With recent events around supply chain attacks we thought it would be a good idea to remind everyone of the importance of tracking your Business Associate Agreements!

Tracking your Business Associate Agreements (BAA) is important, but what information is important to document and maintain? We’re going to cover which details are a must when tracking your BAAs and why. 

  1. Name and Contact Information
    • This seems like a no brainer, but this is a hugely important detail. Not only should you have the contact information of a specific person within the BA, but you should also track who internally the BA is in communication with and from which department in your organization. 
    • Your BA contact will also be the person to reach out to, annually, when confirming the security standards outlined in your BAA are being maintained.  
  1. The type of information and systems the BA has access to; PHI, ePHI etc.
    • Should your BA have some sort of attack, it is important to know what information on which systems may have been compromised. 
  1. Contract Dates
    • You’ll want to track when the agreement starts and when the agreement expires 
    • Having contract dates will keep you on a timeline for renewing agreements or terminating agreements that are no longer needed.  
    • The dates can also serve as reminders to check in on your BA’s security standards, mentioned earlier, and review/update your BAA.  

The OCR finds major issues within the BAA space when investigating covered entities. Maintaining and tracking your BAAs should be a priority within your organization to avoid investigations that could lead to financial repercussions.