Managing Business Associate Agreements (BAAs)

SunHawk Consulting performed an analysis of all Department of Health and Human Services, Office for Civil Rights (“OCR”) settlement agreements and determined that 1/5 of the settlements involving Covered Entities cited either the failure to have a Business Associate Agreement (“BAA”) in place or other mismanagement of the entity’s BAA compliance program.[1] A common theme is the organization failing to execute a BAA at all, which is indicative of poor contract management of its BAAs.

While there are a number of reasons Providers continue to struggle with the management of BAAs, Covered Entities (and their Business Associates) would be wise to take a focused look at how these agreements are being managed internally. Below are some tips to aid in your organization’s compliance.

Tips for BAA Compliance:

  • Ensure your organization has a policy in place addressing BAAs.

  • Validate that your organization’s template BAA is up-to-date with the current regulations.

  • Audit your BAAs to identify any gaps in compliance.

  • Make sure you understand the process for executing these contracts.

  • Make sure you understand the process for managing contracts in your organization, including communication with internal and external parties.

  • Ensure that a copy of all your BAAs, and a log of those BAAs, can be readily produced upon request.

  • Educate leaders on the importance of BAAs and on engaging compliance to identify when one is needed.

If a complaint is made to the OCR involving a potential breach, their investigation will almost certainly include asking about your organization’s BAAs.

Call to Action:

SunHawk Consulting offers an easy-to-use HIPAA Check™ tool that guides you through the risk assessment process. HIPAA Check™ is a subscription-based HIPAA audit and risk assessment program that uses an algorithm to measure OCR settlement agreements and guidance to assess regulatory risk for each Security Rule requirement including criteria for Business Associate Agreements. The tool helps you prioritize items with higher regulatory risk, which will have a significant impact on the risk to your ePHI.

If your organization is in need of assistance in auditing or advising on your BAAs, please contact Jim Rough at

Key SunHawk Privacy and Security Experts:

[1] See the following OCR Settlements: Advanced Care Hospitalists, Pagosa Springs Medical Center (PSMC), and Cottage Health.