prohibit PHI use until fully signed.
- Include required elements: permitted uses/disclosures, Security Rule Safeguards, breach and incident reporting, subcontractor flow-down, access/amendment/accounting support, return or destruction of PHI, and HHS access to records.
- Apply the minimum necessary standard and prohibit unauthorized marketing, sale of PHI, or other non-permitted uses.
- Map who will perform notifications if a breach occurs (the covered entity, you, or shared responsibilities).
Operational Tips
- Maintain a central BAA repository with version control, renewal dates, and points of contact.
- Verify subcontractor BAAs mirror your obligations; no subcontractor should touch PHI until their BAA is executed.
- Align BAAs with your internal policies so operational practices match contractual promises.
Implementing Security Safeguards
The Security Rule uses a risk-based approach. Implement and document administrative, physical, and technical measures appropriate to your size, complexity, and the sensitivity of PHI you handle.
Administrative safeguards
- Perform a risk analysis and maintain a living Risk Management Plan with prioritized remediation.
- Assign a security officer; define roles, responsibilities, and separation of duties.
- Adopt policies for access management, workforce screening, sanction policy, incident response, and contingency planning.
- Require BAAs for subcontractors with security due diligence and ongoing vendor monitoring.
Physical safeguards
- Control facility access, visitor management, and secure areas where systems with ePHI reside.
- Harden workstations; prevent shoulder surfing; enforce clean desk and secure storage.
- Inventory, track, and sanitize or destroy devices/media that store ePHI before reuse or disposal.
Technical safeguards
- Enforce unique user IDs, least-privilege access, strong authentication (preferably MFA), and automatic logoff.
- Encrypt ePHI in transit and at rest; protect keys and disable weak protocols and ciphers.
- Enable audit controls: centralized logging, time sync, retention, and regular review for anomalies.
- Maintain integrity controls (hashing, checksums) and robust patch and vulnerability management.
Ongoing monitoring
- Continuously monitor critical systems, alerts, and backups; test restores regularly.
- Integrate change management so new systems or features receive security review before go-live.
Breach Notification Procedures
Under the Breach Notification Rule, you must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of a breach. Your BAA may assign additional duties, including preparing draft notices or notifying individuals on the covered entity’s behalf.
Response workflow
- Contain and investigate immediately; preserve logs and evidence.
- Complete the four-factor risk assessment: nature/extent of PHI, unauthorized person, whether the PHI was actually acquired/viewed, and mitigation performed.
- If a breach is confirmed, notify the covered entity promptly with known details and updates as they emerge.
- Provide report content: incident description and dates, types of PHI involved, steps individuals should take, mitigation actions, and your contact information.
- Track all incidents in a breach log; maintain proof of notifications and decisions.
Timing and coordination
- Use internal targets (for example, same-business-day escalation, 72-hour preliminary report) to stay well within the 60-day outer limit.
- If a breach involves 500 or more residents of a state or jurisdiction, coordinate with the covered entity on additional media and HHS reporting obligations identified in the BAA.
- Feed post-incident lessons into your Risk Management Plan and Workforce Training Documentation.
Conducting Risk Assessments
Risk analysis is the foundation of Security Rule compliance and informs your controls, budget, and roadmap. Treat it as an ongoing program, not a one-time project.
How to perform the assessment
- Scope all ePHI: systems, apps, data flows, administrators, vendors, and locations (including backups and logs).
- Identify threats and vulnerabilities; rate likelihood and impact; document existing controls.
- Determine residual risk and prioritize remediation in a time-bound Risk Management Plan.
- Validate with technical testing (vulnerability scans, configuration reviews, and targeted penetration testing where warranted).
Frequency and triggers
- Review formally at least annually and whenever you introduce major changes in systems, vendors, or processes.
- Reassess after incidents, new regulations, or material growth in data volume or access patterns.
- Use results to demonstrate HIPAA Compliance Audit readiness.
Staff Training and Awareness
Your workforce—employees, contractors, temps—must understand how to handle PHI securely. Training reduces risk and evidences compliance.
Program essentials
- New-hire onboarding covers HIPAA, appropriate use, incident reporting, and handling of Protected Health Information (PHI).
- Provide annual refresher training plus role-based modules for admins, developers, support, and sales.
- Run simulated phishing, insider threat awareness, and secure data handling exercises.
- Reinforce policies: clean desk, minimum necessary, sanction policy, and breach escalation.
Workforce Training Documentation
- Record attendance, dates, curricula, and scores; retain artifacts and acknowledgments.
- Tie training objectives to risks identified in the risk analysis; measure and report completion rates.
Documentation and Reporting Requirements
Thorough documentation proves your program is real and operating. Maintain and retain records (commonly six years) and keep them audit-ready.
Maintain these records
- Executed BAAs and subcontractor agreements with change history.
- Policies and procedures, versioned with approval dates and distribution logs.
- Risk analyses, Risk Management Plan, remediation evidence, and acceptance of residual risks.
- Security incident and breach logs, investigation files, and notification packages.
- System inventories, diagrams, configurations, audit logs, and access reviews.
- Contingency plans, backup/restore tests, and business continuity results.
- Workforce Training Documentation, attestations, and sanctions when applied.
Reporting cadence
- Provide periodic security metrics to covered entities as agreed in the BAA (e.g., training completion, patching, vulnerability trends).
- Notify covered entities promptly about material changes that affect PHI protection (system migrations, new vendors, architecture shifts).
- Prepare an audit-ready package to streamline any HIPAA Compliance Audit or due diligence review.
Conclusion
By executing strong BAAs, implementing fit-for-purpose Security Rule Safeguards, rehearsing breach notification steps, running disciplined risk assessments, training your workforce, and keeping impeccable records, you satisfy the HITECH Act compliance checklist for business associates and prove that PHI is protected in practice—not just on paper.
FAQs
What are the requirements for business associate agreements under the HITECH Act?
A BAA must be in place before PHI is shared and must specify permitted uses and disclosures, required Security Rule Safeguards, breach and incident reporting, subcontractor flow-down, assistance with individual rights (access, amendment, accounting), return or destruction of PHI at termination, and the right for HHS to access relevant records. It should also assign who does what during breach notifications and reinforce the minimum necessary standard.
How should business associates report a PHI breach?
Notify the covered entity without unreasonable delay and no later than 60 days after discovery. Include what happened and when, the types of PHI involved, steps affected individuals should take, mitigation performed, and contact information. Coordinate responsibilities per the BAA, maintain a breach log, and update your Risk Management Plan based on lessons learned.
What security measures are mandated for protecting PHI?
You must implement administrative, physical, and technical Security Rule Safeguards suited to your risk profile. Core controls include risk analysis, a maintained Risk Management Plan, access controls and MFA, encryption in transit and at rest, audit logging and reviews, device/media controls, contingency planning with tested backups, workforce training, and vendor management with subcontractor BAAs.
How often must risk assessments and staff training be conducted?
Conduct a formal risk analysis at least annually and whenever significant changes occur (new systems, vendors, or incidents). Provide new-hire training at onboarding, refreshers at least annually, and role-based training as duties evolve. Keep thorough Workforce Training Documentation to evidence completion and effectiveness.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.