SA-9.1: Business Associate Contracts and Other Arrangements
Your business associates handle sensitive patient data on your behalf—but HIPAA holds you accountable for their security practices. SA-9.1 requires covered entities to obtain satisfactory assurances that business associates will properly safeguard ePHI, making BAAs a critical compliance control. Without proper contracts in place, you're exposed to regulatory penalties and patient privacy breaches.
What this means
Under HIPAA Security Rule §164.306, covered entities can only allow business associates to create, receive, maintain, or transmit electronic protected health information (ePHI) if the covered entity has documented proof that the business associate will appropriately safeguard that information. This proof typically comes in the form of a Business Associate Agreement (BAA) that specifies security obligations, breach notification requirements, and compliance standards. The control ensures accountability flows down your supply chain, preventing unauthorized or insecure handling of patient data by third parties.
How to comply
- 1.Identify all entities that create, receive, maintain, or transmit ePHI on your behalf (cloud vendors, billing processors, IT service providers, etc.)
- 2.Develop or obtain a Business Associate Agreement template that complies with HIPAA's required terms and conditions
- 3.Require BAAs to be signed before any business associate accesses or processes ePHI
- 4.Include specific security safeguards in the BAA aligned with your organization's security policies and HIPAA requirements
- 5.Document breach notification obligations and timelines within the BAA
- 6.Periodically audit business associates' compliance with BAA terms through assessments, questionnaires, or on-site reviews
- 7.Maintain a current inventory of all active BAAs and review them at least annually for updates or needed revisions
- 8.Require business associates to implement subcontractor agreements that flow down the same security obligations
Evidence auditors look for
- Signed Business Associate Agreements for all third-party service providers
- BAA template documentation with HIPAA-required clauses for safeguarding ePHI
- Business associate inventory or register listing all entities with ePHI access
- Security assessment reports or audit findings from business associate reviews
- Breach notification procedures documented within BAAs with response timelines
- Email or correspondence confirming BAA execution dates and renewal dates
- Documentation showing periodic compliance monitoring or audit activities
- Subcontractor agreements that flow down security requirements to downstream vendors
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates BAA tracking and renewal reminders, maintains a centralized inventory of all business associate agreements, and flags compliance gaps through automated risk assessments—eliminating manual spreadsheet management and ensuring no vendors slip through without proper contracts.
See how GRCWatch handles this control automatically
Start free trial