Here’s a template to help covered entities review their business associate agreements (BAAs). It was developed by Regina Alexander, a principal with BerryDunn. It also could be “reverse engineered for a business associate/vendor to review all the BAAs they have signed,” she said (see story, p. 1). Contact Alexander at ralexander@berrydunn.com.
BAA checklist
Item | Entry | Item | Entry
---|---|---|---
Business Associate (BA)/Vendor name | | Reviewer initials |
Internal AP account # (if applicable) | | Date reviewed |
Date of original contract/agreement | | Remediation pending? [Y/N] |
Renewal/expiration date of original contract/agreement | | Initial review status |
Internal Business Lead/Department Overseeing Vendor/BA | | Final review status |
Type of service provided by vendor/BA | | Risk level of vendor/BA |
Review Step | Response | Follow-up needed? [Y] | Additional notes/observations
---|---|---|---
Business Associate Agreement (BAA) on file? (Y/N) | | |
Format of BAA (hard copy, electronic) | | |
Is the BAA fully executed? (Y/N; if no, describe deficiency) | | |
If yes to BAA, date executed by CE and name of designee | | |
If yes to BAA, date executed by BA and name of designee | | |
Do the parties executing the BAA still represent the organizations? (Y/N) | | |
Is the contact information for notifications accurate for both parties? (Y/N) | | |
What is the time frame for the BA to notify the CE of a security incident or breach of PHI? | | |
What is the method of notification? (U.S. mail, fax, hand delivery, overnight, etc.) | | |
Is the BAA boilerplate (HHS OCR sample template, no special provisions)? (Y/N) | | |
If the BAA contains special/custom terms, do the terms include indemnification for losses? If yes, how much? | | |
If the BAA contains special/custom terms, do the terms include cyberinsurance? If yes, how much? | | |
Other custom terms? | | |
Are there terms in the Master Services Agreement or contract that potentially conflict with the BAA? (Y/N) | | |
If yes to conflicting terms, provide examples. | | |