What Business Associates Must Include in HIPAA Policies and Procedures
As a business associate handling Protected Health Information (PHI), you must operationalize HIPAA through clear, enforceable policies and procedures. This means translating legal requirements into day-to-day practices your workforce can follow, monitor, and audit.
This guide outlines what business associates should document to achieve Security Rule Compliance, honor privacy obligations, and meet Breach Notification Requirements. Use it to benchmark your current program and close any gaps.
Privacy Policies and Procedures
Scope and purpose
Your privacy policies should restrict PHI uses and disclosures to what your contract and Business Associate Agreement (BAA) permit or what the law requires. Define the “minimum necessary” standard, role-based access to PHI, and when to de-identify data before secondary use.
Core elements to document
- Permitted and prohibited uses/disclosures of PHI aligned to the Business Associate Agreement (BAA) and applicable law.
- Minimum necessary decision-making: how you limit PHI fields, user roles, and disclosure frequency.
- Individual rights support: processes to help covered entities with access, amendment, and accounting of disclosures within agreed timelines.
- Subpoenas and legal requests: verification, review, and approval steps before any disclosure of PHI.
- Third-party management: diligence, onboarding, and flow-down BAA requirements for subcontractors that touch PHI.
- Complaint handling and sanctions: how you receive, investigate, and resolve privacy complaints and apply workforce sanctions.
- Data lifecycle governance: retention, archival, and secure disposal standards for PHI in all formats.
Designate a privacy lead, define approval authorities for exceptions, and require periodic policy reviews to keep procedures current as your services evolve.
Business Associate Agreement
Required clauses to include and operationalize
- Permitted uses and disclosures of PHI and explicit prohibitions (e.g., marketing without authorization).
- Safeguard obligations: Administrative Safeguards, Physical Safeguards, and Technical Safeguards for ePHI.
- Reporting duties: prompt reporting of security incidents and breaches, including content and timelines.
- Subcontractor flow-down: require subcontractors to sign agreements with the same restrictions and safeguards.
- Support for individual rights: assistance with access, amendments, and accounting of disclosures.
- Audit and oversight: making internal practices and records available to the covered entity or regulators.
- Termination and transition: return or destruction of PHI at contract end and steps if destruction is infeasible.
Operational practices
- Maintain a BAA inventory mapped to systems, data flows, and service lines.
- Standardize breach-reporting SLAs (e.g., internal notice within 24 hours; external notice “without unreasonable delay” and no later than 60 days if required by the BAA).
- Define how you handle media retention, backups, and certificate/key ownership after termination.
- Review indemnification, insurance, and subcontractor obligations alongside Security Rule Compliance.
Workforce Training
Program design
Workforce HIPAA Training must reflect your actual workflows. Cover PHI handling fundamentals, minimum necessary, secure messaging, device use, remote work, phishing, incident reporting, and breach escalation paths. Provide role-based modules for developers, support staff, and leadership.
Frequency and documentation
Train new hires promptly and refresh “as necessary and appropriate,” including when policies or systems change. Many organizations adopt annual refreshers as a best practice. Keep signed attestations, quiz results, schedules, and rosters as part of your training records.
Safeguards to Protect PHI
Administrative Safeguards
- Risk analysis and risk management with documented remediation plans and deadlines.
- Information access management: role-based access, approvals, and periodic access reviews.
- Security awareness: ongoing phishing simulations, reminders, and just-in-time tips.
- Workforce security: background checks as appropriate, onboarding/offboarding controls, and sanctions.
- Security incident procedures: intake, triage, containment, and escalation paths.
- Evaluation: periodic technical and non-technical assessments to validate Security Rule Compliance.
Technical Safeguards
- Access controls: unique user IDs, strong authentication (preferably MFA), and automatic logoff.
- Encryption: TLS in transit and strong encryption at rest for ePHI, backups, and portable media.
- Audit controls: centralized logging, retention standards, and routine log review for anomalous activity.
- Integrity controls: hashing/checksums, change management, code reviews, and tamper-evident storage.
- Endpoint and network protections: patching, EDR, allowlisting, segmentation, DLP, and secure VPN.
- Key management: restricted access to keys, rotation schedules, and secure HSM or vault usage.
Physical Safeguards
- Facility access controls: visitor management, access badges, and surveillance where appropriate.
- Workstation standards: screen privacy, automatic locking, and secure workstation placement.
- Device and media controls: inventory, secure storage, encryption, chain of custody, and verified destruction.
Document exceptions and compensating controls, and tie all safeguards to identified risks and data flows to demonstrate Security Rule Compliance.
Breach Notification Procedures
Detection, assessment, and decisioning
- Define what constitutes a “security incident” versus a “breach” of unsecured PHI.
- Require immediate internal reporting and evidence preservation (logs, images, emails, tickets).
- Perform a risk assessment: what happened, types of PHI, likelihood of re-identification, and mitigation taken.
Breach Notification Requirements for business associates
- Notify the covered entity without unreasonable delay and within the BAA’s SLA (never later than 60 days from discovery when the BAA so states).
- Provide required details: incident description, dates, number of affected individuals, PHI elements, mitigation steps, and contact information.
- Coordinate with the covered entity on notifications to individuals, regulators, and media when applicable.
- Document all decisions, communications, and corrective actions to support audits and lessons learned.
Documentation and Record Retention
What to maintain
- Policies and procedures, risk analyses, risk treatment plans, and safeguard configurations.
- BAAs and subcontractor agreements, inventories, and due-diligence records.
- Training materials, schedules, attendance, and assessment results.
- Security incidents, breach risk assessments, notifications, and corrective action plans.
- Access reviews, audit logs, change records, and testing evidence for contingency plans.
How long to retain
Retain HIPAA-required documentation for at least six years from the date of creation or when it was last in effect, whichever is later. If state law, payer contracts, or your BAA require longer retention, follow the most stringent requirement. Ensure records are secure, backed up, and readily retrievable.
Incident Response and Contingency Planning
Incident response lifecycle
- Preparation: playbooks, contact trees, tooling, and tabletop exercises.
- Detection and analysis: alert triage, severity classification, and forensic preservation.
- Containment and eradication: isolate systems, revoke access, and remove malicious artifacts.
- Recovery: restore from known-good backups, validate integrity, and monitor for recurrence.
- Post-incident: root cause analysis, corrective actions, and policy/training updates.
Contingency planning requirements
- Data backup plan: tested backups for all systems storing ePHI, including offsite copies.
- Disaster recovery plan: prioritized restoration steps, roles, and communication protocols.
- Emergency mode operations: how you continue critical functions while operating under degraded conditions.
- Business impact analysis with RTO/RPO targets aligned to customer SLAs and clinical risk.
- Regular testing and revision: exercises for failover, restoration, and manual downtime procedures.
Conclusion
For business associates, HIPAA compliance hinges on clear policies, enforceable BAAs, routine Workforce HIPAA Training, and layered safeguards that match real risks. Document your decisions, test your plans, and refine them after every change or incident. That discipline turns regulatory requirements into reliable protection for PHI.
FAQs
What are the key elements of a Business Associate Agreement?
A strong BAA defines permitted uses/disclosures of PHI; requires Administrative, Physical, and Technical Safeguards; mandates prompt incident and breach reporting; flows obligations to subcontractors; supports access, amendment, and accounting requests; allows oversight by the covered entity or regulators; and specifies termination steps, including return or destruction of PHI.
How often must workforce HIPAA training be conducted?
HIPAA requires training “as necessary and appropriate” for each role and whenever policies or systems materially change. Best practice is training at hire with annual refreshers, plus targeted updates after incidents, audits, or major technology changes. Always document attendance and comprehension.
What steps should be taken after a PHI breach?
Act immediately: contain the incident, preserve evidence, and perform a documented risk assessment. Notify the covered entity without unreasonable delay within the BAA’s timeline, provide required breach details, coordinate on individual and regulatory notifications, mitigate harm, and complete corrective actions with leadership review.
How long must HIPAA compliance documentation be retained?
Maintain required HIPAA documentation for at least six years from creation or last effective date, whichever is later. Keep BAAs, policies, training records, risk analyses, incident files, and contingency test results. If state law, payer contracts, or your BAA set longer timelines, follow the longer requirement.