
HIPAA Compliance Program – Business Associate (BA)
1. Determination of HIPAA Applicability
1.1 Classification Under HIPAA
The organization is classified as a Business Associate (BA) under the Health Insurance Portability and Accountability Act (HIPAA). As a BA, the organization creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of Covered Entities and is therefore subject to the HIPAA Security Rule, Privacy Rule obligations as delegated through Business Associate Agreements, and the Breach Notification Rule.
1.2 Definition and Scope of PHI
Protected Health Information (PHI) includes individually identifiable health information stored or transmitted in any form. In the context of Brainmark’s operations as a Business Associate, PHI includes cognitive, physiological, neurofeedback, fatigue, and mental performance data when associated with personal identifiers such as name, email, DOB, employee number, or biometric identifiers.
1.3 Operational Scope of HIPAA Applicability
HIPAA requirements apply to all systems, environments, devices, personnel, APIs, software platforms, and processes involved in the collection, processing, storage, analysis, or transmission of PHI. HIPAA obligations apply jointly to physical, administrative, and technical safeguards implemented across the organization.
2. Business Associate Agreements (BAAs)
2.1 Requirement for Business Associate Agreements
In accordance with 45 CFR §164.308(b) and §164.502(e), the organization must execute a Business Associate Agreement (BAA) with each Covered Entity prior to the creation, receipt, maintenance, or transmission of PHI. BAAs establish legally required responsibilities for safeguarding PHI and define permitted uses and disclosures.
2.2 BAAs with Covered Entities
The organization shall maintain active BAAs with all Covered Entities for whom PHI is processed. Covered Entities typically include healthcare providers, clinical institutions, telemedicine organizations, and corporate or government health programs. No PHI may be collected or processed without a fully executed BAA.
2.3 BAAs with Subcontractors
All subcontractors and service providers who may access, store, or process PHI on behalf of the organization must sign downstream BAAs. Only vendors offering HIPAA-compliant services may be used for PHI-related functions. The organization will maintain a complete record of subcontractor BAAs as required by HIPAA.
2.4 Documentation and Record Maintenance
A BAA Register shall be maintained listing all Covered Entities and subcontractors with active BAAs. The register shall include execution dates, renewal dates, authorized contacts, and scope of services. All BAAs shall be reviewed annually.
3. Administrative Safeguards
3.1 HIPAA Security Management Process
The organization implements policies and procedures to prevent, detect, contain, and correct security violations. This includes conducting periodic risk analyses, implementing risk management measures, and performing regular internal audits.
3.2 Workforce Security
Access to PHI is limited based on job role. Employees receive training on HIPAA requirements, privacy, and security procedures. Procedures exist for termination or role changes to revoke access as appropriate.
3.3 Information Access Management
Procedures define how employees are granted access to PHI, including authorization, modification, and termination of access privileges. Access rights are reviewed at least annually.
3.4 Security Awareness and Training
All workforce members receive HIPAA training at onboarding and annually thereafter, covering PHI handling, recognizing potential security threats, and breach reporting protocols.
4. Physical Safeguards
4.1 Facility Access Controls
Physical access to locations storing PHI is restricted. Access requires proper authorization, and visitor logs are maintained where applicable.
4.2 Workstation Security
Workstations and devices used to access PHI are secured to prevent unauthorized access. Procedures for workstation use, storage, and disposal are enforced.
4.3 Device and Media Controls
PHI on devices or media is managed securely, including proper disposal and reuse. Encryption and secure transport methods are applied when PHI is moved outside secure areas.
5. Technical Safeguards
5.1 Access Control
Access to ePHI is restricted through unique user IDs, secure passwords, and role-based permissions. Multi-factor authentication is enforced where possible.
5.2 Audit Controls
All systems processing PHI maintain detailed audit logs recording access, creation, modification, or deletion of PHI. Audit logs are monitored and reviewed periodically.
5.3 Integrity Controls
Mechanisms are in place to ensure ePHI is not improperly altered or destroyed. Hashing and checksums may be used to validate data integrity.
5.4 Transmission Security
ePHI transmitted across networks is encrypted using standards-compliant protocols such as TLS 1.2+ to protect against unauthorized access during transmission.
5.5 Device and System Security
Systems are regularly patched and updated. Antivirus and endpoint protection are maintained. Remote access to PHI requires secure VPN connections and MFA.
6. Breach Notification Policy
6.1 Purpose
To comply with the HIPAA Breach Notification Rule (45 CFR §164.400-414), the organization maintains procedures to identify, respond to, and notify affected parties of any unauthorized access, use, or disclosure of PHI.
6.2 Breach Identification
All personnel are required to report suspected breaches immediately. Security monitoring systems and audit logs assist in detecting unauthorized access or disclosure.
6.3 Notification Procedures
In the event of a breach, notifications will be issued as follows:
- Affected individuals: within 60 days of discovery
- Department of Health and Human Services (OCR): immediately if more than 500 individuals are affected
- Media notification if required by HIPAA
6.4 Documentation
All breaches, investigations, and notifications are documented in the Breach Log. Corrective actions and mitigation steps are recorded.
7. Security Risk Assessment (SRA)
7.1 Purpose
To identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in compliance with 45 CFR §164.308(a)(1)(ii)(A).
7.2 Methodology
- Identify systems storing, processing, or transmitting ePHI
- Analyze potential threats and vulnerabilities
- Evaluate likelihood and impact
- Implement mitigation and risk management strategies
- Document findings and corrective actions
7.3 Frequency
Comprehensive Security Risk Assessments are performed at least annually and upon major system changes affecting PHI.
8. Incident Response Plan
8.1 Purpose
To ensure timely and effective response to any suspected or confirmed security incidents involving PHI.
8.2 Procedures
- Incident identification and reporting
- Incident assessment and containment
- Investigation and root cause analysis
- Notification to affected parties and OCR as required
- Remediation and preventive measures
9. Training & Workforce Compliance
9.1 HIPAA Training Program
All workforce members receive mandatory HIPAA training at onboarding and annual refresher courses. Training covers PHI handling, privacy and security policies, breach reporting, and technical safeguards.
9.2 Documentation
Training completion is logged and maintained for all personnel. Attendance, dates, and topics covered are recorded for audit purposes.
10. Vendor Management & Auditing
10.1 Vendor Risk Assessment
All vendors and subcontractors accessing or processing PHI undergo a risk assessment to confirm HIPAA compliance before engagement.
10.2 Ongoing Vendor Monitoring
Vendor compliance is reviewed annually. Any changes in vendor operations that could impact PHI security are reassessed. Non-compliant vendors are remediated or replaced.
10.3 Audit Plan
Internal audits of policies, procedures, and vendor practices are conducted periodically to ensure continued HIPAA compliance.
Copyright © 2025 Brainmark Health Inc. - All Rights Reserved.