What is a HIPAA BAA Checklist?

A HIPAA BAA checklist, or vendor questionnaire, allows covered entities to measure their business associates’ safeguards against HIPAA standards. Covered entities should send the questionnaire to their business associates to fill out before working with the vendor. A HIPAA BAA checklist has three major sections: documentation, security, and training.

HIPAA BAA Checklist: Documentation

To be HIPAA compliant, you must be able to illustrate your compliance efforts to the Department of Health and Human Services (HHS) through documentation. 

☐ Has your organization conducted your annual self-audits?

☐ Have you created remediation plans to address gaps found through your self-audits?

☐ Have you fulfilled your annual obligation to review your policies and procedures? Have you made changes to your policies and procedures to account for changes in your business process?

☐ Have you tracked access to protected health information (PHI) through audit logs?

☐ Have you kept track of all visitors to your physical site?

☐ Have you kept track of storage devices (hard drives, USB flash drives) that contain ePHI? Have devices no longer in use been properly destroyed?

☐ Have you logged detected virus and malware attacks? Have you reported breaches to the HHS?

☐ Have you vetted your business associates? Do you have signed business associate agreements with all of your business associates?

HIPAA BAA Checklist: Security

HIPAA requires organizations to ensure the confidentiality, integrity, and availability of PHI.

☐ Do you send quarterly security and procedure reminders to staff?

☐ Have you implemented automatic logoff procedures?

☐ Have you updated passwords to a minimum of eight (8) characters in length, using a special character and capital letter?

☐ Do you restrict sequential or repetitive characters, context-specific passwords, and commonly used passwords (e.g. 12345, aaaaaa, the name of the site, p@ssw0rd, and dictionary words)?

☐ Do you have policies against sharing passwords?

☐ Do you use encrypted email or have a policy that no emails containing ePHI are to be sent?

☐ Do you restrict admin rights to any PHI software?

☐ Does your staff understand that breaches occur? If a breach occurs, do you have a means for employees to report the breach anonymously?

HIPAA BAA Checklist: Training

Organizations that may have contact with PHI must train employees on its proper uses and disclosures. 

☐ Do you train all employees annually on HIPAA standards and your organization’s policies and procedures?