GRCWatch
Sign inStart free trial

HIPAA OR-1.1: Business Associate Contract Requirements

Your organization is directly liable for business associates who mishandle protected health information (PHI). OR-1.1 requires you to maintain enforceable contracts and actively monitor that associates meet their obligations—or face penalties. Without a systematic monitoring process, you risk substantial HIPAA violations.

What this means

Under HIPAA §164.306, a covered entity cannot claim compliance if it knows a business associate has materially breached or violated contract terms, yet fails to take reasonable corrective action. This control requires three things: a written business associate agreement (BAA) in place before the associate handles PHI; documented awareness of any breaches or violations; and evidence of reasonable steps taken to cure the breach or terminate the relationship. Ignorance is not a defense—you must actively monitor and respond.

How to comply

  1. 1.Execute written Business Associate Agreements (BAAs) with every vendor, contractor, or third party that accesses, processes, or stores PHI before they touch any protected data.
  2. 2.Document all business associate obligations in the contract, including security safeguards, breach notification requirements, and permitted use limitations.
  3. 3.Establish a monitoring process to track business associate compliance through periodic audits, vulnerability assessments, or compliance attestations.
  4. 4.Create a log or register of known breaches, security incidents, or contract violations involving business associates, including the date discovered and nature of the issue.
  5. 5.Define remediation timelines and corrective action procedures in the BAA so you have a documented playbook for responding to violations.
  6. 6.Document all reasonable steps taken to cure breaches or violations—including corrective action plans, follow-up audits, or contract termination notices.
  7. 7.Maintain evidence files showing your diligence: audit reports, signed acknowledgments of violations, remediation confirmations, and any contract amendments or terminations.

Evidence auditors look for

  • Signed Business Associate Agreements (BAAs) for all third parties handling PHI, dated prior to data access
  • Audit or assessment reports documenting business associate security compliance (annual or biennial)
  • Vendor risk assessment scorecards or security questionnaires completed and retained
  • Breach notification logs or incident reports documenting violations discovered
  • Corrective action plans (CAPs) issued to associates, with documented remediation timelines
  • Follow-up audit or attestation evidence showing cure of identified violations
  • Contract termination letters for associates who failed to remedy material breaches
  • Board or management meeting minutes discussing business associate compliance monitoring

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates business associate contract tracking, monitors compliance through continuous attestations, and flags violations in real-time so you can document corrective actions before regulators ask—eliminating the manual spreadsheet hunt.

See how GRCWatch handles this control automatically

Start free trial

Related controls

HIPAA OR-1.2 — Business Associate Contracts — Written AssuranceHIPAA §164.308(b)(1) — Workforce SecurityHIPAA §164.308(a)(4) — Information Access ManagementHIPAA §164.504(e) — Business Associate Agreement Requirements