HIPAA Business Associate Agreement Checklist

A Business Associate Agreement (BAA), is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

The HIPAA Privacy Rule requires all covered entities (CEs) to have a signed BAA with any Business Associate (BA) they hire that may come in contact with PHI.

According to HHS, a BAA must include the following information:

• Description of the permitted and required use of PHI by the BA.
• Provide specific requirements regarding how and when the BA will not use or further disclose PHI.
• Outline requirements for the BA to use appropriate safeguards to prevent inappropriate PHI use or disclosure.

This checklist will guide you through the process of creating and implementing a BAA.

As a covered entity, you will need to work in tandem with the BA to complete the agreement. This need for collaboration has been taken into account as the approval tasks require approval from both the CE and BA.

This means that you can efficiently move through the process knowing that there will not be any disagreements or disruptions when it comes time to confirm and implement the agreement.

Let's get started!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

First, enter some basic details regarding the covered entity and the Business Associate (BA) with which the agreement is being made, including contact details for a main contact from each of the two parties. 

Covered entity

Business Associate (BA)

In the form field below, detail the permitted use and disclosure of PHI. 

The U.S Department of Health and Human Services (HHS) only allows health care providers to share PHI if it is used to carry out health care functions. HIPAA doesn’t allow PHI to be shared or sold for any independent uses or marketing purposes. For example, a business associate can’t use PHI in their email campaigns.

Detail under what circumstances the Business Associate (BA) must disclose PHI.

If a security breach were to occur, the BA you are working with needs to have specific rules to follow regarding when and how the breach is reported to the covered entity.

In the form field below, state what these rules are, i.e. when and how the breach must be reported.

There will be circumstances in which the BA will need to either return or destroy all patient PHI (e.g. at the patient's request). 

These circumstances need to be clarified and formally documented so that the BA can carry out the procedure and avoid unnecessary and costly delays. 

Under the HIPAA Security Rule, both health care organizations and the BA's they partner with must perform and document a risk analysis of their network and IT systems to identify risks.

In the form field below, note down the risks that were identified during the analysis so that they can be evaluated and have appropriate safeguards put in place for risk mitigation.

You can also attach and/or link to risk analysis documentation below. 

Below are the risks that you identified during the IT systems risk analysis

Identified risks

{{form.IT_systems_risk_analysis_-_Identified_risks}}

Now, describe the safeguards that have been put in place to mitigate these risks. 

You can also attach and/or link to relevant documentation below. 

Employees at the BA need to be taken through security awareness training so they know how to securely manage PHI and can carry out the relevant procedures depending on what the circumstances are. 

Training records need to be documented for legal compliance and so that they are accessible in the case that prior training needs to be reviewed. 

Its also vital that you document training records because it provides an opportunity for continuous improvement and optimization of user onboarding and training. 

You can attach and/or link to training records below. 

As the covered entity, you must specify your rights to terminate the agreement. 

Also, be sure to indicate the BA’s obligations upon termination.

Copy and file the BAA.

You can attach and/or link to the agreement below. 

Set a date to review the BAA. 

Ideally, this would be once a month, or at least once a quarter.

• aNetworks - HIPAA BAA Checklist
• HIPAA Guard -  The HIPAA Business Associate Agreement Checklist
• Kim Stanger - Checklist for HIPAA Business Associate Agreements
• Hernan Serrano - 7 Quick Facts About HIPAA Business Associate Agreements
• Total HIPAA - Business Associate Agreement: Everything Explained
• HHS - Business Associates
• Accountable - What is a Business Associate Agreement? All About BAAs
• ComplyAssistant - HIPAA Business Associate Agreement Template

• HIPAA Compliance Checklist for HR
• HIPAA Privacy Risk Assessment Checklist
• HIPAA Security Breach Reporting Checklist
• HIPAA Data Backup Plan Checklist
• HIPAA Omnibus Rule Checklist
• Patient Intake Checklist for a Medical Clinic
• Patient Intake Checklist for a Dental Clinic
• Patient Satisfaction Survey Checklist
• Hospital Housekeeping Checklist
• Terminal Room Cleaning Checklist
• Hospital Safety Inspection Checklist
• General Infection Control Checklist
• Patient Satisfaction Survey Checklist
• Home Visit Checklist
• Mental Health Risk Assessment Checklist
• WHO Surgical Safety Checklist
• HIPAA Compliance Checklist
• COVID-19 Procedure: Isolation Area Management
• COVID-19 Procedure: Disinfection Procedures for COVID-19 Isolation Ward Area
• COVID-19 Procedure: Lung Transplantation Pre-Transplantation Assessment
• COVID-19 Procedure: Nursing Care During Treatment (ALSS)
• COVID-19 Procedure: Protocol for Donning and Removing PPE
• COVID-19 Procedure: Staff Management (Workflow and Health)
• COVID-19 Procedure: Daily Management and Monitoring of ECMO Audit
• COVID-19 Procedure: Digital Support for Epidemic Prevention and Control
• COVID-19 Procedure: Discharge Standards and Follow-up Plan for COVID-19 Patients
• COVID-19 Procedure: Disinfection of COVID-19 Related Reusable Medical Devices
• COVID-19 Procedure: Disinfection Procedures for Infectious Fabrics of Suspected or Confirmed Patients
• COVID-19 Procedure: Disposal Procedures for COVID-19 Related Medical Waste
• COVID-19 Procedure: Disposal Procedures for Spills of COVID-19 Patient Blood/Fluids
• COVID-19 Procedure: Procedures for Handling Bodies of Deceased Suspected or Confirmed Patients
• COVID-19 Procedure: Procedures for Taking Remedial Actions against Occupational Exposure to COVID-19
• COVID-19 Procedure: Surgical Operations for Suspected or Confirmed Patients