GRCWatch
Sign inStart free trial

HIPAA OR-1.2: Business Associate Contract Requirements

Business associate contracts are your first line of defense against ePHI breaches. OR-1.2 mandates specific contractual provisions that establish permitted uses, enforce HIPAA compliance, and protect patient data throughout the business relationship. Get this control wrong, and you expose your organization to regulatory penalties and patient harm.

What this means

OR-1.2 requires that any contract with a business associate (vendor, processor, or service provider handling ePHI) must explicitly include four critical elements: (1) permitted and required uses and disclosures of electronic protected health information (ePHI), (2) requirements that the business associate comply with applicable HIPAA Security Rule standards, (3) mandatory incident reporting obligations when security incidents occur, and (4) explicit provisions requiring the return or certified destruction of all ePHI upon contract termination. These provisions create a binding compliance framework that extends your security obligations to third parties and ensures accountability across your ecosystem.

How to comply

  1. 1.Inventory all vendors and service providers that access, process, store, or transmit ePHI
  2. 2.Draft or update business associate agreements (BAAs) to include explicit permitted and required use/disclosure language tied to your specific operational needs
  3. 3.Embed HIPAA Security Rule compliance requirements in all BAA language, including administrative, physical, and technical safeguards applicable to your environment
  4. 4.Define incident reporting procedures: timeframe (typically 24-48 hours), escalation path, and required notification content
  5. 5.Specify data return or destruction methods at contract end (certified deletion, secure wiping, or physical destruction with attestation)
  6. 6.Require business associates to certify compliance before contract execution and periodically thereafter (annual attestations recommended)
  7. 7.Document all BAAs and maintain a centralized registry for audit readiness

Evidence auditors look for

  • Executed business associate agreements with documented permitted uses and disclosure restrictions
  • Incident response procedures referenced in BAA with 24-48 hour reporting obligations
  • Data destruction certificates or return confirmations from terminated business associates
  • Annual compliance certifications or attestations from active business associates
  • BAA amendment log showing updates to reflect current HIPAA Security Rule requirements
  • Vendor audit reports or SOC 2 Type II reports with ePHI controls documented

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates BAA tracking and incident reporting workflows, eliminating manual contract audits and alerting you when vendors miss compliance deadlines or fail to report incidents on time.

See how GRCWatch handles this control automatically

Start free trial

Related controls

HIPAA Security Rule 164.308(b) — Business Associate Contracts and Other ArrangementsHIPAA Breach Notification Rule 164.404 — Notification to IndividualsHIPAA Security Rule 164.504(e) — Business Associate Documentation Requirements