BAA Management Module — HIPAA Business Associate Agreement System
Classification: Internal — Compliance Engineering Date: 2026-02-16 Task: D.3.3 — BAA Management Module Regulatory Framework: HIPAA §164.502(e), §164.504(e), HITECH Act
1. Executive Summary
The Business Associate Agreement (BAA) Management Module is a compliance-critical system that ensures all third-party vendors, subcontractors, and service providers who create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of the organization (the Covered Entity) have executed valid, compliant BAAs as required by HIPAA §164.502(e) and §164.504(e).
1.1 Mission-Critical Requirements
| Requirement | Regulatory Driver | System Response |
|---|---|---|
| BAA execution before PHI access | HIPAA §164.502(e)(1) | PHI access blocked without active BAA |
| Documented permitted uses/disclosures | HIPAA §164.504(e)(2)(i) | Structured data model with audit trail |
| Breach notification requirements | HITECH Act §13402 | Timeline enforcement (60hr default) |
| Safeguard requirements | HIPAA §164.504(e)(2)(ii)(A) | Security requirements level per BAA |
| Subcontractor authorization | HIPAA §164.504(e)(2)(i)(D) | Subcontractor chain tracking |
| Termination provisions | HIPAA §164.504(e)(2)(i)(H) | Return/destroy requirement enforcement |
| Annual review | OCR Audit Protocol | Automated review reminders and tracking |
1.2 Key Capabilities
- Lifecycle Management: Draft → Negotiation → Signature → Active → Renewal → Termination
- Alert System: 90/60/30/7-day advance renewal notifications with escalation
- Compliance Dashboard: Real-time view of BAA coverage, expirations, and gaps
- Template Library: HHS-compliant templates with version control
- Subcontractor Tracking: Multi-level chain verification (BA → sub-BA → sub-sub-BA)
- Integration Hub: Connects to vendor management, document storage, incident response, and audit systems
- Reporting Engine: OCR audit-ready BAA inventory and compliance reports
2. Data Model
2.1 Core Entity: BusinessAssociateAgreement
CREATE TABLE business_associate_agreements (
-- Identifiers
baa_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
tenant_id UUID NOT NULL REFERENCES tenants(tenant_id),
baa_number VARCHAR(50) UNIQUE NOT NULL, -- e.g., "BAA-2026-001"
-- Parties
covered_entity_id UUID NOT NULL REFERENCES organizations(org_id),
covered_entity_name VARCHAR(255) NOT NULL,
business_associate_id UUID NOT NULL REFERENCES organizations(org_id),
business_associate_name VARCHAR(255) NOT NULL,
-- BAA Type & Classification
baa_type VARCHAR(50) NOT NULL CHECK (baa_type IN ('standard', 'subcontractor', 'omnibus', 'hybrid')),
-- standard: direct BA relationship
-- subcontractor: BA's downstream BA
-- omnibus: covers multiple entities under one agreement
-- hybrid: custom arrangement
parent_baa_id UUID REFERENCES business_associate_agreements(baa_id), -- For subcontractor BAAs
-- Temporal
effective_date DATE NOT NULL,
expiration_date DATE NOT NULL,
renewal_date DATE, -- Planned renewal date if auto-renewing
auto_renew BOOLEAN DEFAULT false,
renewal_notice_period_days INTEGER DEFAULT 90, -- Days before expiry to trigger renewal process
-- Status
status VARCHAR(50) NOT NULL CHECK (status IN (
'draft', 'internal_review', 'legal_review', 'negotiation',
'pending_signature', 'active', 'pending_renewal', 'expired',
'terminated', 'suspended'
)),
status_reason TEXT, -- Free text for context (e.g., "Expired - vendor unresponsive")
-- Permitted Uses & Disclosures (HIPAA §164.504(e)(2)(i))
permitted_uses JSONB NOT NULL, -- Array of use cases: ["treatment", "payment", "healthcare_operations", "research"]
permitted_disclosures JSONB NOT NULL, -- Array of disclosure types
permitted_phi_types JSONB, -- ["demographic", "clinical", "billing", "lab_results"]
data_minimization_required BOOLEAN DEFAULT true,
-- Security & Safeguards (HIPAA §164.504(e)(2)(ii))
security_requirements_level VARCHAR(50) NOT NULL CHECK (security_requirements_level IN ('standard', 'enhanced', 'critical')),
-- standard: minimum HIPAA requirements
-- enhanced: additional controls (e.g., encryption, MFA)
-- critical: maximum controls (e.g., dedicated environment, SOC 2 Type II)
encryption_required BOOLEAN DEFAULT true,
encryption_standards JSONB, -- ["AES-256", "TLS 1.3"]
access_control_requirements JSONB, -- ["MFA", "IP_allowlist", "VPN"]
audit_logging_required BOOLEAN DEFAULT true,
vulnerability_scanning_frequency VARCHAR(50), -- "monthly", "quarterly", "annual"
penetration_testing_required BOOLEAN DEFAULT false,
-- Breach Notification (HITECH Act §13402)
breach_notification_timeline_hours INTEGER NOT NULL DEFAULT 60, -- 60 hours = OCR guidance
breach_notification_contact_email VARCHAR(255),
breach_notification_contact_phone VARCHAR(50),
breach_discovery_responsibility VARCHAR(50) CHECK (breach_discovery_responsibility IN ('covered_entity', 'business_associate', 'both')),
-- Termination Provisions (HIPAA §164.504(e)(2)(i)(H))
termination_notice_period_days INTEGER DEFAULT 30,
phi_return_required BOOLEAN DEFAULT true,
phi_destruction_allowed BOOLEAN DEFAULT false,
phi_disposal_method VARCHAR(50) CHECK (phi_disposal_method IN ('return', 'destruction', 'either', 'both')),
phi_disposal_certification_required BOOLEAN DEFAULT true,
phi_disposal_deadline_days INTEGER DEFAULT 30, -- Days after termination
-- Subcontractor Authorization (HIPAA §164.504(e)(2)(i)(D))
subcontractor_authorization_required BOOLEAN DEFAULT true,
authorized_subcontractors JSONB, -- Array of {name, baa_id, service, date_authorized}
-- Compliance & Audit
hipaa_training_required BOOLEAN DEFAULT true,
hipaa_training_frequency_months INTEGER DEFAULT 12,
compliance_assessment_required BOOLEAN DEFAULT false,
compliance_assessment_frequency_months INTEGER,
soc2_certification_required BOOLEAN DEFAULT false,
hitrust_certification_required BOOLEAN DEFAULT false,
-- Document Management
document_storage_url TEXT, -- Link to signed BAA document (S3, SharePoint, etc.)
document_version VARCHAR(20), -- Template version used
document_hash VARCHAR(128), -- SHA-256 hash of signed document for integrity
-- Amendment History
amendment_count INTEGER DEFAULT 0,
last_amendment_date DATE,
amendment_history JSONB DEFAULT '[]'::jsonb, -- Array of {date, description, amended_by, document_url}
-- Financial
annual_cost DECIMAL(12,2), -- Optional: track cost for budgeting
cost_center VARCHAR(100),
-- Workflow & Attribution
created_at TIMESTAMP NOT NULL DEFAULT NOW(),
created_by UUID NOT NULL REFERENCES users(user_id),
updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
updated_by UUID NOT NULL REFERENCES users(user_id),
reviewed_at TIMESTAMP, -- Last compliance review
reviewed_by UUID REFERENCES users(user_id),
next_review_date DATE, -- Next mandatory review
-- Multi-tenancy & Security
CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(tenant_id),
CONSTRAINT ck_dates CHECK (expiration_date > effective_date),
CONSTRAINT ck_parent_baa CHECK (
(baa_type = 'subcontractor' AND parent_baa_id IS NOT NULL) OR
(baa_type != 'subcontractor')
)
);
-- Indexes for performance
CREATE INDEX idx_baa_tenant ON business_associate_agreements(tenant_id);
CREATE INDEX idx_baa_status ON business_associate_agreements(status);
CREATE INDEX idx_baa_expiration ON business_associate_agreements(expiration_date);
CREATE INDEX idx_baa_ba ON business_associate_agreements(business_associate_id);
CREATE INDEX idx_baa_parent ON business_associate_agreements(parent_baa_id);
-- RLS for multi-tenancy
ALTER TABLE business_associate_agreements ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON business_associate_agreements
USING (tenant_id = current_setting('app.current_tenant')::uuid);
2.2 Supporting Entity: BAAParty (Organizations)
CREATE TABLE baa_parties (
party_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
tenant_id UUID NOT NULL REFERENCES tenants(tenant_id),
-- Organization Details
legal_name VARCHAR(255) NOT NULL,
doing_business_as VARCHAR(255),
organization_type VARCHAR(50) CHECK (organization_type IN ('covered_entity', 'business_associate', 'both')),
-- Contact Information
primary_contact_name VARCHAR(255),
primary_contact_title VARCHAR(255),
primary_contact_email VARCHAR(255) NOT NULL,
primary_contact_phone VARCHAR(50),
legal_contact_name VARCHAR(255),
legal_contact_email VARCHAR(255),
privacy_officer_name VARCHAR(255),
privacy_officer_email VARCHAR(255),
-- Address
street_address TEXT,
city VARCHAR(100),
state VARCHAR(50),
postal_code VARCHAR(20),
country VARCHAR(100) DEFAULT 'USA',
-- Regulatory
ein VARCHAR(20), -- Employer Identification Number
npi VARCHAR(10), -- National Provider Identifier (if applicable)
is_covered_entity BOOLEAN DEFAULT false,
is_business_associate BOOLEAN DEFAULT false,
-- Vendor Classification
vendor_category VARCHAR(100), -- "cloud_storage", "analytics", "billing", "claims_processing", etc.
services_provided TEXT,
phi_access_level VARCHAR(50) CHECK (phi_access_level IN ('none', 'limited', 'full')),
-- Risk Assessment
risk_tier VARCHAR(50) CHECK (risk_tier IN ('low', 'medium', 'high', 'critical')),
last_security_assessment_date DATE,
next_security_assessment_date DATE,
-- Status
active BOOLEAN DEFAULT true,
onboarding_date DATE,
offboarding_date DATE,
-- Attribution
created_at TIMESTAMP DEFAULT NOW(),
created_by UUID REFERENCES users(user_id),
updated_at TIMESTAMP DEFAULT NOW(),
updated_by UUID REFERENCES users(user_id),
CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(tenant_id)
);
CREATE INDEX idx_party_tenant ON baa_parties(tenant_id);
CREATE INDEX idx_party_type ON baa_parties(organization_type);
CREATE INDEX idx_party_active ON baa_parties(active);
ALTER TABLE baa_parties ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON baa_parties
USING (tenant_id = current_setting('app.current_tenant')::uuid);
2.3 Supporting Entity: BAAAmendment
CREATE TABLE baa_amendments (
amendment_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
baa_id UUID NOT NULL REFERENCES business_associate_agreements(baa_id) ON DELETE CASCADE,
tenant_id UUID NOT NULL REFERENCES tenants(tenant_id),
-- Amendment Details
amendment_number INTEGER NOT NULL, -- Sequential per BAA
amendment_date DATE NOT NULL,
effective_date DATE NOT NULL,
-- Changes
amendment_type VARCHAR(50) CHECK (amendment_type IN (
'scope_change', 'term_extension', 'security_enhancement',
'subcontractor_addition', 'contact_update', 'compliance_update', 'other'
)),
description TEXT NOT NULL,
changes_summary JSONB, -- Structured: {field: {old_value, new_value}}
-- Approval
approved_by UUID REFERENCES users(user_id),
approved_at TIMESTAMP,
-- Document
document_storage_url TEXT,
document_hash VARCHAR(128),
-- Attribution
created_at TIMESTAMP DEFAULT NOW(),
created_by UUID REFERENCES users(user_id),
CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(tenant_id),
CONSTRAINT uq_amendment_number UNIQUE (baa_id, amendment_number)
);
CREATE INDEX idx_amendment_baa ON baa_amendments(baa_id);
CREATE INDEX idx_amendment_tenant ON baa_amendments(tenant_id);
ALTER TABLE baa_amendments ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON baa_amendments
USING (tenant_id = current_setting('app.current_tenant')::uuid);
2.4 Supporting Entity: BAANotification
CREATE TABLE baa_notifications (
notification_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
baa_id UUID NOT NULL REFERENCES business_associate_agreements(baa_id) ON DELETE CASCADE,
tenant_id UUID NOT NULL REFERENCES tenants(tenant_id),
-- Notification Details
notification_type VARCHAR(50) CHECK (notification_type IN (
'renewal_90day', 'renewal_60day', 'renewal_30day', 'renewal_7day',
'expired', 'review_due', 'amendment_required', 'compliance_gap',
'subcontractor_added', 'security_incident'
)),
notification_priority VARCHAR(20) CHECK (notification_priority IN ('low', 'medium', 'high', 'critical')),
-- Message
subject VARCHAR(255) NOT NULL,
message TEXT NOT NULL,
-- Recipients
recipient_user_ids JSONB, -- Array of user UUIDs
recipient_roles JSONB, -- Array of roles: ["HIPAA_PRIVACY_OFFICER", "COMPLIANCE_MANAGER"]
recipient_emails JSONB, -- Array of email addresses for external parties
-- Delivery
sent_at TIMESTAMP,
delivery_status VARCHAR(50) CHECK (delivery_status IN ('pending', 'sent', 'failed', 'acknowledged')),
delivery_channels JSONB DEFAULT '["email", "in_app"]'::jsonb,
-- Response
acknowledged_at TIMESTAMP,
acknowledged_by UUID REFERENCES users(user_id),
action_taken TEXT,
action_taken_at TIMESTAMP,
-- Escalation
escalated BOOLEAN DEFAULT false,
escalated_at TIMESTAMP,
escalated_to UUID REFERENCES users(user_id),
-- Attribution
created_at TIMESTAMP DEFAULT NOW(),
created_by UUID REFERENCES users(user_id), -- System or user who triggered
CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(tenant_id)
);
CREATE INDEX idx_notification_baa ON baa_notifications(baa_id);
CREATE INDEX idx_notification_tenant ON baa_notifications(tenant_id);
CREATE INDEX idx_notification_status ON baa_notifications(delivery_status);
CREATE INDEX idx_notification_sent ON baa_notifications(sent_at);
ALTER TABLE baa_notifications ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON baa_notifications
USING (tenant_id = current_setting('app.current_tenant')::uuid);
2.5 Supporting Entity: BAAReview
CREATE TABLE baa_reviews (
review_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
baa_id UUID NOT NULL REFERENCES business_associate_agreements(baa_id) ON DELETE CASCADE,
tenant_id UUID NOT NULL REFERENCES tenants(tenant_id),
-- Review Details
review_type VARCHAR(50) CHECK (review_type IN ('annual', 'incident_triggered', 'audit_triggered', 'ad_hoc')),
review_date DATE NOT NULL,
reviewer_id UUID NOT NULL REFERENCES users(user_id),
reviewer_role VARCHAR(100), -- "HIPAA Privacy Officer", "Compliance Manager"
-- Assessment
compliance_status VARCHAR(50) CHECK (compliance_status IN ('compliant', 'non_compliant', 'requires_attention', 'pending')),
findings TEXT,
recommendations TEXT,
-- Checklist (HIPAA §164.504(e) requirements)
checklist_results JSONB, -- {item: {compliant: boolean, notes: string}}
checklist_score DECIMAL(5,2), -- Percentage
-- Action Items
action_items_required BOOLEAN DEFAULT false,
action_items JSONB, -- Array of {description, assigned_to, due_date, status}
-- Follow-up
follow_up_required BOOLEAN DEFAULT false,
follow_up_date DATE,
follow_up_completed_at TIMESTAMP,
-- Document
review_document_url TEXT,
-- Attribution
created_at TIMESTAMP DEFAULT NOW(),
updated_at TIMESTAMP DEFAULT NOW(),
CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(tenant_id)
);
CREATE INDEX idx_review_baa ON baa_reviews(baa_id);
CREATE INDEX idx_review_tenant ON baa_reviews(tenant_id);
CREATE INDEX idx_review_date ON baa_reviews(review_date);
CREATE INDEX idx_review_status ON baa_reviews(compliance_status);
ALTER TABLE baa_reviews ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON baa_reviews
USING (tenant_id = current_setting('app.current_tenant')::uuid);
2.6 Entity Relationship Diagram
3. BAA Lifecycle Workflow
3.1 State Machine
3.2 Workflow Rules
| Transition | Preconditions | Actions | Post-conditions | Notification |
|---|---|---|---|---|
| Draft → Internal Review | - All required fields populated - Template selected - Parties identified | - Assign to compliance team - Create review task | - Status = internal_review- Review deadline set | Compliance team (in-app + email) |
| Internal Review → Legal Review | - Compliance sign-off - Risk assessment complete | - Assign to legal team - Attach risk assessment | - Status = legal_review- Legal review deadline set | Legal team (in-app + email) |
| Legal Review → Negotiation | - Legal approval - No deal-breaker issues | - Send to BA for review - Create negotiation tracker | - Status = negotiation- Negotiation log initiated | BA primary contact (email) |
| Negotiation → Pending Signature | - Terms agreed - Final document generated | - Initiate e-signature workflow - Set signature deadline (30 days) | - Status = pending_signature- Signature deadline set | Both parties (email + DocuSign) |
| Pending Signature → Active | - Both parties signed - Document hash recorded - Effective date reached | - Store signed document - Schedule renewal notification - Grant PHI access | - Status = active- Next review date set - PHI access enabled | Compliance officer, IT security |
| Active → Pending Renewal | - 90 days before expiration | - Trigger renewal workflow - Send renewal notification - Create renewal task | - Status = pending_renewal- Renewal process initiated | Privacy officer, vendor manager, BA |
| Active → Terminated | - Termination notice received OR - Breach/material violation | - Block PHI access immediately - Initiate PHI disposal workflow - Create termination work order | - Status = terminated- PHI access revoked - Disposal deadline set | Compliance, IT, legal, BA |
| Terminated → [End] | - PHI returned/destroyed - Certification received | - Verify disposal - Archive BAA record - Close all related tasks | - Final audit entry - Record archived | Privacy officer |
3.3 Renewal Workflow
4. BAA Status Dashboard
4.1 Dashboard Layout
┌─────────────────────────────────────────────────────────────────────┐
│ BUSINESS ASSOCIATE AGREEMENT MANAGEMENT │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ KPI CARDS │
│ ┌──────────────┬──────────────┬──────────────┬──────────────────┐ │
│ │ Total BAAs │ Active │ Expiring Soon│ Expired │ │
│ │ 47 │ 42 │ 3 │ 2 │ │
│ │ │ ✅ 89% │ ⚠️ (30d) │ ❌ │ │
│ └──────────────┴──────────────┴──────────────┴──────────────────┘ │
│ ┌──────────────┬──────────────┬──────────────┬──────────────────┐ │
│ │ Pending Sign │ In Negotiation│ Pending Rev │ Compliance Gap │ │
│ │ 5 │ 2 │ 4 │ 1 │ │
│ │ (avg 12d) │ (avg 45d) │ (avg 60d) │ ⚠️ Critical │ │
│ └──────────────┴──────────────┴──────────────┴──────────────────┘ │
│ │
├─────────────────────────────────────────────────────────────────────┤
│ COVERAGE ANALYSIS │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ Organizations Handling PHI: 52 │ │
│ │ Organizations with Valid BAA: 47 (90%) │ │
│ │ Coverage Gap: 5 (❌ 10% — requires action) │ │
│ │ - CloudStorage Inc (PHI since 2026-01-15, no BAA) │ │
│ │ - DataAnalytics Co (BAA expired 2026-02-01) │ │
│ │ - Labs-R-Us (new vendor, BAA in negotiation) │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
├─────────────────────────────────────────────────────────────────────┤
│ EXPIRATION TIMELINE (Next 180 Days) │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ Month │ Expiring │ Status │ │
│ ├───────────────────────────────────────────────────────────────┤ │
│ │ Feb 2026 │ 2 │ ⚠️ 1 pending renewal, 1 late │ │
│ │ Mar 2026 │ 1 │ ✅ Renewal in progress │ │
│ │ Apr 2026 │ 0 │ ✅ None │ │
│ │ May 2026 │ 3 │ ⚠️ 90-day notifications sent │ │
│ │ Jun 2026 │ 1 │ ✅ Auto-renew enabled │ │
│ │ Jul 2026 │ 2 │ 📅 120 days out │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
├─────────────────────────────────────────────────────────────────────┤
│ BAA LIST (Filters: Status ▼ | Vendor ▼ | Expiry Date ▼) │
│ ┌─────────────────────────────────────────────────────────────────┐│
│ │BAA #│Vendor│Status│Effective│Expires│Days Left│Risk│Actions ││
│ ├─────────────────────────────────────────────────────────────────┤│
│ │2026-│Cloud │Active│2025-03-│2027-03│ 395 │Med │View│Edit ││
│ │ 001 │Store │ │ 01 │ 01 │ │ │ │ ││
│ ├─────────────────────────────────────────────────────────────────┤│
│ │2026-│Labs │Pend │2026-04-│2027-04│ N/A │High│View│Sign ││
│ │ 007 │-R-Us │Sign │ 15 │ 15 │ │ │ │ ││
│ ├─────────────────────────────────────────────────────────────────┤│
│ │2025-│Data │Expire│2024-02-│2026-02│ -14 │Crit│View│Renew││
│ │ 042 │Analyt│d │ 01 │ 01 │ ❌ │ ❌ │ │ ││
│ └─────────────────────────────────────────────────────────────────┘│
│ [1] [2] [3] ... [8] (47 records) │
│ │
└─────────────────────────────────────────────────────────────────────┘
4.2 Dashboard Data Sources
| Widget | SQL Query | Refresh Rate |
|---|---|---|
| Total BAAs | SELECT COUNT(*) FROM business_associate_agreements WHERE tenant_id = $1 | Real-time |
| Active BAAs | SELECT COUNT(*) FROM business_associate_agreements WHERE tenant_id = $1 AND status = 'active' | Real-time |
| Expiring Soon | SELECT COUNT(*) FROM business_associate_agreements WHERE tenant_id = $1 AND status = 'active' AND expiration_date BETWEEN NOW() AND NOW() + INTERVAL '30 days' | Real-time |
| Expired | SELECT COUNT(*) FROM business_associate_agreements WHERE tenant_id = $1 AND status = 'expired' | Real-time |
| Coverage Gap | SELECT COUNT(DISTINCT v.vendor_id) FROM vendors v LEFT JOIN business_associate_agreements b ON v.vendor_id = b.business_associate_id AND b.status = 'active' WHERE v.phi_access = true AND b.baa_id IS NULL | Every 5 min |
| Expiration Timeline | SELECT DATE_TRUNC('month', expiration_date) AS month, COUNT(*) FROM business_associate_agreements WHERE tenant_id = $1 AND status = 'active' AND expiration_date BETWEEN NOW() AND NOW() + INTERVAL '180 days' GROUP BY month ORDER BY month | Every hour |
4.3 Drill-Down Views
4.3.1 Individual BAA Detail View
┌─────────────────────────────────────────────────────────────────────┐
│ BAA-2026-001: CloudStorage Inc [Edit] [⋯] │
├─────────────────────────────────────────────────────────────────────┤
│ STATUS: Active ✅ RISK: Medium ⚠️ NEXT REVIEW: 2026-09-01 │
│ │
│ PARTIES │
│ Covered Entity: Acme Biosciences Inc │
│ Business Assoc: CloudStorage Inc │
│ Contact: Jane Smith (jsmith@cloudstorage.com) │
│ Privacy Officer: John Doe (privacy@cloudstorage.com) │
│ │
│ DATES │
│ Effective: 2025-03-01 │
│ Expires: 2027-03-01 (395 days remaining) │
│ Auto-renew: Yes (90-day notice) │
│ │
│ PERMITTED USES & DISCLOSURES │
│ Uses: Healthcare Operations, Data Storage │
│ PHI Types: Demographic, Clinical (de-identified) │
│ Minimization Required: Yes ✅ │
│ │
│ SECURITY REQUIREMENTS │
│ Level: Enhanced │
│ Encryption: AES-256, TLS 1.3 ✅ │
│ Access Ctrl: MFA Required, IP Allowlist ✅ │
│ Auditing: Required ✅ (logs retained 7 years) │
│ SOC 2: Type II (expires 2026-12-31) ✅ │
│ │
│ BREACH NOTIFICATION │
│ Timeline: 60 hours │
│ Contact: security@cloudstorage.com | +1-555-0100 │
│ │
│ TERMINATION PROVISIONS │
│ Notice: 30 days │
│ PHI Disposal: Return (certification required) │
│ Deadline: 30 days post-termination │
│ │
│ SUBCONTRACTORS (2) │
│ - AWS (BAA-2026-001-SUB-001, authorized 2025-03-15) ✅ │
│ - BackupCo (BAA-2026-001-SUB-002, authorized 2025-06-01) ✅ │
│ │
│ AMENDMENTS (1) │
│ #1: 2025-09-15 — Added BackupCo subcontractor [View] │
│ │
│ REVIEWS (2) │
│ 2026-03-01: Annual Review (Compliant, 98%) by J. Privacy [View] │
│ 2025-03-01: Initial Assessment (Compliant, 100%) by J. Privacy │
│ │
│ DOCUMENTS │
│ 📄 Signed BAA (2025-03-01) [Download] [Verify Hash] │
│ 📄 Amendment #1 (2025-09-15) [Download] │
│ 📄 SOC 2 Type II Report (2025-12-31) [Download] │
│ │
│ AUDIT TRAIL │
│ 2026-02-14 10:32 UTC: Annual review completed by J. Privacy │
│ 2025-09-15 14:22 UTC: Amendment #1 signed │
│ 2025-03-01 09:15 UTC: BAA activated │
│ [View Full Audit Trail] │
└─────────────────────────────────────────────────────────────────────┘
5. Alert and Notification System
5.1 Notification Schedule
| Event | Trigger | Timing | Priority | Channels | Recipients |
|---|---|---|---|---|---|
| Renewal - 90 days | expiration_date - 90 days | 9:00 AM local | Medium | Email, In-app | Vendor Manager, Compliance Officer, BA Primary Contact |
| Renewal - 60 days | expiration_date - 60 days | 9:00 AM local | Medium | Email, In-app | Vendor Manager, Compliance Officer, BA Primary Contact |
| Renewal - 30 days | expiration_date - 30 days | 9:00 AM local | High | Email, In-app, Slack | Vendor Manager, Compliance Officer, Privacy Officer, BA Primary Contact |
| Renewal - 7 days | expiration_date - 7 days | 9:00 AM local | Critical | Email, In-app, Slack, SMS | Privacy Officer, CIO, Compliance Manager, BA Primary + Legal Contact |
| Expiration Day | expiration_date = TODAY | 6:00 AM local | Critical | Email, In-app, Slack, SMS | Privacy Officer, CIO, CISO, Legal, BA Primary + Legal |
| Expired (auto-action) | expiration_date < TODAY AND status = 'active' | Immediate | Critical | Email, In-app, Slack | Privacy Officer, CIO, CISO, IT Security |
| Annual Review Due | next_review_date - 30 days | 9:00 AM local | Medium | Email, In-app | Compliance Officer, Assigned Reviewer |
| Compliance Gap Detected | Vendor with PHI access has no active BAA | Immediate | Critical | Email, In-app, Slack | Privacy Officer, Vendor Manager, CISO |
| Subcontractor Added | New entry in authorized_subcontractors | Immediate | Low | Email, In-app | Compliance Officer, Vendor Manager |
| Amendment Required | User-triggered or policy-triggered | Immediate | Medium | Email, In-app | Legal, Compliance Officer, Vendor Manager |
| Security Incident | Integration from incident management system | Immediate | Critical | Email, In-app, Slack, SMS | Privacy Officer, CISO, Legal, affected BA |
5.2 Notification Templates
Template: Renewal 90-Day Notice
Subject: Action Required: BAA Renewal for {{business_associate_name}} (90 days)
Dear {{recipient_name}},
This is a notification that the Business Associate Agreement (BAA) with {{business_associate_name}} will expire in 90 days.
BAA Details:
- BAA Number: {{baa_number}}
- Business Associate: {{business_associate_name}}
- Effective Date: {{effective_date}}
- Expiration Date: {{expiration_date}}
- Days Remaining: 90
Action Required:
1. Review the current BAA for any required updates
2. Confirm renewal intent with the Business Associate
3. Determine if terms renegotiation is needed
4. Initiate renewal workflow in the BAA Management System
{% if auto_renew %}
Note: This BAA has auto-renewal enabled. If no changes are required, the renewal amendment will be generated automatically at 60 days before expiry.
{% endif %}
View BAA Details: {{dashboard_link}}
Contact: {{compliance_officer_name}} ({{compliance_officer_email}})
This notification was sent to: {{recipient_roles}}
---
CODITECT BIO-QMS | BAA Management Module
Automated notification — do not reply
Template: Expiration Critical Warning (7 days)
Subject: URGENT: BAA Expiring in 7 Days — {{business_associate_name}} — PHI ACCESS AT RISK
URGENT ACTION REQUIRED
The Business Associate Agreement (BAA) with {{business_associate_name}} will expire in 7 DAYS.
BAA Number: {{baa_number}}
Expiration Date: {{expiration_date}}
Current Status: {{status}}
IMPACT IF NOT RENEWED:
- PHI access for {{business_associate_name}} will be AUTOMATICALLY BLOCKED on {{expiration_date}}
- All PHI sharing services will be SUSPENDED
- HIPAA compliance violation if PHI access continues without valid BAA
IMMEDIATE ACTIONS REQUIRED:
1. If renewal is in progress: Expedite signature collection
2. If renewal is stalled: Escalate to executive sponsors
3. If not renewing: Initiate termination and PHI disposal workflow immediately
Current Workflow Status:
{{workflow_status}}
Open Tasks:
{{open_tasks}}
Contact Immediately:
- Privacy Officer: {{privacy_officer_name}} ({{privacy_officer_email}})
- Business Associate Contact: {{ba_contact_name}} ({{ba_contact_email}})
View BAA Details: {{dashboard_link}}
This is the FINAL automated warning. Manual intervention is required.
---
CODITECT BIO-QMS | BAA Management Module
CRITICAL ALERT — Immediate Action Required
Template: BAA Expired — PHI Access Blocked
Subject: CRITICAL: BAA EXPIRED — PHI Access Blocked for {{business_associate_name}}
CRITICAL ALERT: BAA EXPIRED
The Business Associate Agreement (BAA) with {{business_associate_name}} has EXPIRED as of {{expiration_date}}.
BAA Number: {{baa_number}}
Expiration Date: {{expiration_date}}
Current Status: EXPIRED
ACTIONS TAKEN AUTOMATICALLY:
✅ PHI access for {{business_associate_name}} has been BLOCKED
✅ All data sharing connections have been SUSPENDED
✅ Incident report #{{incident_id}} has been created
✅ Compliance gap alert has been escalated to Privacy Officer
REQUIRED ACTIONS:
1. IMMEDIATE: Verify no PHI is being transmitted to {{business_associate_name}}
2. URGENT: Determine renewal or termination path
- If renewing: Expedite renewal workflow (PHI access will remain blocked until valid BAA is in place)
- If terminating: Initiate PHI return/destruction workflow
3. Document decision and rationale in incident report #{{incident_id}}
4. Notify {{business_associate_name}} of access suspension
COMPLIANCE NOTES:
- Continuing PHI transmission without a valid BAA is a HIPAA violation (§164.502(e))
- OCR enforcement actions may result from expired BAA with ongoing PHI access
- This incident will be included in the next compliance audit report
Contact:
- Privacy Officer: {{privacy_officer_name}} ({{privacy_officer_email}}) — IMMEDIATE ACTION REQUIRED
- CIO: {{cio_name}} ({{cio_email}})
- Legal: {{legal_contact_name}} ({{legal_contact_email}})
View Incident Report: {{incident_link}}
View BAA Details: {{dashboard_link}}
---
CODITECT BIO-QMS | BAA Management Module
CRITICAL ALERT — Compliance Violation Risk
5.3 Escalation Matrix
| Days Before Expiry | Recipients | Priority | Escalation Action |
|---|---|---|---|
| 90 days | Vendor Manager, Compliance Officer, BA Contact | Medium | None (first notice) |
| 60 days | + Privacy Officer | Medium | Create task for Privacy Officer review |
| 30 days | + CIO | High | Create high-priority task, daily status check |
| 7 days | + Legal, CISO | Critical | Escalate to executive leadership, twice-daily status check |
| Expiration day | + CEO (if critical vendor) | Critical | Emergency meeting, immediate containment plan |
| Post-expiration | Full executive team, Board (if material) | Critical | Incident response, legal review, OCR notification assessment |
5.4 Automated Actions
| Trigger | Automated Action | Manual Override |
|---|---|---|
| 90 days before expiry | Create renewal task, send notifications | Can snooze 7 days (once) |
| 60 days before expiry | Escalate priority, send second notification | Can snooze 7 days (once) |
| 30 days before expiry | Create high-priority task, alert Privacy Officer, create Slack channel | Cannot snooze |
| 7 days before expiry | Alert executive team, create incident placeholder | Cannot snooze |
| Expiration day (no renewal) | Status → expired, block PHI access, create incident report | Can manually reactivate (requires Privacy Officer approval + justification) |
| Subcontractor added without BAA | Create compliance gap alert, block subcontractor PHI access | Cannot override (BAA required) |
| Amendment signed | Update BAA record, increment amendment count, notify stakeholders | N/A |
| Annual review overdue | Escalate to Compliance Manager, create overdue task | Can extend deadline (with justification) |
6. BAA Compliance Verification
6.1 Annual BAA Review Process
Regulatory Requirement: OCR Audit Protocol mandates annual review of all BAAs to ensure ongoing compliance with HIPAA requirements.
Review Cycle: Every BAA must be reviewed within 12 months of activation and annually thereafter.
6.1.1 Review Checklist (15 Items — HIPAA §164.504(e))
| # | Requirement | HIPAA Reference | Verification Method | Evidence |
|---|---|---|---|---|
| 1 | BAA establishes permitted uses and disclosures | §164.504(e)(2)(i)(A) | Review permitted_uses and permitted_disclosures fields | Document excerpt |
| 2 | BA agrees not to use or disclose PHI except as permitted | §164.504(e)(2)(i)(B) | Review contract clauses 3.1-3.3 | Contract section |
| 3 | BA agrees to use appropriate safeguards | §164.504(e)(2)(ii)(A) | Verify security_requirements_level and security controls | Security assessment report |
| 4 | BA agrees to report security incidents | §164.504(e)(2)(ii)(B) | Review breach notification clause, verify breach_notification_timeline_hours | Contract section, test notification |
| 5 | BA agrees to ensure subcontractor compliance | §164.504(e)(2)(i)(D) | Review authorized_subcontractors, verify sub-BAAs exist | Sub-BAA documents |
| 6 | BA provides access to PHI as required by individual | §164.504(e)(2)(ii)(E) | Review data access provisions | Contract section |
| 7 | BA provides access to PHI for amendment | §164.504(e)(2)(ii)(F) | Review amendment provisions | Contract section |
| 8 | BA makes internal practices available for OCR review | §164.504(e)(2)(ii)(H) | Review audit cooperation clause | Contract section |
| 9 | BA provides accounting of disclosures | §164.504(e)(2)(ii)(G) | Review disclosure tracking provisions | Contract section |
| 10 | BAA includes termination provisions | §164.504(e)(2)(i)(H) | Verify termination_notice_period_days and phi_disposal_method | Contract section |
| 11 | BAA requires return or destruction of PHI | §164.504(e)(2)(i)(I) | Verify phi_return_required or phi_destruction_allowed | Contract section |
| 12 | Covered Entity authorized to terminate for violations | §164.504(e)(1)(ii) | Review termination for cause clause | Contract section |
| 13 | BA contact information is current | N/A (operational) | Verify email/phone of BA privacy officer | Test email delivery |
| 14 | BA certifications are current (SOC 2, HITRUST, etc.) | Contract-specific | Check soc2_certification_required, verify expiration | Certificate copy |
| 15 | No material changes in BA services requiring amendment | N/A (operational) | Review service scope changes in past 12 months | Change log |
6.1.2 Review Workflow
6.2 Subcontractor BAA Chain Verification
Requirement: Per HIPAA §164.504(e)(2)(i)(D), the Covered Entity must ensure that any subcontractors of the Business Associate who create, receive, maintain, or transmit PHI also have satisfactory assurances (i.e., a BAA).
6.2.1 Subcontractor Chain Data Model
-- Example: Multi-level subcontractor chain
-- CE → BA1 (cloud storage) → BA1-SUB1 (AWS) → BA1-SUB1-SUB1 (AWS subprocessor)
SELECT
baa.baa_id,
baa.baa_number,
baa.business_associate_name,
baa.baa_type,
baa.parent_baa_id,
parent.baa_number AS parent_baa_number,
parent.business_associate_name AS parent_ba_name,
baa.status,
baa.expiration_date
FROM business_associate_agreements baa
LEFT JOIN business_associate_agreements parent ON baa.parent_baa_id = parent.baa_id
WHERE baa.tenant_id = $1
AND baa.baa_type IN ('subcontractor', 'omnibus')
ORDER BY baa.parent_baa_id, baa.baa_number;
6.2.2 Chain Verification Process
| Verification Step | Frequency | Responsible Party | Evidence Required |
|---|---|---|---|
| Identify all subcontractors | Quarterly | Vendor Manager | Subcontractor list from BA |
| Verify BAA exists for each subcontractor | Quarterly | Compliance Officer | Copy of sub-BAA or omnibus BAA |
| Verify sub-BAA terms ≥ parent BAA terms | Annual | Legal | Comparison matrix |
| Verify sub-BAA expiration ≤ parent BAA expiration | Quarterly | Compliance Officer | Dates validation report |
| Audit unauthorized subcontractors | Continuous (automated) | System | Alert if new subcontractor detected without BAA |
6.2.3 Subcontractor Chain Visualization
Dashboard Widget: Subcontractor Chain Explorer
BAA-2026-001: CloudStorage Inc (Primary BA)
├── Status: Active ✅
├── Expires: 2027-03-01
├── Subcontractors (2):
│ ├── BAA-2026-001-SUB-001: AWS
│ │ ├── Status: Active ✅
│ │ ├── Expires: 2027-03-01 ✅ (matches parent)
│ │ ├── BAA Type: Omnibus (AWS standard BAA)
│ │ └── Sub-subcontractors (1):
│ │ └── BAA-2026-001-SUB-001-SUB-001: AWS Lambda (covered by omnibus)
│ │
│ └── BAA-2026-001-SUB-002: BackupCo
│ ├── Status: Active ✅
│ ├── Expires: 2026-12-01 ⚠️ (expires before parent — requires attention)
│ └── Sub-subcontractors: None
│
└── Compliance Issues:
└── ⚠️ BackupCo BAA expires 3 months before CloudStorage BAA — renewal required
6.3 Security Assessment Requirements Per BAA
| Security Requirement Level | Assessment Frequency | Assessment Type | Required Certifications | Evidence Retention |
|---|---|---|---|---|
| Standard | Annual | Self-assessment questionnaire | None (optional: HIPAA compliance attestation) | 6 years |
| Enhanced | Semi-annual | Third-party security assessment | SOC 2 Type II (preferred) OR HITRUST CSF (preferred) | 6 years |
| Critical | Quarterly | Penetration testing + third-party audit | SOC 2 Type II (required) + HITRUST CSF (required) | 7 years |
Automated Tracking:
- System sends assessment reminder based on
security_requirements_leveland last assessment date - Assessment results stored in
baa_reviewstable withreview_type = 'security_assessment' - Expired certifications trigger compliance gap alert
6.4 Breach Notification Obligation Tracking
Regulatory Requirement: HITECH Act §13402 requires Business Associates to notify Covered Entities of breaches of unsecured PHI within 60 days of discovery (or sooner per BAA terms).
6.4.1 Breach Notification Workflow Integration
6.4.2 Breach Notification Compliance Metrics
| Metric | Calculation | Target | Dashboard Widget |
|---|---|---|---|
| On-time notifications | (notifications within timeline) / (total notifications) | 100% | KPI card |
| Average notification delay | AVG(notification_received - breach_discovered) | < 24 hours | Trend chart |
| Breach count by BA | COUNT(breaches) GROUP BY business_associate_id | Minimize | Table |
| OCR-reportable breaches | COUNT(breaches WHERE affected_individuals >= 500) | Minimize | KPI card |
6.5 PHI Inventory Per BAA
Purpose: Track what specific PHI data elements are shared with each Business Associate to ensure data minimization (HIPAA §164.514(d)) and facilitate breach impact assessment.
6.5.1 PHI Inventory Data Model
CREATE TABLE baa_phi_inventory (
inventory_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
baa_id UUID NOT NULL REFERENCES business_associate_agreements(baa_id) ON DELETE CASCADE,
tenant_id UUID NOT NULL REFERENCES tenants(tenant_id),
-- Data Classification
phi_category VARCHAR(100) NOT NULL, -- "demographic", "clinical", "billing", "lab_results", "imaging"
data_elements JSONB NOT NULL, -- Array of specific fields: ["first_name", "last_name", "dob", "ssn"]
sensitivity_level VARCHAR(50) CHECK (sensitivity_level IN ('low', 'medium', 'high', 'critical')),
-- Purpose
purpose_of_disclosure VARCHAR(255) NOT NULL, -- "cloud storage", "data analytics", "billing services"
regulatory_basis VARCHAR(100), -- "treatment", "payment", "healthcare_operations", "research"
-- Volume
approximate_record_count INTEGER,
update_frequency VARCHAR(50), -- "real-time", "daily", "weekly", "monthly", "on-demand"
-- Data Flow
data_flow_direction VARCHAR(50) CHECK (data_flow_direction IN ('to_ba', 'from_ba', 'bidirectional')),
transmission_method VARCHAR(100), -- "SFTP", "API", "direct_db_access", "manual_upload"
encryption_in_transit BOOLEAN DEFAULT true,
encryption_at_rest BOOLEAN DEFAULT true,
-- Lifecycle
retention_period_days INTEGER,
disposal_method VARCHAR(100), -- "automatic_deletion", "manual_deletion", "return_to_ce"
-- Attribution
documented_at TIMESTAMP DEFAULT NOW(),
documented_by UUID REFERENCES users(user_id),
last_verified_at TIMESTAMP,
verified_by UUID REFERENCES users(user_id),
CONSTRAINT fk_tenant FOREIGN KEY (tenant_id) REFERENCES tenants(tenant_id)
);
CREATE INDEX idx_phi_inventory_baa ON baa_phi_inventory(baa_id);
CREATE INDEX idx_phi_inventory_tenant ON baa_phi_inventory(tenant_id);
ALTER TABLE baa_phi_inventory ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON baa_phi_inventory
USING (tenant_id = current_setting('app.current_tenant')::uuid);
6.5.2 PHI Inventory Dashboard Widget
┌─────────────────────────────────────────────────────────────────────┐
│ PHI INVENTORY: BAA-2026-001 (CloudStorage Inc) │
├─────────────────────────────────────────────────────────────────────┤
│ Category │ Data Elements │ Records │ Sens. │
├─────────────────────────────────────────────────────────────────────┤
│ Demographic │ First, Last, DOB, Address │ ~15,000 │ Medium │
│ Clinical │ Diagnoses, Medications │ ~12,000 │ High │
│ Billing │ Insurance ID, Claims │ ~8,000 │ Medium │
│ Lab Results │ Test results, dates │ ~5,000 │ High │
├─────────────────────────────────────────────────────────────────────┤
│ Total Records: ~40,000 │
│ Highest Sensitivity: High (Clinical, Lab Results) │
│ Data Flow: To BA (cloud backup) │
│ Transmission: SFTP (encrypted) ✅ │
│ Last Verified: 2026-01-15 by J. Privacy │
│ [Update Inventory] [Verify Now] │
└─────────────────────────────────────────────────────────────────────┘
7. BAA Template Library
7.1 Template Version Control
CREATE TABLE baa_templates (
template_id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
template_name VARCHAR(255) NOT NULL,
template_type VARCHAR(50) CHECK (template_type IN ('standard', 'enhanced', 'subcontractor', 'dua', 'omnibus')),
version VARCHAR(20) NOT NULL, -- "1.0", "1.1", "2.0"
-- Template Content
template_content TEXT NOT NULL, -- Full contract text with {{variables}}
variables JSONB, -- {variable_name: {type, description, required}}
-- Regulatory Basis
based_on_model VARCHAR(100) DEFAULT 'HHS Model BAA (2013)', -- "HHS Model BAA (2013)", "Custom", "HITRUST"
hipaa_compliant BOOLEAN DEFAULT true,
hitech_compliant BOOLEAN DEFAULT true,
state_specific JSONB, -- ["California CCPA", "Texas HB 300"]
-- Status
status VARCHAR(50) CHECK (status IN ('draft', 'legal_review', 'approved', 'active', 'deprecated')),
effective_date DATE,
deprecated_date DATE,
superseded_by UUID REFERENCES baa_templates(template_id),
-- Approval
approved_by UUID REFERENCES users(user_id),
approved_at TIMESTAMP,
approval_notes TEXT,
-- Attribution
created_at TIMESTAMP DEFAULT NOW(),
created_by UUID REFERENCES users(user_id),
updated_at TIMESTAMP DEFAULT NOW(),
updated_by UUID REFERENCES users(user_id),
CONSTRAINT uq_template_version UNIQUE (template_name, version)
);
CREATE INDEX idx_template_status ON baa_templates(status);
CREATE INDEX idx_template_type ON baa_templates(template_type);
7.2 Template Approval Workflow
7.3 Standard Template Library (Initial Set)
| Template Name | Type | Version | Based On | Use Case | Status |
|---|---|---|---|---|---|
| HHS Model BAA | Standard | 1.0 | HHS Model BAA (2013) | General-purpose BA relationships | Active |
| Enhanced BAA (Cloud Services) | Enhanced | 1.2 | Custom + HHS | Cloud storage, SaaS, PaaS providers | Active |
| Enhanced BAA (High Risk) | Enhanced | 1.1 | Custom + HHS + HITRUST | Critical BAs handling sensitive PHI | Active |
| Subcontractor BAA | Subcontractor | 1.0 | HHS + flow-down clauses | BA's downstream BAs | Active |
| Omnibus BAA | Omnibus | 1.0 | Custom multi-entity | Multi-entity arrangements (e.g., AWS, Azure) | Active |
| Data Use Agreement (Research) | DUA | 1.0 | HHS Limited Data Set DUA | Research with limited datasets | Active |
7.4 Template Variable Substitution
Example variables in templates:
{
"variables": {
"covered_entity_name": {
"type": "string",
"description": "Legal name of Covered Entity",
"required": true
},
"business_associate_name": {
"type": "string",
"description": "Legal name of Business Associate",
"required": true
},
"effective_date": {
"type": "date",
"description": "Date BAA becomes effective",
"required": true
},
"term_years": {
"type": "integer",
"description": "Initial term in years",
"default": 2
},
"breach_notification_hours": {
"type": "integer",
"description": "Hours to notify CE of breach",
"default": 60,
"min": 24,
"max": 1440
},
"security_level": {
"type": "enum",
"description": "Security requirements level",
"options": ["standard", "enhanced", "critical"],
"required": true
},
"subcontractors_allowed": {
"type": "boolean",
"description": "Whether BA can use subcontractors",
"default": true
}
}
}
Template rendering engine: Jinja2 or Handlebars for server-side rendering, variable validation before generation.
8. Integration Points
8.1 Integration Architecture
8.2 API Endpoints
8.2.1 Core CRUD Operations
| Method | Endpoint | Description | Request Body | Response |
|---|---|---|---|---|
| POST | /api/v1/baas | Create new BAA | {covered_entity_id, business_associate_id, baa_type, effective_date, expiration_date, permitted_uses, security_requirements_level, ...} | {baa_id, baa_number, status} |
| GET | /api/v1/baas | List all BAAs (tenant-scoped) | Query params: ?status=active&expiring_soon=true&limit=50&offset=0 | {baas: [...], total: 47, page: 1} |
| GET | /api/v1/baas/:baa_id | Get BAA details | N/A | {baa_id, baa_number, status, parties, dates, permitted_uses, ...} |
| PUT | /api/v1/baas/:baa_id | Update BAA (draft only) | {field: new_value, ...} | {baa_id, updated_at} |
| DELETE | /api/v1/baas/:baa_id | Delete BAA (draft only) | N/A | {deleted: true} |
8.2.2 Workflow Operations
| Method | Endpoint | Description | Request Body | Response |
|---|---|---|---|---|
| POST | /api/v1/baas/:baa_id/submit-for-review | Transition Draft → Internal Review | {reviewer_id} | {status: "internal_review"} |
| POST | /api/v1/baas/:baa_id/approve | Approve in current stage | {approver_id, notes} | {status: "next_stage"} |
| POST | /api/v1/baas/:baa_id/reject | Reject and return to previous stage | {reason} | {status: "previous_stage"} |
| POST | /api/v1/baas/:baa_id/activate | Activate after signatures | {signature_confirmation} | {status: "active", phi_access_enabled: true} |
| POST | /api/v1/baas/:baa_id/initiate-renewal | Start renewal workflow | {renewal_type: "auto" or "renegotiate"} | {renewal_task_id, status: "pending_renewal"} |
| POST | /api/v1/baas/:baa_id/terminate | Terminate BAA | {termination_reason, phi_disposal_plan} | {status: "terminated", phi_access_blocked: true} |
8.2.3 Amendment Operations
| Method | Endpoint | Description | Request Body | Response |
|---|---|---|---|---|
| POST | /api/v1/baas/:baa_id/amendments | Create amendment | {amendment_type, description, changes_summary} | {amendment_id, amendment_number} |
| GET | /api/v1/baas/:baa_id/amendments | List amendments | N/A | {amendments: [...]} |
| POST | /api/v1/baas/:baa_id/amendments/:amendment_id/approve | Approve amendment | {approver_id} | {approved: true} |
8.2.4 Notification & Review Operations
| Method | Endpoint | Description | Request Body | Response |
|---|---|---|---|---|
| GET | /api/v1/baas/:baa_id/notifications | Get notification history | N/A | {notifications: [...]} |
| POST | /api/v1/baas/:baa_id/reviews | Create compliance review | {review_type, checklist_results} | {review_id} |
| GET | /api/v1/baas/:baa_id/reviews | Get review history | N/A | {reviews: [...]} |
| POST | /api/v1/baas/:baa_id/reviews/:review_id/complete | Complete review | {compliance_status, findings, recommendations} | {completed: true} |
8.2.5 Reporting Operations
| Method | Endpoint | Description | Query Params | Response |
|---|---|---|---|---|
| GET | /api/v1/baas/reports/inventory | BAA inventory report | ?format=pdf or csv | PDF or CSV file |
| GET | /api/v1/baas/reports/expiring | Expiring BAAs report | ?days=30&format=csv | CSV file |
| GET | /api/v1/baas/reports/subcontractor-chain | Subcontractor chain report | ?baa_id=... | JSON or PDF |
| GET | /api/v1/baas/reports/compliance-gap | Compliance gap analysis | N/A | JSON |
| GET | /api/v1/baas/reports/breach-notifications | Breach notification compliance | ?start_date=...&end_date=... | JSON |
8.3 Webhook Events
| Event | Trigger | Payload | Subscribers |
|---|---|---|---|
baa.created | New BAA created | {baa_id, baa_number, business_associate_name, status} | Vendor management, audit trail |
baa.activated | BAA becomes active | {baa_id, effective_date, phi_access_enabled: true} | IT security (enable PHI access), compliance dashboard |
baa.renewed | BAA renewed | {baa_id, new_expiration_date, amendment_id} | Compliance dashboard |
baa.expired | BAA expired | {baa_id, expiration_date, phi_access_blocked: true} | IT security (block PHI access), incident management |
baa.terminated | BAA terminated | {baa_id, termination_date, phi_disposal_deadline} | IT security, document management |
baa.amendment.signed | Amendment signed | {baa_id, amendment_id, changes_summary} | Compliance dashboard, audit trail |
baa.renewal.notification | Renewal notification sent | {baa_id, days_until_expiry, notification_type} | Compliance officer |
baa.compliance.gap | Vendor has PHI access but no active BAA | {vendor_id, vendor_name, phi_access_since} | Privacy officer (critical alert) |
9. Reporting and Compliance
9.1 BAA Inventory Report (OCR Audit Ready)
Purpose: Provide complete inventory of all BAAs for HIPAA audits (OCR Audit Protocol Phase 2 requirement).
Report Contents:
| Section | Data Fields | Source Table |
|---|---|---|
| Executive Summary | Total BAAs, active count, expired count, pending count, compliance percentage | business_associate_agreements (aggregates) |
| BAA List | BAA number, BA name, effective date, expiration date, status, security level, permitted uses | business_associate_agreements |
| Subcontractor Inventory | Parent BA, subcontractor name, sub-BAA number, status, expiration date | business_associate_agreements (parent_baa_id join) |
| PHI Data Elements | BA name, PHI categories, data elements, record count, sensitivity | baa_phi_inventory |
| Breach Notifications | BA name, breach date, notification date, timeline compliance, OCR-reportable | incident_management + baa_notifications |
| Compliance Gaps | Vendors with PHI access but no active BAA, overdue reviews, expired certifications | Derived (cross-system query) |
Report Formats:
- PDF (executive presentation)
- CSV (data export)
- JSON (API integration)
Generation Frequency:
- On-demand (for audits)
- Quarterly (compliance review)
- Annual (executive summary)
9.2 Subcontractor Chain Report
Purpose: Visualize multi-level subcontractor relationships and verify all downstream BAAs are in place.
Report Structure:
Subcontractor Chain Report
Generated: 2026-02-16 | Tenant: Acme Biosciences
Primary Business Associate: CloudStorage Inc (BAA-2026-001)
├── Status: Active ✅
├── Expires: 2027-03-01
├── Level 1 Subcontractors (2):
│ ├── AWS (BAA-2026-001-SUB-001)
│ │ ├── Status: Active ✅
│ │ ├── Expires: 2027-03-01
│ │ ├── Type: Omnibus
│ │ └── Level 2 Subcontractors (3):
│ │ ├── AWS Lambda (covered by omnibus) ✅
│ │ ├── AWS S3 (covered by omnibus) ✅
│ │ └── AWS RDS (covered by omnibus) ✅
│ │
│ └── BackupCo (BAA-2026-001-SUB-002)
│ ├── Status: Active ✅
│ ├── Expires: 2026-12-01 ⚠️
│ ├── Issue: Expires 3 months before parent BAA
│ └── Level 2 Subcontractors: None
│
└── Compliance Status:
├── Total subcontractors: 5
├── Valid BAAs: 5/5 ✅
├── Expiration alignment: 4/5 ⚠️ (1 issue)
└── Action Required: Renew BackupCo BAA to align with parent expiration
9.3 Breach Notification Compliance Report
Purpose: Track Business Associate compliance with breach notification obligations under HITECH Act.
Metrics Tracked:
| Metric | Calculation | Target | Red Flag Threshold |
|---|---|---|---|
| On-time notification rate | (on-time notifications) / (total notifications) | 100% | <95% |
| Average notification delay | AVG(notification_received - breach_discovered) | <24 hours | >48 hours |
| Late notifications | Count of notifications received after BAA deadline | 0 | >1 per quarter |
| Unreported breaches | Breaches discovered by CE (not BA) | 0 | >0 |
| OCR-reportable breaches | Breaches affecting ≥500 individuals | Minimize | >2 per year |
Report Output:
Breach Notification Compliance Report
Period: 2025-Q4 (Oct 1 - Dec 31, 2025)
Summary:
- Total Breaches Reported: 3
- On-time Notifications: 3/3 (100%) ✅
- Average Notification Delay: 18 hours ✅
- Late Notifications: 0 ✅
- OCR-Reportable: 0 ✅
Breach Details:
1. DataAnalytics Co — 2025-10-15
- Breach Discovered: 2025-10-15 08:00 UTC
- CE Notified: 2025-10-15 14:30 UTC (6.5 hours) ✅
- BAA Timeline: 60 hours
- Individuals Affected: 12
- OCR-Reportable: No
2. CloudStorage Inc — 2025-11-22
- Breach Discovered: 2025-11-22 10:00 UTC
- CE Notified: 2025-11-23 09:00 UTC (23 hours) ✅
- BAA Timeline: 60 hours
- Individuals Affected: 45
- OCR-Reportable: No
3. LabResults Inc — 2025-12-05
- Breach Discovered: 2025-12-05 15:00 UTC
- CE Notified: 2025-12-06 18:00 UTC (27 hours) ✅
- BAA Timeline: 60 hours
- Individuals Affected: 8
- OCR-Reportable: No
Compliance Assessment: COMPLIANT ✅
No issues identified. All BAs met notification deadlines.
9.4 BAA Gap Analysis Report
Purpose: Identify vendors, systems, or workflows that handle PHI without a valid BAA in place.
Gap Detection Logic:
-- Vendors with PHI access but no active BAA
SELECT
v.vendor_id,
v.vendor_name,
v.phi_access_level,
v.onboarding_date,
v.services_provided,
baa.baa_id,
baa.status AS baa_status,
baa.expiration_date
FROM vendors v
LEFT JOIN business_associate_agreements baa
ON v.vendor_id = baa.business_associate_id
AND baa.status = 'active'
WHERE v.phi_access_level IN ('limited', 'full')
AND v.active = true
AND baa.baa_id IS NULL
ORDER BY v.risk_tier DESC, v.onboarding_date ASC;
Report Output:
BAA Gap Analysis Report
Generated: 2026-02-16
CRITICAL GAPS (5):
These vendors have PHI access but NO valid BAA. IMMEDIATE ACTION REQUIRED.
1. CloudStorage Inc (CRITICAL RISK)
- PHI Access Level: Full
- PHI Access Since: 2026-01-15 (32 days without BAA) ❌
- Services: Cloud backup, file storage
- Action: Block PHI access immediately, initiate BAA workflow
- Assigned To: J. Privacy (Privacy Officer)
2. DataAnalytics Co (HIGH RISK)
- PHI Access Level: Limited
- BAA Status: Expired (2026-02-01)
- Days Expired: 15 ❌
- Services: De-identified analytics
- Action: Verify data is truly de-identified OR renew BAA immediately
- Assigned To: V. Manager (Vendor Manager)
...
MODERATE GAPS (2):
BAAs exist but have compliance issues.
1. BackupCo
- BAA Status: Active ✅
- Issue: Expires 3 months before parent CloudStorage BAA ⚠️
- Action: Align expiration dates via amendment
- Assigned To: V. Manager
...
COMPLIANCE SUMMARY:
- Total Vendors with PHI Access: 52
- Valid BAAs: 47 (90%)
- Critical Gaps: 5 (10%) ❌
- Compliance Target: 100%
- Action Items Created: 7
Next Review: 2026-03-16
9.5 Annual BAA Review Completion Tracking
Dashboard Widget:
Annual BAA Review Tracking
Review Period: 2025-03-01 to 2026-02-29
Progress: 42/47 (89%) Complete ⚠️
Overdue: 3 (deadline passed)
Due This Month: 2
Status Breakdown:
✅ Compliant (36) — 77%
⚠️ Requires Attention (4) — 8%
❌ Non-Compliant (2) — 4%
⏳ Pending Review (5) — 11%
Overdue Reviews:
1. CloudStorage Inc (BAA-2026-001) — Due: 2026-02-01, 15 days overdue ❌
2. Labs-R-Us (BAA-2026-007) — Due: 2026-02-10, 6 days overdue ❌
3. LabResults Inc (BAA-2025-042) — Due: 2026-02-12, 4 days overdue ❌
Action Required: Assign reviewers to overdue reviews immediately.
10. HIPAA §164.504(e) Compliance Matrix
Purpose: Map HIPAA regulatory requirements to system implementation.
| HIPAA Provision | Requirement | System Implementation | Evidence Location |
|---|---|---|---|
| §164.502(e)(1) | Covered Entity may disclose PHI to BA only if satisfactory assurances obtained via BAA | PHI access blocked until BAA status = active | business_associate_agreements.status + access control integration |
| §164.504(e)(2)(i)(A) | BAA must establish permitted uses and disclosures | permitted_uses and permitted_disclosures JSONB fields (required, non-null) | business_associate_agreements table |
| §164.504(e)(2)(i)(B) | BA agrees not to use/disclose PHI except as permitted | Contract clause + audit logging | Template library + audit_trail |
| §164.504(e)(2)(ii)(A) | BA agrees to use appropriate safeguards | security_requirements_level + specific controls in encryption_required, access_control_requirements | business_associate_agreements table |
| §164.504(e)(2)(ii)(B) | BA agrees to report security incidents | breach_notification_timeline_hours + incident management integration | business_associate_agreements.breach_notification_timeline_hours + webhook integration |
| §164.504(e)(2)(i)(D) | BA ensures subcontractor compliance | authorized_subcontractors + subcontractor chain verification | business_associate_agreements.parent_baa_id + chain report |
| §164.504(e)(2)(ii)(E) | BA provides access to PHI for individual rights | Contract clause in template | Template library (clause 5.1) |
| §164.504(e)(2)(ii)(F) | BA provides access for amendment | Contract clause in template | Template library (clause 5.2) |
| §164.504(e)(2)(ii)(G) | BA provides accounting of disclosures | Contract clause + audit trail | Template library (clause 5.3) + audit_trail |
| §164.504(e)(2)(ii)(H) | BA makes internal practices available for HHS review | Contract clause in template | Template library (clause 6.1) |
| §164.504(e)(2)(i)(H) | BAA includes termination provisions | termination_notice_period_days + termination workflow | business_associate_agreements + state machine |
| §164.504(e)(2)(i)(I) | BAA requires return or destruction of PHI | phi_disposal_method + disposal workflow | business_associate_agreements.phi_disposal_method + termination workflow |
| §164.504(e)(1)(ii) | CE authorized to terminate for violations | Contract clause + termination workflow | Template library (clause 8.2) + state machine |
| §164.504(e)(3) | BAA for group health plan sponsors | Not applicable (biosciences QMS, not health plan) | N/A |
| HITECH §13402 | BA must notify CE of breaches | breach_notification_timeline_hours + incident integration | business_associate_agreements.breach_notification_timeline_hours + incident management webhook |
11. Security and Access Control
11.1 RBAC for BAA Management
Integration with existing RBAC model (see 21-rbac-model.md):
| Role | BAA Permissions | Justification |
|---|---|---|
| HIPAA_PRIVACY_OFFICER | All permissions (create, edit, approve, terminate, review, export) | Regulatory responsibility (HIPAA §164.530(a)(1)) |
| COMPLIANCE_MANAGER | Create, edit, review, export (no approve/terminate) | Operational support for Privacy Officer |
| LEGAL | Review, approve (legal stage), view all | Contract approval authority |
| VENDOR_MANAGER | Create, edit (draft only), view assigned BAs | Vendor relationship management |
| AUDITOR | View all, export (read-only) | Audit and inspection |
| ADMIN | View all, cancel (no approve) | System administration (limited compliance authority) |
| SYSTEM_OWNER | View own vendor BAs only | Operational need-to-know |
11.2 Row-Level Security (RLS)
Multi-tenancy enforcement:
-- Applied to all BAA tables
ALTER TABLE business_associate_agreements ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON business_associate_agreements
USING (tenant_id = current_setting('app.current_tenant')::uuid);
Additional scoping:
- Vendors can only view BAAs where they are the
business_associate_id - Auditors have read-only access across all tenants (for cross-tenant audits)
11.3 Audit Trail Requirements
All BAA actions are logged at Level 4 (highest sensitivity) per the existing audit trail architecture:
| Action | Audit Level | Logged Fields | Retention |
|---|---|---|---|
| BAA created | L4 | actor_id, baa_id, all fields, timestamp | 7 years |
| BAA status change | L4 | actor_id, baa_id, old_status, new_status, timestamp | 7 years |
| BAA approved | L4 | approver_id, baa_id, approval_stage, timestamp | 7 years |
| BAA activated (PHI access enabled) | L4 | actor_id, baa_id, phi_access_enabled, timestamp | 7 years |
| BAA terminated (PHI access blocked) | L4 | actor_id, baa_id, phi_access_blocked, termination_reason, timestamp | 7 years |
| Amendment created | L4 | actor_id, amendment_id, changes_summary, timestamp | 7 years |
| Review completed | L4 | reviewer_id, review_id, compliance_status, timestamp | 7 years |
| Notification sent | L3 | notification_id, recipients, timestamp | 6 years |
| Document viewed | L2 | actor_id, baa_id, document_type, timestamp | 6 years |
| Report exported | L3 | actor_id, report_type, timestamp | 6 years |
12. Implementation Roadmap
Phase 1: Core BAA Management (Sprint 1-2)
- Database schema implementation (all 5 tables)
- API endpoints (CRUD operations)
- Basic dashboard (KPI cards, BAA list)
- State machine workflow (Draft → Active)
- RLS and RBAC integration
- Audit trail integration
Deliverable: MVP BAA module with manual workflow
Phase 2: Automation & Notifications (Sprint 3-4)
- Notification engine integration
- Renewal alert system (90/60/30/7-day schedule)
- Automated status changes (expiration day)
- Email templates
- Slack webhook integration
- Escalation matrix
Deliverable: Automated renewal and expiration management
Phase 3: Compliance & Reporting (Sprint 5-6)
- Annual review workflow
- 15-item compliance checklist
- Subcontractor chain tracking
- BAA inventory report (PDF/CSV)
- Compliance gap analysis
- Breach notification compliance report
Deliverable: OCR audit-ready compliance reporting
Phase 4: Advanced Features (Sprint 7-8)
- Template library
- Template version control
- E-signature integration (DocuSign)
- PHI inventory per BAA
- Security assessment tracking
- Advanced dashboard visualizations (timeline, chain explorer)
Deliverable: Full-featured BAA management system
Phase 5: Integrations (Sprint 9-10)
- Vendor management system integration
- Document management system integration
- Incident management system integration
- Workflow engine integration
- Compliance dashboard integration
- Webhook event system
Deliverable: Fully integrated BAA module
13. Success Metrics
| Metric | Target | Measurement Method |
|---|---|---|
| BAA Coverage | 100% of vendors with PHI access have active BAAs | (vendors_with_active_baa) / (vendors_with_phi_access) |
| On-time Renewals | >95% of BAAs renewed before expiration | (renewed_before_expiry) / (total_renewals) |
| Late Notifications | 0 renewals missed (expired without action) | Count of status changes from active to expired |
| Annual Review Completion | 100% of BAAs reviewed within 12 months | (reviews_completed_on_time) / (reviews_due) |
| Compliance Gap Resolution Time | <7 days from detection to BAA activation | AVG(baa_activated_at - gap_detected_at) |
| Breach Notification Compliance | 100% of BA breaches reported within BAA timelines | (on_time_notifications) / (total_notifications) |
| Subcontractor BAA Coverage | 100% of authorized subcontractors have valid BAAs | (subcontractors_with_baa) / (total_subcontractors) |
| OCR Audit Readiness | <1 hour to generate complete BAA inventory report | Time to generate report |
14. Risk Mitigation
| Risk | Impact | Likelihood | Mitigation Strategy | Residual Risk |
|---|---|---|---|---|
| BAA expires, PHI access continues | Critical (HIPAA violation) | Medium | Automated PHI access blocking on expiration day | Low |
| Vendor uses unauthorized subcontractor | High (HIPAA violation) | Medium | Continuous monitoring, subcontractor authorization required in BAA | Low |
| Late breach notification from BA | High (OCR penalties) | Low | BAA timeline enforcement, automated tracking, compliance reporting | Low |
| Missing BAA for new vendor | Critical (HIPAA violation) | Medium | Onboarding workflow integration, PHI access blocked until BAA active | Low |
| Subcontractor chain breaks | Medium (compliance gap) | Low | Quarterly subcontractor verification, automated alerts | Low |
| Renewal process stalls | Medium (expiration risk) | Medium | Multi-stage escalation (90/60/30/7 days), executive visibility | Low |
| Template not HIPAA-compliant | Critical (all BAAs invalid) | Very Low | Legal review workflow, template version control, HHS model basis | Very Low |
| BAA document lost/corrupted | Medium (audit failure) | Low | Document hash verification, cloud backup, version control | Very Low |
Copyright 2026 AZ1.AI Inc. All rights reserved. Developer: Hal Casteel, CEO/CTO Product: CODITECT-BIO-QMS | Part of the CODITECT Product Suite Classification: Internal - Confidential