Business Associate Due Diligence Review


45 CFR §164.308(a)(8)


Covered Entities are often exposed to unidentified risks through their use of Business Associates, each of which brings its own unique risks. Covered Entities need to perform a Business Associates Due Diligence (BADD) review that examines how they manage each of their Business Associate relationships, in order to understand and identify the risks involved and how to reduce them.

Many Covered Entities don’t know the specifics of how their Business Associates operate, what information they are accessing, or what technology they use. Administrative workforce personnel are often responsible for managing Business Associate Agreements (BAAs) without an understanding of HIPAA or of the potential impact a violation would have on the financial well-being and reputation of both the Covered Entity and the Business Associate.

Covered Entities need to understand and manage their relationships with their Business Associates:

  • Understand how their Business Associates are accessing and using Protected Health Information
  • Identify what systems, software, and hardware they are accessing
  • Identify who within the Business Associate’s organization is accessing them
  • Verify you have a current signed Business Associate Agreement for each Business Associate who creates, receives, maintains, stores, and/or transmits protected health information
  • Identify when they last conducted their enterprise-wide risk analysis


Covered Entities must obtain satisfactory assurances from all their Business Associates that they have appropriately implemented HIPAA security measures and are maintaining compliance. One way to accomplish this is to perform a BADD Review.

We’re here to help you!

Our Business Associates Due Diligence (BADD) Review verifies and documents where your Business Associates stand with their HIPAA compliance based on our in-depth analysis.

Schedule a call with us today!