# Business Associate Agreement Tracker
HIPAA Rule: §164.308(b), §164.314(a)
A BAA is required with every vendor (Business Associate) that creates, receives, maintains, or transmits PHI on our behalf.
## Current BAA Status
| Vendor | Service | PHI Contact | BAA Status | BAA Date | Notes |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (NVS + NHC accounts) | Yes | ✅ Signed | — | Covers all HIPAA-eligible AWS services |
| (Add vendor) | | | ⚠️ Review needed | | |
## Vendors to Review

The following categories of tools commonly used in web/app development may come into contact with PHI and therefore require a BAA. Review each one in use:
| Category | Examples | Action |
|---|---|---|
| Error tracking | Sentry, Bugsnag, Rollbar | Confirm PHI is not in error payloads; obtain BAA if so |
| APM / monitoring | Datadog, New Relic, Grafana Cloud | Confirm PHI is not in metrics/traces; obtain BAA if so |
| Email / SMS delivery | SendGrid, Twilio, AWS SES | If sending PHI in messages, BAA required |
| Log management | Papertrail, Loggly, Splunk Cloud | If PHI appears in logs, BAA required |
| CI/CD | GitHub, CircleCI, AWS CodePipeline | If source code or build artifacts contain PHI, BAA required |
| Video / comms | Zoom, Slack | If PHI is discussed, BAA required |
## AWS HIPAA-Eligible Services
Not all AWS services are covered by the AWS BAA. Confirm any service used with PHI is on the AWS HIPAA Eligible Services list.
Key eligible services relevant to this project:

- EC2, EBS, ELB/ALB
- S3
- RDS
- KMS
- CloudTrail
- CloudWatch
- GuardDuty
- AWS Config
- AWS Backup
- Systems Manager (SSM)
- WAF

**Warning:** Services not on the HIPAA-eligible list must not process or store PHI. Check before adopting any new AWS service.
## BAA Review Schedule
| Activity | Frequency |
|---|---|
| Review all vendor BAAs for expiration | Annual |
| Inventory new tools for PHI contact | Quarterly |
| Update this tracker | As tools are added/removed |