HIPAA BAA Checklist: HIPAA Compliance 2020


By Bill Minahan   |   December 22, 2020   |   12 Comments

Everything you need to know about the HIPAA Omnibus rule, BAAs, and remaining compliant.

The fines and consequences of HIPAA violations can cost you your practice.

A lack of education about HIPAA BAA requirements may lead to unintentional violations.

The following HIPAA BAA checklist will provide you with everything you need to know about BAA compliance.

HIPAA BAA Checklist:

  • Understand what a Business Associate Agreement (BAA) is:

Today, health care organizations commonly partner with and rely on outside business associates to perform tasks. This often means granting third-party companies access to protected health information (PHI), which increases the chance of exposure and breaches.

A business associate is an organization that creates, receives, maintains, or transmits PHI on behalf of a healthcare organization.

As a result of the HIPAA Omnibus rule, healthcare organizations that require their business associates to access PHI must have a BAA to ensure HIPAA Privacy and Security Rules are met. Read more about HIPAA Privacy and Security Rules here.

A BAA is a written arrangement between a healthcare organization and its business associates. It highlights their commitment to security and lays the groundwork for protecting patient data.

A BAA contract is not a suggestion for health care providers and their business associates; it’s the law.

If you would like us to write and manage your BAAs with your third-party business partners, then please contact us today.

Once you know what a BAA is, you can determine which businesses require one.

  • Identify Business Associates

A business associate is any organization or individual that accesses PHI on behalf of a healthcare provider. Specifically, the following are services that health care providers commonly engage other businesses or individuals to perform.

– Consultants: management, billing, coding, transcription, or marketing companies.
– IT contractors: data storage or document destruction companies.
– Lawyers, accountants, or malpractice insurers.

The list above is brief; in reality, there are many more. Accurately identifying business associates is an essential part of the HIPAA BAA checklist. If health care providers don’t have a BAA in place with their business associates who access PHI, then they’re violating HIPAA. Even business associates who only have access to encrypted PHI are still liable.

Furthermore, if a healthcare organization fails to create a BAA, then the business associate is still responsible if the PHI were to be compromised. Therefore, it is in the best interest of both partnering companies that create, maintain, or transmit PHI, to have a BAA contract.

  • Identify Exceptions

It’s also important for health care organizations to determine who does NOT need a BAA. Business Associates who are exempt from BAA contracts include, but are not limited to:

  • Internet Service Providers.
  • U.S. Postal Service.
  • Other courier services.

  • Establish the permitted and required uses of PHI with business associates and execute the contract.

After you determine who is and isn’t a business associate, you can begin to establish their permitted uses of PHI.

The U.S. Department of Health and Human Services (HHS) only allows healthcare providers to share PHI if it is used to carry out healthcare functions. HIPAA prohibits the sharing or sale of PHI for independent or marketing purposes. For example, a business associate can’t use PHI in their email campaigns.

The Business Associate Agreement must include the following information:

  • Describe the permitted and required uses of PHI by business associates.
  • Provide that business associates will not use PHI other than as the contract allows.
  • Require business associates to use appropriate safeguards to prevent HIPAA breaches or inappropriate uses of PHI.

We can write your BAA for you today.

  • Conduct a Security Rule risk analysis and adopt safeguards

Under the HIPAA Security Rule, both health care organizations and the business associates they partner with must perform and document a risk analysis of their network and IT systems to find risks.

Business associates and health care organizations must identify, document, and respond to risks accordingly. Furthermore, they must implement specific technical, physical, and administrative safeguards under the Security Rule.

The policies put in place should be in writing. If you are interested in a Written Information Security Program (WISP) that covers all aspects of HIPAA Compliance, including implementation and management of BAAs, then please check out our COMPREHENSIVE HIPAA WISP.

A checklist of HIPAA Security Rule requirements is here.

All employees who have access to PHI should receive training on cyber security best practices, HIPAA rules, and internal security policies. Despite human error being the number one cause of HIPAA data breaches, security awareness training is one aspect of the HIPAA BAA checklist that many organizations don’t take seriously.

An educated workforce that is aware of cyber threats and HIPAA regulations is less likely to violate HIPAA rules.

Furthermore, documentation of training should take place. That way if a HIPAA violation were to occur, it would be easier to avoid the accusation of willful neglect. This brings us to our final point of the HIPAA BAA checklist.

  • Keep a record of all required documents

The final, and perhaps most important point on aNetwork’s HIPAA BAA checklist, is maintaining records of your company’s HIPAA BAA compliance. Both health care organizations and business associates must keep a record of the required BAA for up to 6 years after the last effective date.

Even if you’re doing all the right things (BAA contracts, security policies, employee training), there needs to be concrete evidence of it. If a breach happens, then the HHS evaluates how much of it could have been avoided.

If there is no evidence of the steps you’ve taken to protect patient information, your company will almost certainly be accused of willful neglect.

The HHS defines willful neglect as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA rules. The fines can reach up to $1,500,000 per year.

Proper documentation of risk analyses and assessments, security policies, personnel training, and safeguards makes the accusation of willful neglect far less likely. If you are interested in a comprehensive document that covers all of the written and physical HIPAA Compliance requirements, then take a look at our HIPAA Written Information Security Program (WISP).

In conclusion, health care organizations and their business associates that handle PHI share the responsibility of keeping the data they store safe.

A BAA establishes the permitted use of PHI and helps both businesses remain compliant and avoid large fines.

Health care is the single most at-risk industry when it comes to cyber-attacks. If a data breach does occur, you want to be able to prove to your patients, HHS, and the public, that you were doing all the right things.

By following this HIPAA BAA checklist, your company has a better chance of HIPAA compliance. Unfortunately, HIPAA compliance can be challenging and time-consuming.

HIPAA compliance shouldn’t be hard, confusing, or expensive. We offer total HIPAA compliance software and solutions: audits, vulnerability scanning, risk solutions, and more.

That way, you can do your job without living in fear of HIPAA violations and fines.

Let us take the load.

May 20, 2022 | 7:27 pm

Greetings! This is my first visit to your blog! We are a group of volunteers starting a new project in a community in the same niche. Your blog provided us useful information to work on. You have done an extraordinary job! Feel free to visit my blog post :: web site


May 14, 2022 | 4:47 am

Appreciate the recommendation. Let me try it out. My website AA lists


April 25, 2022 | 4:17 am

I am curious to find out what blog platform you are working with? I'm having some minor security problems with my latest site and I would like to find something more secure. Do you have any suggestions? My web site houston junk car buyer


April 13, 2022 | 9:37 am

I like the helpful information you provide in your articles. I will bookmark your weblog and check again right here frequently. I am reasonably certain I'll be told many new stuff right here! Best of luck for the next! Also visit my blog: https://bunn-coffee-maker-review.blogspot.com/2015/03/bunn-coffee-pots.html

zoritoler imol

March 1, 2022 | 9:50 am

Hi, I think that I noticed you visited my website, thus I got here to “return the choose”. I'm trying to find things to improve my web site! I suppose it's good enough to make use of some of your concepts!! https://www.zoritolerimol.com

gralion torile

February 16, 2022 | 11:02 am

I enjoy the efforts you have put in this, thanks for all the great posts. http://www.graliontorile.com/

zoritoler imol

February 15, 2022 | 4:03 am

Have you ever considered publishing an e-book or guest authoring on other websites? I have a blog based upon the same information you discuss and would love to have you share some stories/information. I know my readers would value your work. If you're even remotely interested, feel free to shoot me an email. https://www.zoritolerimol.com

Curt Ebeid

January 23, 2022 | 10:18 am

Having read this I believed it was rather enlightening. I appreciate you taking the time and energy to put this short article together. I once again find myself spending a lot of time both reading and leaving comments. But so what, it was still worthwhile. http://www.X7wFVYZgcs.com/X7wFVYZgcs

zortilo nrel

November 13, 2021 | 10:42 pm

I will immediately take hold of your rss feed as I can't find your email subscription hyperlink or newsletter service. Do you have any? Please permit me know so that I could subscribe. Thanks. http://www.zortilonrel.com/

zortilo nrel

November 2, 2021 | 11:26 am

Thanks for a marvelous posting! I definitely enjoyed reading it; you will be a great author. I will remember to bookmark your blog and will come back from now on. I want to encourage you to definitely continue your great job, have a nice evening! http://www.zortilonrel.com/

buy anabolic online

October 21, 2021 | 10:21 am

Thanks for the good article, I hope you continue to work as well.

Calvin Layem

April 19, 2021 | 5:53 am

Great HIPAA checklist!