
Staying Compliant with Third-Party Vendor Relationships: Business Associates and Agreements Simplified

Written by Ellie Owen

Published on 7 Mar 2019


As mentioned during SureCloud’s webinar on “Why Your Vendors are Your Biggest HIPAA Privacy Risk,” getting a business associate agreement in order can be a difficult task. The law can be nuanced, confusing, and seemingly endless on this subject matter. There are many factors to keep in mind in order to remain compliant. Here are some tips that should help streamline the process.


Before we begin, it’s important to note that Business Associate Agreements (“BAA”) are imperative to compliance efforts, given that disclosing Protected Health Information (“PHI”) without one can constitute a Health Insurance Portability and Accountability Act (“HIPAA”) violation. These are the documents that can insulate healthcare providers from liability by means of agency law. Without a BAA, a Covered Entity can be fined and found culpable through governmental enforcement action, as well as private suits, even though its vendor caused the breach.


A GovInfoSecurity article noted that “[in the first half of 2019], business associates have been reported as ‘present’ in 47 breaches affecting nearly 1.25 million individuals that have been added to the tally.”


Even more important than compliance, though, is that these vendors pose a significant risk to patient health and patient care.


Who Qualifies as a “Business Associate” (“BA”)?

The term Business Associate is applied to third-party vendors who regularly make use of Protected Health Information on behalf of a Covered Entity (a healthcare provider, health plan, or clearinghouse). The actual definition, which you can find at the Legal Information Institute, is much more robust. This basic rendition will enable you to determine, in general terms, who and what a Business Associate is.


To make matters even simpler, if you can follow along with this flowchart, answering yes to each question in the chain, your vendor is likely to be a Business Associate. As we discussed in the webinar, it’s always better to be safe and assume that a vendor falls under the definition if you’re unsure. Please note that best practice is to consult the Code of Federal Regulations (“CFR”) for the detailed parameters when drafting business associate agreements, as the following chart has been boiled down for convenience and ease of comprehension.




What Should I do Before Implementing a Business Associate Agreement?

Once you’ve determined that a potential vendor is indeed a Business Associate, it’s wise to screen them. Screening is essentially the process of conducting a risk assessment in the selection of Business Associates. The goal is to ensure that they’re capable of enacting the safeguards mandated by federal regulation, the ones you’ll want to outline in your contract with them.


It is important to document that you’ve performed these actions, as it serves as evidence of precautions taken if a breach occurs. You can do this on a spreadsheet. However, the downside is a daunting manual process with lots of emails and calls when dealing with a large number of vendors. Our clients use SureCloud Third-Party Risk Solutions to distribute the assessments, track and score them, and automate follow-up on the resulting remediation action items. Healthcare organizations have also benefited from a purpose-built vendor risk solution that SureCloud offers, set up specifically for Business Associates, Protected Health Information tracking and Business Associate Agreement tracking.


What Should I Put in My Business Associate Agreement?

The purpose of a Business Associate Agreement is to determine safeguards and ensure they’re appropriate to protect Protected Health Information against the risks in that particular business relationship. It’s what is called a satisfactory assurance. With a proper BAA, the Covered Entity is shielded from a lot of the liability that would arise from any vendor breach. It’s effectively a company’s written due diligence, making sure that its patients’ data is safe in the hands of their vendors.


From there, it’s easy to see that creating secure safeguards, the measures taken to protect PHI, is paramount. The Department of Health and Human Services offers a wide variety of resources to help Covered Entities craft BAAs, such as examples of Business Associates, sample contracts, transition provisions for existing contracts and exceptions to the Business Associate standard.


Let’s have a brief overview of the sorts of provisions required within a Business Associate Agreement:



It’s important not to forget other imperative aspects of drafting, such as creating working definitions or listing the obligations and activities of the Business Associate in question. For a more in-depth review of exactly what specifications the Office for Civil Rights (“OCR”) requires of BAAs, please read through sections 164.314 and 164.504 of the Code of Federal Regulations. These sections of the code should serve as the formal rubric for compliance.


What if I Already Have an Existing BAA?

When HITECH was enacted in 2009, Covered Entities had a grace period for current contracts with Business Associates. In other words, they could wait until the agreement was up for renewal to make it compliant. Because that leniency is no longer in effect, even existing agreements, including those you’ve had with clients for years, must comply with the standards we’ve discussed.


Business Associate Agreements should, ideally, be updated annually to reflect any changes in compliance requirements. Because that’s not always possible when you’re contracting with a multitude of Business Associates, try to stagger revisions on a two- to three-year rotation. That way, you’re still updating for compliance yearly, just on a more manageable basis. Remember, an inadequate BAA is almost as bad as not having one at all; either is a HIPAA violation, although you will have less corrective action to take if you already have a Business Associate Agreement template in place.


What Should I do After Implementing a BAA?

After entering into a Business Associate Agreement, you should continue to monitor your Business Associate. Request a copy of their internal HIPAA policies, and regularly review logs of employee training, security incidents, and periodic audits to ensure they adhere to the terms of the contract. As always, make sure to document these activities, should the need to demonstrate due diligence ever arise.


Documentation and habitual review also establish whether a Covered Entity knows about potential HIPAA violations, which might decide liability for any resulting breach, even if the Business Associate commits the act. Agency law factors in the relationship between Covered Entities and Business Associates, so be mindful of the conduct of those with whom you have a contract.



In conclusion, determining Business Associates and drafting agreements do not have to be overwhelming. There are numerous templates, resources, and instructive materials at your disposal. HIPAA compliance can be inconvenient, but it is important, and by no means impossible.


This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice, nor do they necessarily reflect the views of SureCloud Inc, or any of its attorneys other than the author. This article is not intended to create an attorney-client relationship. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products, which reinvent the way organisations manage risk. SureCloud’s products and services are underpinned by a highly configurable technology platform, which is simple, intuitive and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to support existing business processes without forcing organisations to engage in costly business change programmes. SureCloud has been recognized in the 2021 Gartner Magic Quadrant for Integrated Risk Management Solutions.