Business associate agreements required
Plain English Translation
Before permitting a business associate to create, receive, maintain, or transmit ePHI, covered entities must obtain a written contract — a Business Associate Agreement — providing satisfactory assurances that the associate will appropriately safeguard the data. No ePHI may be shared with a vendor before a compliant BAA is in place.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Implement a standardized BAA template to use with all new vendors that require access to ePHI.
Required Actions (scaleup)
- Maintain a centralized vendor inventory and actively track the execution status of all business associate agreements.
Required Actions (enterprise)
- Automate third-party risk management with integrated contract compliance tracking, continuous monitoring, and annual vendor audits.
Evidence Required
A HIPAA business associate agreement is a legally binding contract between an organization and a third-party vendor that dictates how electronic protected health information (ePHI) must be safeguarded.
It is required before any third-party vendor or contractor is granted access to create, receive, maintain, or transmit ePHI on behalf of the organization.
The agreement must detail the permitted uses of ePHI, require appropriate security safeguards, outline breach notification duties, and stipulate data return or destruction upon termination.
Any external entity or person (outside the organization's workforce) who performs functions involving the use or disclosure of ePHI on behalf of the covered entity.
Yes, business associates must obtain similar, legally binding agreements from their own subcontractors if those subcontractors will access the organization's ePHI.
Business associates must implement administrative, physical, and technical safeguards, comply with the Security Rule, and report any security incidents to the covered entity.
No, sharing ePHI with a third party without an executed business associate agreement is a serious regulatory violation that can result in significant financial penalties.
A covered entity is typically a healthcare provider or health plan, while a business associate is an external vendor providing services to the covered entity involving ePHI.
They should be reviewed annually or whenever there are significant changes to the vendor's services, the regulatory landscape, or the organization's security policies.
The organization faces severe financial penalties, failed regulatory audits, and significant reputational damage if ePHI is exposed to an uncontracted third party.
BAA compliance becomes difficult when vendor ownership, ePHI exposure, contract status, and review dates are tracked across disconnected spreadsheets. WatchDog Security's Vendor Risk Management can help maintain a centralized vendor catalog, risk-tier vendors that handle ePHI, track assessment status, and keep BAA follow-up tied to the vendor lifecycle.
Auditors often need proof that agreements were signed before a vendor was granted access to systems or data containing ePHI. WatchDog Security's Compliance Center can help connect vendor records, signed agreement evidence, control status, and review activity so teams can demonstrate implementation of the HIPAA BAA requirement during audits.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | WatchDog GRC Team | Initial publication |

