HIPAA Security Rule -- Organizational Requirement

HIPAA Business Associate Contracts

Obtain satisfactory assurances, through written contract or other arrangement, that any Business Associate creating, receiving, maintaining, or transmitting ePHI on your behalf will appropriately safeguard it.

45 CFR § 164.308(b)(1) and § 164.314(a)

What the safeguard requires

The Business Associate Contracts and Other Arrangements standard is defined at 45 CFR § 164.308(b)(1) of the HIPAA Security Rule, with the required contract content set out in the organizational requirements at § 164.314(a). It is one of the core standards that every covered entity and business associate must address in a documented, defensible way. Petronella Technology Group interprets the requirement below as written in the rule, without paraphrasing past what the regulation actually says.

Written Contract or Other Arrangement (Required)

A Business Associate Agreement (BAA) must be executed before any ePHI is shared. The contract must contain the Security Rule elements at § 164.314(a)(2) (the BA will comply with the Security Rule, will ensure its subcontractors do the same, and will report security incidents, including breaches of unsecured PHI under § 164.410) together with the Privacy Rule elements at § 164.504(e): permitted uses and disclosures, safeguards, subcontractor flow-down, reporting of impermissible uses and disclosures, and termination rights.

Satisfactory Assurances (Required)

Under the rule, the written contract itself is how "satisfactory assurances" are obtained. The obligation does not end at signature, however: § 164.504(e)(1)(ii) requires a covered entity that knows of a pattern of activity or practice by the BA that materially breaches the contract to take reasonable steps to cure it and, failing that, to terminate the arrangement. In practice that means vendor due diligence before the relationship begins and enough visibility during it to recognise such a pattern.

Why it matters

Breaches at Business Associates account for a large share of the individuals affected in the large-breach reports on the HHS breach portal (the so-called 'wall of shame'). Third-party risk is where most covered entities lose control. Without a valid BAA and ongoing diligence, a vendor breach can become a covered-entity enforcement action.

Enforcement context is important. The Office for Civil Rights (OCR) publishes settlement agreements that cite exactly which Security Rule standards were violated. Repeat findings in recent years include missing or stale risk analyses, insufficient access controls, unencrypted devices, and weak workforce training. Treating each safeguard -- including this one -- as a living program rather than a one-time checkbox is the defensible posture.

How Petronella Technology Group implements it

Petronella Technology Group has supported HIPAA compliance programs since 2002. Our team -- led by Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) and staffed with CMMC-RP certified engineers -- applies the same rigor to HIPAA Security Rule safeguards that we apply to defense-industrial-base compliance. The practical implementation usually looks like this:

BAA inventory and gap audit

We build or rebuild your BA inventory -- billing services, IT providers, cloud storage, email marketing with PHI, transcription, shredding -- and verify every one has a current, compliant BAA.

Template BAA library

We provide reviewed templates aligned to 45 CFR § 164.504(e) and § 164.314(a)(2), incorporating the HITECH and Omnibus updates, breach notification windows, and subcontractor flow-down.

Vendor risk assessments

For high-risk BAs we perform security questionnaires, review SOC 2 / HITRUST reports, and document residual risk.

Ongoing monitoring

Annual re-attestation, breach watch, and a BAA renewal calendar so that nothing lapses.

Common pitfalls

These are the gaps we see most often when taking over a HIPAA environment from another provider or during initial risk-analysis engagements. Several of them appear as findings in public OCR settlement agreements:

  • Assuming a signed BAA means the vendor is compliant -- the paperwork is the floor, not the ceiling.
  • No BAA with the IT vendor that has domain admin rights -- the most common gap we find in audits.
  • BAAs signed in 2011 that have never been updated for HITECH or Omnibus requirements.
  • Missing subcontractor flow-down terms, so your BA's subcontractors are uncovered.
  • Confusing a BAA with a standard MSA or NDA -- they are different documents.
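Taken together, the inventory audit and renewal calendar described above and the pitfalls just listed reduce to a set of mechanical checks that can be run over the BA inventory on a schedule. The following Python script is an added example of such a check; it is not Petronella Technology Group's tooling. The Vendor fields, the severity scale, the 90-day renewal window, the one-year reassessment interval and the sample vendors are all constructed for the illustration. It flags ePHI vendors with no executed BAA (an MSA or NDA does not count, and a vendor with privileged access is rated critical), BAAs last revised before the Omnibus Rule compliance date of 23 September 2013, missing flow-down or incident-reporting clauses, expired or soon-expiring terms and stale risk assessments, and it computes the § 164.316(b)(2) retention deadline for a retired agreement.

```python
"""BAA inventory gap audit (added example; field names and thresholds are this example's own)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# 45 CFR 164.316(b)(2)(i): retain six years from creation or last-effective date, whichever is later
RETENTION_YEARS = 6
# Omnibus Rule compliance date; a BAA last revised before this is presumed stale
OMNIBUS_COMPLIANCE_DATE = date(2013, 9, 23)
# Date used by the sample run below (constructed)
AUDIT_DATE = date(2025, 6, 1)


@dataclass
class Vendor:
    """One row of the BA inventory (field names are assumptions for this example)."""
    name: str
    handles_ephi: bool
    agreement_type: str = "none"          # "BAA", "MSA", "NDA" or "none"
    privileged_access: bool = False       # e.g. domain admin on the practice network
    signed: Optional[date] = None         # execution date of the agreement
    last_amended: Optional[date] = None   # most recent amendment, if any
    term_end: Optional[date] = None       # expiry / renewal date
    subcontractor_flowdown: bool = False  # 164.504(e)(2)(ii)(D) / 164.314(a)(2)(i)(B)
    incident_reporting: bool = False      # 164.314(a)(2)(i)(C)
    last_assessed: Optional[date] = None  # last vendor risk assessment


@dataclass
class Finding:
    vendor: str
    severity: str  # "critical", "high" or "medium"
    issue: str


def audit(vendors: List[Vendor], today: date, renewal_window_days: int = 90) -> List[Finding]:
    """Return findings for every vendor that touches ePHI, most severe first."""
    findings: List[Finding] = []
    for v in vendors:
        if not v.handles_ephi:
            continue  # no ePHI, no BAA required
        if v.agreement_type != "BAA" or v.signed is None:
            sev = "critical" if v.privileged_access else "high"
            findings.append(Finding(v.name, sev,
                            f"no executed BAA; current agreement is {v.agreement_type}"))
            continue  # nothing else is meaningful until a BAA exists
        effective = v.last_amended or v.signed
        if effective < OMNIBUS_COMPLIANCE_DATE:
            findings.append(Finding(v.name, "high",
                            f"BAA last revised {effective}, before the Omnibus compliance date"))
        if not v.subcontractor_flowdown:
            findings.append(Finding(v.name, "high", "missing subcontractor flow-down clause"))
        if not v.incident_reporting:
            findings.append(Finding(v.name, "high", "missing security incident / breach reporting clause"))
        if v.term_end is not None:
            if v.term_end < today:
                findings.append(Finding(v.name, "critical", f"BAA expired {v.term_end}"))
            elif v.term_end - today <= timedelta(days=renewal_window_days):
                findings.append(Finding(v.name, "medium", f"BAA renewal due {v.term_end}"))
        if v.last_assessed is None or (today - v.last_assessed).days > 365:
            findings.append(Finding(v.name, "medium",
                            "vendor risk assessment missing or older than one year"))
    order = ("critical", "high", "medium")
    return sorted(findings, key=lambda f: order.index(f.severity))


def retention_deadline(created: date, last_in_effect: Optional[date]) -> date:
    """Six years from the later of creation or last-effective date (164.316(b)(2)(i))."""
    anchor = max(created, last_in_effect or created)
    try:
        return anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:  # 29 February anchor landing in a non-leap year
        return anchor.replace(year=anchor.year + RETENTION_YEARS, day=28)


def sample_inventory() -> List[Vendor]:
    """Constructed sample data; these are not real vendors."""
    return [
        Vendor("Billing Co", True, "BAA", signed=date(2021, 3, 1), term_end=date(2026, 3, 1),
               subcontractor_flowdown=True, incident_reporting=True, last_assessed=date(2025, 1, 15)),
        Vendor("MSP (domain admin)", True, "MSA", privileged_access=True, signed=date(2020, 6, 1)),
        Vendor("Transcription", True, "BAA", signed=date(2011, 5, 10), term_end=date(2027, 1, 1),
               subcontractor_flowdown=False, incident_reporting=True, last_assessed=date(2024, 2, 1)),
        Vendor("Shredding", True, "BAA", signed=date(2019, 1, 1), term_end=date(2025, 1, 1),
               subcontractor_flowdown=True, incident_reporting=True, last_assessed=date(2025, 1, 1)),
        Vendor("Landscaping", False, "MSA"),
    ]


def run_sample_audit() -> List[Finding]:
    return audit(sample_inventory(), today=AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity:8}] {f.vendor}: {f.issue}")
```

Run as-is, the sample produces two critical findings (the MSP with domain admin rights covered only by an MSA, and the shredding vendor whose BAA expired), two high findings for the transcription vendor's pre-Omnibus BAA and missing flow-down clause, and a medium finding for its year-old risk assessment. Feeding the script a real inventory exported from a contract system gives the renewal calendar and the evidence file the compliance section below asks for.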

Compliance evidence and documentation

HIPAA compliance is ultimately a documentation exercise. OCR investigators ask for evidence, not explanations. For this safeguard, the artifacts auditors typically expect include:

  • Current BA inventory with renewal dates
  • Signed BAAs for every BA
  • Vendor risk assessment files
  • Evidence of annual BA review
  • Breach notification test records where applicable

All documentation must be retained for six years from the date of its creation or the date it was last in effect, whichever is later, under 45 CFR § 164.316(b)(2)(i).

Related HIPAA Security Rule controls

This safeguard works alongside several other standards. In a well-run program they reinforce each other; gaps in one almost always surface as findings in the others.

Frequently asked questions

Who is a Business Associate?
Any person or entity that performs a function or activity on behalf of a covered entity involving the use or disclosure of PHI -- IT service providers, billing companies, cloud storage, shredding companies, consultants, some attorneys, and most health-tech SaaS platforms.
Does a cloud storage provider need a BAA even if data is encrypted?
Yes. HHS's cloud computing guidance is clear: a cloud service provider that stores or transmits ePHI on a covered entity's behalf is a Business Associate and needs a BAA, even for "no-view" services where the data is encrypted and the provider never holds the decryption key. There is no encryption-only exception.
What happens if we share ePHI without a BAA?
It is an impermissible disclosure under the Privacy Rule, potentially a reportable breach, and a direct Security Rule organizational-requirement violation. OCR has levied six- and seven-figure fines in cases where a BAA was missing.
Who is responsible when a BA has a breach?
The BA is directly liable for its own Security Rule and Privacy Rule violations and must notify the covered entity of the breach under § 164.410. The covered entity keeps its own duties: notifying affected individuals (and, where required, HHS and the media) under § 164.404 through § 164.408, a task it may delegate to the BA by contract without shedding the obligation; cooperating with the investigation; and demonstrating that it had the BAA and due diligence in place.

Need help with this HIPAA safeguard?

Petronella Technology Group has helped practices, hospitals, health-tech companies, and business associates implement HIPAA Security Rule safeguards since 2002. BBB A+ accredited, headquartered at 5540 Centerview Dr in Raleigh, NC. Talk with our team about a documented risk analysis, Virtual CISO engagement, or targeted remediation.

Schedule a Compliance Consultation