Business Associate Agreement Services
Every vendor that accesses PHI on your behalf requires a compliant Business Associate Agreement. PTG provides comprehensive BAA development, review, negotiation, and ongoing management to protect your organization from regulatory liability.
What We Deliver
Comprehensive BAA management that goes beyond templates to address the specific realities of each vendor relationship.
BAA Development
Custom-drafted agreements meeting all HIPAA and HITECH Act requirements, tailored to the specific services each vendor provides.
BAA Review and Gap Analysis
Thorough review of existing BAAs to identify missing provisions, outdated language, and gaps that expose you to regulatory risk.
Vendor Risk Assessment
Evaluate whether your business associates actually implement the safeguards required by their BAAs. A signed agreement means nothing without compliance.
Ongoing BAA Management
Continuous tracking of expirations, vendor changes, and regulatory updates. Centralized inventory so no agreement falls through the cracks.
BAA Negotiation Support
Review and strengthen vendor-drafted BAAs. We identify provisions that create risk and provide alternative language proposals.
Subcontractor Chain Management
The HITECH Act, as implemented by the 2013 HIPAA Omnibus Rule, requires that business associates put BAAs in place with any downstream subcontractor that handles PHI. We map each vendor's subcontractors and verify that the entire chain of trust is covered.
Before and After BAA Management
Before:
Missing BAAs
Vendors accessing PHI without signed agreements. A single 2023 OCR resolution agreement that cited a missing BAA ran to $1.3M.
Outdated Agreements
Pre-HITECH BAAs lacking breach notification provisions, subcontractor flow-down requirements, and acknowledgment of the business associate's direct liability under HITECH.
No Vendor Oversight
No process to verify that vendors actually implement the safeguards promised in their BAAs.
After:
Complete BAA Coverage
Every vendor relationship identified and covered by a compliant, current Business Associate Agreement.
HITECH-Compliant Terms
All agreements updated with breach notification, subcontractor flow-down, and Omnibus Rule requirements.
Active Vendor Monitoring
Ongoing due diligence program with security questionnaires, SOC report reviews, and risk evaluations.
Our BAA Management Process
Vendor Inventory and Assessment
BAA Development and Remediation
Vendor Due Diligence
Ongoing Monitoring and Updates
Negotiation Support
Lifecycle Tracking and Renewals
Frequently Asked Questions
What is a Business Associate Agreement?
A legally binding contract required by HIPAA between a covered entity and any vendor that accesses, creates, receives, maintains, or transmits PHI on the covered entity's behalf. It establishes permitted uses, required safeguards, and breach notification responsibilities.
Who qualifies as a business associate?
Any organization performing functions involving PHI on behalf of a covered entity. This includes IT providers, cloud hosting companies, billing services, EHR vendors, transcription services, shredding companies, and consultants with PHI access.
What happens if we operate without a BAA?
Disclosing PHI to a vendor without a BAA is an impermissible disclosure under the Privacy Rule, so the missing agreement is a violation in its own right and can draw penalties whether or not a breach ever occurs. OCR has levied penalties exceeding $1 million in enforcement actions where a missing BAA was a cited violation.
Do subcontractors need BAAs too?
Yes. Under HITECH and the Omnibus Rule, the chain of trust extends to every downstream business associate. If your vendor uses a subcontractor that accesses PHI, the vendor must have a BAA with that subcontractor; the covered entity does not need a direct agreement with the subcontractor, but it should confirm that the vendor's BAA obligates the vendor to obtain one.
What must a compliant BAA contain?
The provisions required by 45 CFR 164.504(e) include permitted PHI uses and disclosures, safeguard obligations (including Security Rule compliance for electronic PHI), reporting of impermissible uses and disclosures with breach notification timelines, subcontractor requirements, support for individual access, amendment, and accounting-of-disclosures rights, PHI return or destruction at termination, availability of records to HHS, and the covered entity's right to terminate for material breach.
How often should BAAs be reviewed?
At minimum when agreements expire or renew, when vendor relationships change scope, and when regulatory requirements evolve. PTG recommends annual reviews of all active BAAs.
Protect Your Organization from BAA Gaps
Schedule a BAA review to identify missing agreements, outdated terms, and vendor compliance gaps before OCR does.