Business associate contracts with vendors established
Plain English Translation
Before allowing a business associate (vendor) to create, receive, maintain, or transmit ePHI on the organization's behalf, the covered entity must obtain satisfactory assurances — typically through a signed Business Associate Agreement — that the vendor will appropriately safeguard the information. These assurances must be documented.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Maintain a centralized spreadsheet tracking all third-party vendors and ensure a signed BAA is securely stored for any vendor handling ePHI.
Required Actions (scaleup)
- Implement a vendor risk management platform to automate the collection, tracking, and annual review of business associate agreements.
Required Actions (enterprise)
- Integrate BAA tracking directly into automated procurement workflows, ensuring no new vendor can be onboarded or provisioned access to ePHI systems without a verified, executed BAA.
A HIPAA business associate agreement (BAA) is a legally binding contract between a covered entity and a business associate that establishes the permitted uses and disclosures of ePHI by the third party.
A BAA is required before a covered entity or an existing business associate allows a third-party vendor to create, receive, maintain, or transmit ePHI on its behalf.
A BAA must establish the permitted uses of ePHI, stipulate that the vendor will use appropriate safeguards to prevent unauthorized use, and require the vendor to report any security incidents or breaches.
A business associate is any person or entity (other than a member of the covered entity's workforce) that performs certain functions or activities that involve the use or disclosure of ePHI on behalf of a covered entity.
No, covered entities only need BAAs with vendors that create, receive, maintain, or transmit ePHI on their behalf. Vendors with absolutely no access to ePHI do not require a BAA.
Satisfactory assurances are the written guarantees, typically formalized within a BAA, that a business associate will appropriately safeguard the ePHI they handle for the covered entity.
No, sharing ePHI with a business associate without a signed BAA in place is a direct violation of both the HIPAA Security and Privacy Rules.
Yes, if a business associate delegates a function involving ePHI to a subcontractor, they must execute a BAA with that subcontractor holding them to the same restrictions and conditions.
While HIPAA does not mandate a specific review frequency, organizations should review their BAAs annually or whenever there is a significant change in the vendor's services or regulatory requirements.
Failing to execute a BAA before sharing ePHI can result in severe financial penalties from regulatory agencies, failed compliance audits, and significant legal liability in the event of a data breach.
BAA compliance is difficult when vendor records, risk reviews, and signed agreements are spread across spreadsheets, email, and shared drives. Tools like WatchDog Security's Vendor Risk Management can maintain a centralized vendor catalog, track which vendors handle ePHI, record BAA status, and support periodic reassessments before access is granted or renewed.
Signed BAAs and vendor security evidence often contain sensitive contractual and compliance information, so they should be shared with access controls and auditability. Tools like WatchDog Security's Secure File Sharing can help teams exchange agreements and supporting documents using encrypted sharing, TOTP verification, and audit logs for review activity.
"The company, as a covered entity, permits a business associate to create, receive, maintain, or transmit electronic Protected Health Information (ePHI) on the company's behalf only if it can obtain satisfactory assurances, in accordance with company policies, that the business associate will appropriately safeguard the information."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-05 | WatchDog GRC Team | Initial publication |

