BAA Review Checklist
Systematic workflow for reviewing Business Associate Agreements. Covers vendor identification, required provisions, prohibited terms, and gap remediation. Based on 45 C.F.R. § 164.502(e) and § 164.504(e).
Why BAAs Matter
Under 45 C.F.R. § 164.502(e), a covered entity may not disclose PHI to a business associate or allow a business associate to create or receive PHI unless there is a written agreement that meets the requirements of § 164.504(e). Missing or non-compliant BAAs are among the most common findings in OCR audits and enforcement actions. In 2024, OCR settled multiple cases specifically for BAA failures, with penalties ranging from $100,000 to over $1 million.
Step 1: Identify All Business Associates
Inventory every vendor, contractor, and third party that creates, receives, maintains, or transmits PHI on your behalf
Include IT service providers, cloud hosting, EHR vendors, billing companies, shredding services, and consultants
Do not overlook attorneys, accountants, and accreditation organizations that access PHI
Map subcontractor relationships: your business associates may have their own business associates
Review accounts payable records for vendors you may have missed
Document the nature and scope of PHI each business associate handles
Compliance tip: A common audit finding is organizations that fail to identify all business associates. If a vendor touches PHI in any form, they are likely a business associate. When in doubt, treat them as one.
Step 2: Verify a BAA Exists for Each Business Associate
Cross-reference your business associate inventory against executed BAAs on file
Confirm each BAA is signed by authorized representatives of both parties
Verify the BAA was executed before PHI was first shared (not retroactively)
Check that no BAA has expired or been superseded without a replacement
Flag any business associate operating without a current BAA as a critical gap
Maintain a centralized BAA tracking register with execution dates and renewal dates
Compliance tip: Sharing PHI with a vendor that does not have a signed BAA is itself a HIPAA violation, regardless of whether a breach occurs. OCR has imposed penalties specifically for missing BAAs.
Step 3: Review Required BAA Provisions
Permitted uses and disclosures: BAA must specify what the business associate is allowed to do with PHI and prohibit all other uses
Safeguards: BAA must require the business associate to implement appropriate administrative, physical, and technical safeguards
Reporting: BAA must require reporting of any use or disclosure not permitted, including security incidents and breaches
Subcontractor requirements: BAA must require the business associate to impose the same restrictions on any subcontractors
Individual rights: BAA must require cooperation with individual access requests and amendment requests
Availability of records: BAA must make internal practices, books, and records available to HHS for compliance determination
Return or destruction: BAA must require return or destruction of all PHI at termination, or extend protections if return is infeasible
Termination: BAA must authorize the covered entity to terminate the contract if the business associate violates a material term
Compliance tip: Every one of these provisions is required by regulation. A BAA that omits any of them does not satisfy HIPAA, even if both parties signed it. Template BAAs from vendors frequently omit subcontractor and termination provisions.
Step 4: Check for Prohibited or Problematic Terms
Reject terms that allow the business associate to use PHI for its own marketing or sales purposes
Reject terms that limit the business associate's breach notification obligations beyond what HIPAA requires
Flag terms that cap the business associate's liability for breaches at unreasonably low amounts
Flag indemnification clauses that shift all breach costs to the covered entity regardless of fault
Reject terms that allow the business associate to de-identify PHI and retain it for its own use without explicit authorization
Flag terms that give the business associate broad discretion to determine what constitutes a 'security incident' for reporting purposes
Reject any term that attempts to waive the covered entity's right to terminate for material breach
Compliance tip: Vendor-drafted BAAs are written to protect the vendor, not your organization. Every BAA should be reviewed by counsel who understands HIPAA. Pay particular attention to liability caps, indemnification, and breach notification timelines.
Step 5: Assess BAA Compliance Gaps
Compare each BAA against current regulatory requirements (HITECH amendments may not be reflected in older BAAs)
Verify the BAA addresses the Omnibus Rule requirements (effective 2013): breach notification, subcontractor obligations, direct liability
Confirm the BAA reflects the actual scope of PHI the business associate now handles (scope may have expanded since execution)
Review whether the business associate has provided any required compliance certifications or audit reports
Check whether any breach or security incident reports from the business associate triggered remediation obligations
Document all identified gaps with severity ratings and remediation timelines
Compliance tip: BAAs executed before the 2013 Omnibus Rule may be missing critical provisions. If you have BAAs older than 2013 that have not been updated, they almost certainly have compliance gaps.
Step 6: Remediate and Re-Execute
Prioritize gaps: missing BAAs first, then BAAs with missing required provisions, then problematic terms
Draft BAA amendments or replacement agreements for each identified gap
Negotiate with business associates: if a vendor refuses to sign a compliant BAA, you cannot share PHI with them
Obtain signatures from authorized representatives on both sides
Update your BAA tracking register with new execution dates and next review dates
Establish a recurring review cycle (at least annually or upon contract renewal)
If a business associate refuses to cure a material breach: terminate the arrangement and stop sharing PHI
Compliance tip: If you discover a business associate has materially violated the BAA, you are required to take reasonable steps to cure the breach. If the breach cannot be cured, you must terminate the arrangement. Continuing to share PHI with a non-compliant business associate creates liability for your organization.
Is This Vendor a Business Associate?
Question 1: Does the vendor create, receive, maintain, or transmit PHI on behalf of your organization?
If yes: Continue to the next question.
If no: Likely not a business associate. But verify: does the vendor provide any service described in 45 C.F.R. § 160.103?
Question 2: Does the vendor perform a function or activity regulated by HIPAA on your behalf? (Claims processing, billing, data analysis, utilization review, quality assurance, benefit management, practice management, repricing)
If yes: The vendor IS a business associate. A BAA is required before sharing PHI.
If no: Continue to the next question.
Question 3: Does the vendor provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services where the vendor requires access to PHI?
If yes: The vendor IS a business associate. A BAA is required.
If no: Continue to the next question.
Question 4: Is the vendor a conduit (like the postal service or an internet service provider) that merely transports PHI but does not access it in any meaningful way?
If yes: Not a business associate. The 'conduit exception' applies. No BAA required.
If no: If none of the above apply but the vendor still accesses PHI, consult counsel. The definition is broad and OCR interprets it expansively.
Question 5: Is the vendor a member of your workforce (employee, volunteer, trainee under your direct control)?
If yes: Not a business associate. Workforce members are covered under your own HIPAA policies. No BAA needed.
If no: If the vendor accesses PHI and is not workforce, they are almost certainly a business associate. Execute a BAA.