HIPA-04

Have you entered into Business Associate Agreements with all subcontractors who may have access to protected health information (PHI)?

Explanation

This question is asking whether your organization has formal Business Associate Agreements (BAAs) in place with all subcontractors who might handle Protected Health Information (PHI). Under HIPAA (Health Insurance Portability and Accountability Act), a Business Associate is any entity that performs functions or activities on behalf of a Covered Entity (such as a healthcare provider, health plan, or healthcare clearinghouse) that involve the use or disclosure of PHI. A subcontractor is any entity to which a Business Associate delegates work.

The question is asked because HIPAA requires Business Associates to have written agreements with their subcontractors that establish specifically what the subcontractor can and cannot do with PHI. These agreements must include provisions that the subcontractor will implement appropriate safeguards to protect the PHI, report any security incidents, and comply with the same restrictions and conditions that apply to the Business Associate. This matters for security assessments because it ensures the chain of responsibility and accountability for PHI protection extends to every party who might access this sensitive data. Without BAAs, subcontractors would have no legal obligation to protect PHI according to HIPAA standards.

To best answer this question:

1. Inventory all your subcontractors who might access PHI
2. Verify you have current, signed BAAs with each one
3. Ensure the BAAs include all required HIPAA provisions
4. Be prepared to provide evidence of these agreements
5. If you don't have BAAs with all relevant subcontractors, explain your remediation plan

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our organization has executed Business Associate Agreements (BAAs) with all subcontractors who may have access to PHI. We maintain a comprehensive inventory of all subcontractors, which is reviewed quarterly to ensure completeness. Our legal team has developed a standardized BAA template that includes all provisions required by HIPAA, including obligations to implement appropriate safeguards, report security incidents, and comply with the HIPAA Privacy and Security Rules. Each BAA is reviewed annually to ensure it remains current with regulatory requirements. We can provide redacted copies of these agreements upon request, as well as our subcontractor management process documentation.

Example Response 2

Yes, we have executed Business Associate Agreements with 100% of our subcontractors who may access PHI. Our vendor management system automatically flags any vendor who might process PHI during the onboarding process, triggering our BAA workflow. Our compliance team then works with the vendor to execute our standard BAA before any PHI access is permitted. We conduct annual audits of our subcontractor relationships to verify BAA coverage and compliance. Our most recent audit was completed in March 2023, confirming all 17 of our subcontractors with potential PHI access have current BAAs in place. These agreements explicitly prohibit the use or disclosure of PHI beyond what is permitted or required by the BAA and require the implementation of appropriate safeguards.

Example Response 3

No, we have not yet executed Business Associate Agreements with all of our subcontractors who may have access to PHI. We recently discovered through an internal audit that two of our twelve subcontractors lack proper BAAs. These subcontractors provide technical support services and may occasionally have incidental access to systems containing PHI. We have initiated our remediation process, which includes immediately restricting their access to PHI until proper agreements are in place. Our legal team has already contacted both vendors, and we expect to have compliant BAAs executed within the next 14 days. To prevent recurrence, we've implemented a new vendor onboarding checklist that explicitly requires BAA verification before system access is granted to any vendor who may encounter PHI.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub