Back to Blog
Healthcare & HIPAA

"Business Associate Agreements: Tracking and Compliance"

"What triggers BAA requirements, required provisions, tracking your BAA inventory, renewal management, breach notification obligations, and vendor due diligence."

Protekon Compliance Team

April 13, 2026

"Business Associate Agreements: Tracking and Compliance"

Let me ask you a question that will determine whether your HIPAA compliance program is real or imaginary.

How many business associates does your organization have?

If you can't answer that question within thirty seconds — with a specific number — you have a problem. A serious, OCR-investigation-grade problem.

Because here's the truth about Business Associate Agreements: most healthcare organizations treat them as a paperwork exercise. Get the signature, file it in a drawer, forget about it. And then one day, a vendor gets breached, patient records are exposed, and OCR comes knocking. And the first thing they ask for is your BAA inventory.

Not just the agreements. The inventory. The tracking system. The evidence that you know who has access to your patients' data and what they're doing with it.

If you don't have that, you're not compliant. You're just lucky. And luck, in my experience, is a terrible compliance strategy.

What Makes Someone a Business Associate

This is where most organizations go wrong. They think narrowly. They think "business associate" means the big obvious vendors — the EHR company, the billing service, the IT support firm. And yes, those are business associates.

But the definition is much broader than that.

Under HIPAA, a business associate is any person or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity — or that provides services to a covered entity involving the use or disclosure of PHI.

Read that definition carefully, because it captures a staggering number of relationships:

  • Your cloud storage provider (if ePHI is stored there)
  • Your email service (if patients' health information passes through it)
  • Your shredding company (they handle paper PHI)
  • Your accounting firm (if they access billing records with patient identifiers)
  • Your law firm (if they receive PHI during legal matters)
  • Your telehealth platform vendor
  • Your appointment reminder service
  • Your medical transcription service
  • Your data analytics vendor
  • Your collection agency
  • Your answering service (if they take messages with patient information)
  • Your consultants (if they access patient data during their work)

And here's the one that catches everyone by surprise: subcontractors. If your IT company uses a subcontractor to manage your servers, and those servers contain ePHI, that subcontractor is a business associate of your business associate. The chain doesn't stop at the first link.

If someone touches PHI on your behalf, they need a BAA. No exceptions. No informal arrangements. No handshake deals.

Required BAA Provisions

A BAA isn't a template you download from the internet and slap a signature on. It's a legally binding contract that must contain specific provisions. Miss any of these, and your BAA is deficient — which, in OCR's eyes, is nearly as bad as not having one at all.

Here's what must be in every BAA:

**Permitted uses and disclosures.** The agreement must specify exactly what the business associate is allowed to do with PHI. Not a vague "whatever is necessary." Specific, limited, defined uses tied to the services they're providing. If they're doing billing, they can use PHI for billing. Not for marketing. Not for analytics. Not for anything beyond the defined scope.

**Safeguard requirements.** The business associate must agree to implement appropriate safeguards to protect PHI. This includes administrative, technical, and physical safeguards consistent with the Security Rule. They're not just promising to "keep it safe." They're agreeing to a specific standard of protection.

**Breach notification obligations.** The BA must report any breach of unsecured PHI to the covered entity without unreasonable delay, and no later than 60 days after discovery. This is not negotiable. Your BAA must specify the notification timeline, the required content of the notification, and the cooperation expected during the investigation.

**Subcontractor requirements.** If the business associate uses subcontractors who will access PHI, the BA must ensure those subcontractors agree to the same restrictions and conditions. This means downstream BAAs. The chain of protection must be unbroken.

**Access and amendment.** The BA must make PHI available to the covered entity (and to individuals, when required) for access and amendment. If a patient requests their records, and those records are held by your BA, the BA must be able to produce them.

**Accounting of disclosures.** The BA must make information available for an accounting of disclosures, as required by 45 CFR 164.528.

**HHS access.** The BA must make its internal practices, books, and records available to HHS for determining compliance. This is a requirement, not a courtesy.

**Termination and return of PHI.** Upon termination of the agreement, the BA must return or destroy all PHI. If that's not feasible, the protections of the BAA extend for as long as the BA retains the information. This is the provision that most people forget, and it matters enormously when you switch vendors.

BAA Inventory Management: The System You Need

Here's where I shift from what the law requires to what smart operators actually do.

You need a BAA inventory. Not a folder of PDFs. Not a list on someone's desktop. A structured, maintained, reviewed inventory that tells you:

  1. **Who** — Every vendor, contractor, and service provider with PHI access
  2. **What** — What type of PHI they access and why
  3. **When** — Effective date and expiration/renewal date of the BAA
  4. **Where** — Where the signed agreement is stored
  5. **Status** — Current, expired, pending renewal, pending execution
  6. **Contact** — Privacy/security contact at the BA's organization
  7. **Last review** — When you last verified the BA's compliance

This inventory should be reviewed quarterly at minimum. Not because HIPAA says quarterly — but because vendors change, relationships evolve, and gaps appear faster than you'd expect.

New vendor onboarded last month? Is the BAA signed? New cloud service for patient communications? BAA in place? IT company brought in a new subcontractor? Downstream BAA executed?

If your inventory isn't catching these changes in real time, you're accumulating exposure with every new relationship.

Renewal Tracking: The Silent Killer

BAAs expire. Sometimes on a set date. Sometimes when the underlying service contract ends. Sometimes they auto-renew, sometimes they don't.

And here's the problem: an expired BAA means you have a vendor with access to your patients' PHI and no legal agreement governing that access. That's a HIPAA violation. Full stop.

Your renewal tracking system should alert you at least 90 days before any BAA expires. That gives you time to review the agreement, negotiate any updates, incorporate changes to the HIPAA regulations (which do get updated), and get signatures before the deadline.

Don't treat renewals as a formality. Every renewal is an opportunity to:
- Update the scope of permitted uses
- Strengthen breach notification requirements
- Add subcontractor provisions if they weren't there before
- Incorporate new security requirements
- Verify the BA's current compliance posture

A renewed BAA should always be better than the one it replaces.

Vendor Due Diligence: Trust But Verify

A signed BAA is not a guarantee of security. It's a legal obligation. Whether the vendor actually meets that obligation is a different question entirely.

Smart covered entities conduct due diligence on their business associates. Before signing the BAA and periodically thereafter.

What does due diligence look like?

**Before engagement:**
- Request their most recent Security Risk Assessment summary
- Ask about their security certifications (SOC 2, HITRUST, ISO 27001)
- Review their breach history (public breach reports are available on HHS's Wall of Shame)
- Ask about their incident response plan
- Understand their data handling practices — where is your data stored, who has access, how is it encrypted?

**Ongoing:**
- Request annual security attestations or certifications
- Review any breach notifications they send you
- Monitor their compliance posture (are they maintaining certifications?)
- Include audit rights in your BAA and exercise them

You cannot outsource compliance. You can outsource functions, but the compliance obligation stays with you. If your BA gets breached because of their negligent security practices, you're still on the hook for notification, investigation, and regulatory scrutiny.

Breach Notification: The Chain Reaction

When a business associate experiences a breach of unsecured PHI, the notification chain works like this:

  1. The BA discovers the breach
  2. The BA notifies the covered entity within the timeframe specified in the BAA (maximum 60 days under federal rules, shorter under some state laws)
  3. The covered entity evaluates the breach using the four-factor risk assessment
  4. If it's a reportable breach, the covered entity notifies affected individuals, HHS, and (if over 500 records) the media
  5. The covered entity and BA cooperate on the investigation and remediation

Notice who bears the notification burden to individuals and HHS: the covered entity. Not the business associate. Your vendor's breach becomes your notification responsibility.

This is why your BAA must have teeth. Notification timelines must be short — 30 days or less if you can negotiate it. Cooperation requirements must be specific. Indemnification provisions should address the costs you'll incur because of their breach.

And your breach response plan must account for BA breaches. You should know exactly who to call at each BA organization, what information you need from them, and what your internal response process looks like when the breach originates outside your four walls.

Common OCR Findings on BAA Deficiencies

When OCR audits or investigates, BAA problems show up with depressing regularity:

  • **No BAA in place** with vendors clearly meeting the BA definition
  • **Incomplete BAAs** missing required provisions (especially subcontractor and termination clauses)
  • **No inventory** of business associate relationships
  • **Expired BAAs** with active vendor relationships
  • **No due diligence** on BA security practices
  • **BAAs that don't address breach notification** adequately
  • **No evidence of BAA review or updates** after regulatory changes

Each of these is a finding. Each of these can escalate a routine inquiry into a corrective action plan or a monetary settlement.

The Action Plan

Stop reading and start doing.

  1. Build your inventory. List every vendor, contractor, and service provider. For each one, ask: do they create, receive, maintain, or transmit PHI on our behalf?
  2. For every "yes," verify that a current, compliant BAA is in place.
  3. For every missing BAA, execute one immediately.
  4. For every existing BAA, review it against the required provisions list above.
  5. Implement a renewal tracking system with 90-day advance alerts.
  6. Establish a due diligence process for new and existing BAs.
  7. Document everything.

This isn't glamorous work. It's not exciting. It's not the kind of thing that makes the highlight reel at industry conferences.

But it's the work that keeps you out of OCR's crosshairs. And that should be exciting enough.

Stay ahead of Cal/OSHA

Get the weekly compliance brief.

One email a week: new regulations, enforcement trends, and the templates we publish. No spam, unsubscribe any time.

See where you stand

What would Cal/OSHA cite you for today?

Run the compliance score. You'll see the gaps, the fine exposure, and the remediation path.

Get your score

Related Articles

"HIPAA Security Risk Assessment: Step by Step"

"HIPAA Security Risk Assessment: Step by Step"

"HIPAA Security Rule SRA requirements: scope, threat identification, vulnerability assessment, risk determination, risk management plan, and OCR audit expectations."

"HIPAA Compliance for California Healthcare Practices"

"HIPAA Compliance for California Healthcare Practices"

"HIPAA Privacy Rule, Security Rule, Breach Notification, Security Risk Assessments, BAA management, and California's CMIA additions — what healthcare practices must do."