360 ◾ Information Security Management Handbook
Business Associate Agreements
ere appear to be many deficiencies noted by CMS when it comes to the agreements between
business associates and the covered entity. First, the covered entities reviewed had business associ-
ates, but there were no business associate agreements (BAAs) between them. Second, there may
have been a BAA, but it was not signed by both parties as required. Finally, the BAAs did not
address certain requirements dictated by the regulation such as addressing the HIPAA/HITECH
Security Rule, developing a comprehensive risk management program, reporting vulnerabili-
ties, reporting breaches, performing activities, and the right of the covered entity to perform an
audit on the busine ...