HIPAA Business Associate Compliance

Evaluate compliance with HIPAA Business Associate Agreement requirements for vendors and service providers handling Protected Health Information (PHI)

Biotech, Healthcare | 18 minutes | 20 questions

1. BAA Requirements & Execution

Do you have signed Business Associate Agreements with all covered entities you serve?*

§164.502(e): A BAA is required before PHI can be disclosed to a business associate

Do your BAAs include all required provisions per §164.314(a)?*

Permitted uses, safeguards, subcontractor requirements, reporting, termination

Are BAAs reviewed and updated when regulations or business relationships change?*

BAAs must reflect current HIPAA requirements and services provided

2. Permitted Uses & Disclosures

Do you only use and disclose PHI as permitted by the BAA and as necessary to perform services?*

§164.504(e)(2)(i): Limited to the purposes specified in the BAA

Do you refrain from using or disclosing PHI for your own marketing or commercial purposes?*

§164.504(e)(2)(i): Prohibited uses and disclosures

Do you apply minimum necessary standards when using or disclosing PHI?*

§164.514(d): Only the minimum PHI necessary for the intended purpose

3. Safeguards & Security

Do you implement administrative, physical, and technical safeguards to protect PHI?*

§164.308–164.312: The HIPAA Security Rule applies to business associates

Is PHI encrypted both in transit and at rest using FIPS 140-2 validated encryption?*

Safe harbor: AES 256-bit encryption for data at rest, TLS 1.2+ in transit

Do you conduct annual HIPAA Security risk assessments?*

§164.308(a)(1)(ii)(A): Risk analysis required at least annually

Are workforce members trained on HIPAA requirements and your policies?*

§164.308(a)(5): Training on HIPAA and PHI handling procedures

4. Subcontractor Management

Do you have signed BAAs with all subcontractors that handle PHI?*

§164.504(e)(2)(ii): Subcontractor BAAs required

Do subcontractor BAAs include the same protections as your own BAA?*

Subcontractors must agree to the same restrictions and conditions

Do you maintain an inventory of all subcontractors with access to PHI?*

Document the subcontractor chain and the BAA status of each subcontractor

5. Breach Notification

Do you report breaches to covered entities within 60 days of discovery?*

§164.410: The business associate must notify the covered entity of breaches

Do you have documented breach notification procedures and response plans?*

An incident response plan for detecting, investigating, and reporting breaches

Do you conduct breach risk assessments to determine if notification is required?*

Four-factor risk assessment under the §164.402 breach definition

6. Access & Amendment Rights

Do you provide access to PHI to covered entities or individuals upon request?*

§164.524: Individuals have the right to access their PHI

Do you make amendments to PHI as directed by the covered entity?*

§164.526: Individuals have the right to amend their PHI

Do you maintain an accounting of disclosures as required by the BAA?*

§164.528: An accounting of certain disclosures is required, covering 6 years

Upon termination, do you return or destroy PHI as specified in the BAA?*

§164.504(e)(2)(ii)(I): Return or destruction of PHI at termination
