Business associate governance
The business associate governance requirement means you must identify every third party that creates, receives, maintains, or transmits PHI for you, put the right contract terms in place (BAA where required), and actively oversee that relationship across onboarding, change, and offboarding. Operationalize it by keeping a BA inventory tied to systems/PHI flows, executing BAAs before access, and running documented monitoring.
Key takeaways:
- You need both paperwork (BAAs, inventories) and ongoing oversight, not a one-time signature.
- Scope starts with PHI data flows; if a third party touches PHI on your behalf, governance applies.
- Audits fail on gaps: missing BAAs, stale inventories, and no evidence that oversight happens.
Business associate governance is one of the fastest ways a HIPAA program turns “good on paper” into “defensible in an audit.” It sits at the junction of procurement, legal, security, privacy, IT operations, and the business teams that onboard third parties. If those teams are not coordinated, you get familiar failure modes: a cloud tool adopted by a department, PHI uploaded for convenience, and a BAA pursued after the fact (or never completed).
This requirement is operational by design. You are expected to manage contracts and oversight for business associates handling PHI, which means you must know who they are, what PHI they touch, why they touch it, what controls they promise contractually, and how you confirm they keep those promises over time 1.
The guidance below is written for a Compliance Officer, CCO, or GRC lead who needs to implement quickly: define the decision rule for “is this a BA,” build a workable intake process, standardize BAA execution, and generate audit-ready evidence without slowing the business to a crawl.
Regulatory text
Regulatory excerpt (provided): “Manage contracts and oversight for business associates handling PHI.” 1
Operator interpretation:
You must run a repeatable governance process for third parties that handle PHI on your behalf. Practically, that means:
- Contract coverage: Ensure the relationship is governed by appropriate contractual terms (commonly a BAA where applicable) before the third party accesses PHI.
- Ongoing oversight: Maintain visibility and control across the relationship lifecycle: onboarding, changes in scope or systems, incidents, and termination.
- Evidence: Keep artifacts that prove you executed the process, not just that you have a policy 1.
Plain-English interpretation (what “good” looks like)
You can explain, quickly and consistently, all of the following for any business associate:
- Who they are (legal entity, service, owner, criticality).
- What PHI touches them (data types, systems, interfaces, storage locations).
- Why it’s permitted (business purpose and minimum necessary framing).
- What contract is in place (BAA status, effective date, scope, breach reporting terms).
- How you oversee them (security review, periodic check-ins, incident handling, change control).
- How you offboard (PHI return/destruction, access revocation, contract termination).
If you cannot answer those six items with artifacts, you do not have operational governance; you have a filing cabinet.
Who it applies to
Entity types:
- Covered Entities that engage third parties to perform functions or services involving PHI.
- Business Associates that, in turn, use subcontractors that may handle PHI as part of delivering the service 1.
Operational contexts where this shows up:
- Cloud hosting, managed IT, email/security tooling where PHI can be stored or transmitted.
- Billing, collections, coding, claims processing, call centers, transcription.
- EHR integrations, patient engagement platforms, analytics, data warehouses.
- Consultants/contractors who can access systems with PHI (even temporary access).
- “Shadow” third parties adopted by departments (forms, file-sharing, AI tools) that end up holding PHI.
What you actually need to do (step-by-step)
Step 1: Build your BA decision rule (and publish it)
Create a one-page intake rule the business can use:
- If a third party handles PHI on your behalf, route to BA governance.
- If they may incidentally see PHI but do not handle it for you, still route for review so you can document the decision and controls.
Keep this rule in your third-party intake workflow and procurement checklist.
Deliverable: “Business Associate Determination Guide” (one page) mapped to your intake form.
Step 2: Create a single inventory tied to PHI flows
Maintain a system of record (spreadsheet, GRC tool, or Daydream) that lists:
- Third party legal name, service description, internal owner
- Whether they are a BA (yes/no/under review)
- PHI touched (types), systems involved, data transfer method (API/SFTP/portal)
- BAA status (required? executed? effective date? renewal/termination)
- Subcontractor involvement (yes/no/unknown) and how it is addressed contractually
- Oversight cadence and last completed review
Tip: Start from PHI repositories and integrations (EHR, billing, file shares, ticketing attachments). Work outward to vendors. That approach finds missed relationships faster than starting from Accounts Payable.
Deliverable: Business Associate Inventory + PHI Data Flow references 1.
Step 3: Standardize BAA contracting and gating
Put in place a “no PHI before BAA” gate:
- Procurement/Legal owns BAA execution workflow.
- IT/Security owns technical gating: no credentials, no SSO group membership, no interface keys, no mailbox rules, no data exports until the gate is satisfied.
- Business owner confirms scope: what PHI and why.
Create a BAA playbook:
- Approved BAA template(s)
- Fallback language if a third party insists on papering their own form
- Redlines that must escalate (breach notice timing, subcontractor terms, return/destruction language, audit rights, permitted uses)
Deliverables: BAA template + contract review checklist + gating control in onboarding process 1.
Step 4: Verify downstream subcontractor obligations
Your governance must address the common weak spot: BA subcontractors.
- Require the BA to flow down obligations to subcontractors that handle PHI.
- Ask for a list of subcontractors that may access PHI, or a category-based disclosure if they cannot provide names.
- Document what you accepted and why (risk-based rationale).
Deliverables: Contract clause(s) addressing subcontractors + evidence of subcontractor disclosure/attestation 1.
Step 5: Run risk-based oversight that produces evidence
Oversight does not have to be heavy, but it must be real.
- Onboarding review: Confirm security controls relevant to the service (access control, encryption approach, incident response contacts, segregation for multi-tenant services).
- Change management trigger: Re-review when scope changes (new integration, new data types, new geography, new subcontractor model).
- Incident handling: Maintain a tested contact path and require prompt notification through contractual terms.
- Periodic check-ins: A lightweight attestation or review can be sufficient for lower-risk BAs; higher-risk BAs should receive deeper review and security artifacts.
Deliverables: Completed review records, meeting notes, tickets, approvals, and any attestation documents tied to the BA inventory 1.
Step 6: Offboarding and termination controls
Build an offboarding checklist:
- Disable access (accounts, API keys, SFTP users, VPN, shared mailboxes)
- Retrieve/confirm return or destruction of PHI where applicable
- Document termination date and retention of required records
Deliverables: Offboarding checklist + closure evidence (access revocation logs, termination notices) 1.
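As an added example (not code from the original page or from Daydream), the following Python check runs a Step 2 style inventory through the gating and oversight rules of Steps 3 to 6 and returns the dashboard counts named in the 61–90 day plan; the vendor records, dates and per-tier review cadence are constructed assumptions.

```python
from datetime import date
# Constructed sample inventory (not real vendors). Fields follow the Step 2
# inventory columns plus the Step 6 termination/access-revocation fields.
INVENTORY = [
    {"name": "ExampleHost Cloud", "is_ba": "yes", "phi_types": ["claims"],
     "baa_executed": date(2024, 1, 10), "access_began": date(2024, 2, 1), "subcontractors": "yes",
     "tier": "enhanced", "last_review": date(2024, 3, 1), "terminated": None, "access_enabled": True},
    {"name": "ExampleBilling Co", "is_ba": "yes", "phi_types": ["billing"],
     "baa_executed": date(2024, 5, 20), "access_began": date(2024, 4, 15), "subcontractors": "unknown",
     "tier": "standard", "last_review": None, "terminated": None, "access_enabled": True},
    {"name": "ExampleForms SaaS", "is_ba": "under review", "phi_types": ["intake forms"],
     "baa_executed": None, "access_began": date(2024, 6, 3), "subcontractors": "no",
     "tier": "light", "last_review": date(2024, 6, 3), "terminated": None, "access_enabled": True},
    {"name": "ExampleTranscribe", "is_ba": "yes", "phi_types": ["notes"],
     "baa_executed": date(2023, 1, 1), "access_began": date(2023, 1, 5), "subcontractors": "no",
     "tier": "light", "last_review": date(2024, 1, 5), "terminated": date(2024, 7, 1), "access_enabled": True},
]
AS_OF = date(2024, 8, 1)  # assumed "today" for the worked run
# Review cadence per oversight tier (assumed day counts; set to your own policy).
REVIEW_CADENCE_DAYS = {"enhanced": 90, "standard": 180, "light": 365}

def audit_inventory(records, today):
    """Return (vendor, finding) pairs for the gaps auditors press on."""
    findings = []
    for r in records:
        name = r["name"]
        # Step 3 gate: no PHI access before an executed BAA (also catches "under review").
        if r["is_ba"] != "no" and r["phi_types"]:
            if r["baa_executed"] is None:
                findings.append((name, "PHI access without executed BAA"))
            elif r["access_began"] and r["baa_executed"] > r["access_began"]:
                findings.append((name, "BAA executed after PHI access began"))
        # Step 4: subcontractor involvement must be known and documented.
        if r["is_ba"] == "yes" and r["subcontractors"] == "unknown":
            findings.append((name, "subcontractor involvement undocumented"))
        # Step 5: risk-based cadence; a missing review is treated as overdue.
        due = REVIEW_CADENCE_DAYS.get(r["tier"], 365)
        if r["last_review"] is None or (today - r["last_review"]).days > due:
            findings.append((name, "oversight review overdue"))
        # Step 6: termination must be matched by access revocation.
        if r["terminated"] and r["access_enabled"]:
            findings.append((name, "terminated BA still has access enabled"))
    return findings

def dashboard(records, today):
    """Leadership view from the 61-90 day plan: BA count, BAAs executed, overdue reviews."""
    bas = [r for r in records if r["is_ba"] != "no"]
    overdue = [f for f in audit_inventory(records, today) if f[1] == "oversight review overdue"]
    return {"ba_count": len(bas), "baas_executed": sum(1 for r in bas if r["baa_executed"]),
            "overdue_reviews": len(overdue)}
```

Each finding maps to one of the audit questions later on this page, so the same output doubles as the evidence gap list to work through before a review.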
Required evidence and artifacts to retain (audit-ready list)
Keep artifacts in one place, mapped to each BA record:
- Business Associate Inventory (current, versioned)
- BA determination records for ambiguous cases (why BA vs not BA)
- Signed BAAs (and amendments), with effective dates and scope
- Third-party onboarding approvals and gating evidence (ticket IDs, access requests)
- Security/privacy review outputs (questionnaire, attestation, exceptions, risk acceptance)
- Subcontractor disclosure/flow-down evidence (contract language, BA confirmation)
- Incident communications and post-incident follow-ups involving BAs
- Offboarding evidence: access revocation, PHI return/destruction confirmation 1
Daydream fit (practical): Use Daydream as the system of record to link each BA to its BAA, scope of PHI, review tasks, and renewal/offboarding actions so audits become a query, not an email hunt.
Common exam/audit questions and hangups
Auditors and internal reviewers typically press on:
- “Show me your complete list of business associates and how you know it’s complete.”
- “For this BA, show the executed BAA and the date PHI access began.”
- “How do you ensure departments cannot onboard tools that process PHI outside procurement?”
- “How do you address BA subcontractors?”
- “What monitoring occurs after contract signature?” 1
Hangup to expect: completeness. If your inventory is not tied to PHI systems and procurement intake, it looks like guesswork.
Frequent implementation mistakes (and how to avoid them)
- BAA-after-access. Fix: enforce technical and process gating so access cannot be granted before contract status is approved.
- Inventory built from invoices only. Fix: reconcile AP lists with PHI data flows and integrations; interview system owners.
- No documented BA determinations. Fix: capture the rationale in the intake ticket for every questionable third party.
- Subcontractors ignored. Fix: add a required contract clause and a procurement step to obtain disclosure/attestation.
- Oversight equals “annual questionnaire” with no follow-through. Fix: track findings, exceptions, and remediation owners in the same place you store the BAA; close the loop with evidence.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific case outcomes. Practically, weak business associate governance increases the likelihood that PHI is disclosed through third-party misconfiguration, unauthorized access, or delayed incident notification. The operational risk shows up as: unknown PHI locations, delayed containment, and an inability to prove appropriate contracting and oversight 1.
Practical 30/60/90-day execution plan
First 30 days (stabilize and stop new gaps)
- Stand up the BA intake decision rule and publish it to Procurement, Legal, IT, and department admins.
- Implement the “no PHI before BAA” gate in your onboarding workflow (process gate if technical gating takes longer).
- Build an initial BA inventory from procurement contracts and your highest-risk PHI systems owner list (EHR, billing, document management). 1
Days 31–60 (make it complete enough for audits)
- Reconcile inventory against SSO apps, integrations, and data export paths used by PHI systems.
- Collect missing BAAs, prioritize by PHI volume/sensitivity and external exposure (internet-facing integrations, hosted storage).
- Add subcontractor flow-down language to templates and start capturing subcontractor disclosures for critical BAs.
- Define oversight tiers (light/standard/enhanced) and assign each BA a tier with a documented rationale. 1
Days 61–90 (operationalize oversight and reporting)
- Run the first oversight cycle for critical BAs: review artifacts, document exceptions, track remediation.
- Test offboarding on one low-risk BA to validate the checklist and evidence trail.
- Build a governance dashboard for leadership: BA count, BAA completion status, overdue reviews, critical BA list.
- Move the inventory and workflow into Daydream (or your chosen system) to automate renewals, reviews, and evidence linking. 1
Frequently Asked Questions
How do we decide if a third party is a business associate?
Base the decision on whether they handle PHI on your behalf as part of providing a service. Document the decision in the intake record, even when the answer is “no,” so you can show consistent governance 1.
Do we need a BAA for every third party we buy software from?
No. You need BA governance for third parties that create, receive, maintain, or transmit PHI for you. The operational fix is to route all tools that may touch PHI through an intake check so the decision is recorded.
What’s the minimum oversight that will satisfy an auditor?
Maintain a current BA inventory, ensure BAAs are executed before PHI access, and retain evidence of ongoing oversight actions (reviews, issue tracking, incident communications). Oversight can be risk-based, but it must produce artifacts 1.
Our business associate won’t sign our BAA template. What should we do?
Use a redline checklist with escalation points so Legal and Compliance can approve acceptable alternates consistently. Record the deviation and any compensating controls in the BA record so the decision is traceable.
How do we handle BA subcontractors if the BA won’t disclose names?
Require contractual flow-down obligations and request at least category-level disclosure plus an attestation that subcontractors are bound to equivalent requirements. Document what you received and why you accepted it.
What evidence matters most during an audit?
Auditors usually want to see the executed BAA, proof it was in place before PHI access, and a living inventory that ties the BA to PHI scope and oversight actions. If those items are scattered, centralize them in a single record per BA 1.
Footnotes
1. HIPAA Security Rule (45 CFR Part 164 Subpart C)