Introduction:

A Business Associate Agreement (BAA) is a written arrangement that specifies each party's responsibilities when it comes to protected health information (PHI).

The HIPAA Privacy Rule requires all covered entities (CEs) to have a signed BAA with any Business Associate (BA) they hire that may come in contact with PHI.

According to HHS, a BAA must include the following information:

  • A description of the permitted and required uses of PHI by the BA.
  • Specific requirements regarding how and when the BA will not use or further disclose PHI.
  • Requirements for the BA to use appropriate safeguards to prevent inappropriate PHI use or disclosure.

This checklist will guide you through the process of creating and implementing a BAA.

As a covered entity, you will need to work in tandem with the BA to complete the agreement. This need for collaboration has been taken into account: the approval tasks require sign-off from both the CE and the BA.

This means that both parties confirm each section as you move through the process, so there should not be any disagreements or disruptions when it comes time to confirm and implement the agreement.

Let's get started!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Enter basic details

First, enter some basic details regarding the covered entity and the Business Associate (BA) with which the agreement is being made, including contact details for a main contact from each of the two parties.


Covered entity

Business Associate (BA)

Use and disclosure of PHI:

Describe the permitted use and disclosure of PHI

In the form field below, detail the permitted use and disclosure of PHI. 

The U.S. Department of Health and Human Services (HHS) only allows health care providers to share PHI if it is used to carry out health care functions. HIPAA doesn't allow PHI to be shared or sold for any independent uses or marketing purposes. For example, a business associate can't use PHI in their email campaigns.

Define under what circumstances the BA must disclose PHI

Detail under what circumstances the Business Associate (BA) must disclose PHI.

Approval: Use and disclosure of PHI

Tasks submitted for approval:
  • Describe the permitted use and disclosure of PHI
  • Define under what circumstances the BA must disclose PHI

Breach reporting and PHI destruction:

Specify how and when the BA must report any accidental disclosures of PHI

If a security breach were to occur, the BA you are working with needs specific rules to follow regarding when and how the breach is reported to the covered entity.

In the form field below, state what these rules are, i.e. when and how a breach must be reported.

Specify how and when the BA is to return or effectively destroy all patient PHI

There will be circumstances in which the BA will need to either return or destroy all patient PHI (e.g. at the patient's request).

These circumstances need to be clarified and formally documented so that the BA can carry out the procedure and avoid unnecessary and costly delays.

Approval: PHI breach reporting and destruction procedures

Tasks submitted for approval:
  • Specify how and when the BA is to return or effectively destroy all patient PHI
  • Specify how and when the BA must report any accidental disclosures of PHI

Security rule risk analysis:

Conduct a risk analysis of IT systems

Under the HIPAA Security Rule, both health care organizations and the BAs they partner with must perform and document a risk analysis of their network and IT systems to identify risks to PHI.

In the form field below, note down the risks that were identified during the analysis so that they can be evaluated and have appropriate safeguards put in place for risk mitigation.

You can also attach and/or link to risk analysis documentation below.

Describe the safeguards that have been implemented

Below are the risks that you identified during the IT systems risk analysis.

Identified risks

{{form.IT_systems_risk_analysis_-_Identified_risks}}


Now, describe the safeguards that have been put in place to mitigate these risks.

You can also attach and/or link to relevant documentation below.

Approval: Security rule risk analysis

Tasks submitted for approval:
  • Describe the safeguards that have been implemented
  • Conduct a risk analysis of IT systems

Cyber security training:

Conduct user training

Employees at the BA need to go through security awareness training so they know how to securely manage PHI and can carry out the relevant procedures depending on the circumstances.

Document training records

Training records need to be documented for legal compliance and so that they are accessible in case prior training needs to be reviewed.

It's also vital that you document training records because it provides an opportunity for continuous improvement and optimization of user onboarding and training.

You can attach and/or link to training records below.

Approval: Training completed & documented

Tasks submitted for approval:
  • Document training records
  • Conduct user training

Terminating the agreement:

Specify your rights to terminate the BAA

As the covered entity, you must specify your rights to terminate the agreement.

Also, be sure to indicate the BA’s obligations upon termination.

Approval: Termination rights & obligations

Tasks submitted for approval:
  • Specify your rights to terminate the BAA

Final steps:

Copy and file the BAA

Copy and file the BAA.

You can attach and/or link to the agreement below.

Set date to review the BAA

Set a date to review the BAA.

Ideally, this would be once a month, or at least once a quarter.

Approval: BAA finalized & implemented

Tasks submitted for approval:
  • Set date to review the BAA
  • Copy and file the BAA
