BAA tracking
If you handle PHI, every business associate needs a current, complete Business Associate Agreement (HIPAA §164.308(b)). Covenant tracks the BAA lifecycle, checks it against the §164.504(e) required clauses, follows subcontractor flow-down, and keeps a renewal calendar.
The BAA record (vendor detail)
On a vendor's detail page, the Business Associate Agreement (BAA) card holds:
| Field | Meaning |
|---|---|
| BAA status | none / pending / signed / expired. |
| Breach-notification SLA (days) | How quickly the BA must notify you of a breach. |
| Executed date | When the BAA was signed. |
| Next review date | Drives the review flag (see below). |
| Term end (expiry) | When the agreement term ends — drives the executed-document expiry flag. |
Lifecycle flags
Covenant computes a flag from the status and next-review date, relative to today:
| Flag | When | Severity |
|---|---|---|
| BAA required, none on file | PHI vendor with no BAA | critical |
| BAA pending signature | Status = pending | high |
| Review overdue by N days | Review date in the past | critical |
| Review due in N days | Within 30 days | high |
| Review due in N days | 31–90 days | medium |
| Signed, review in N days | More than 90 days out | info |
| No BAA required | Non-PHI vendor, no BAA | info |
A missing BAA on a PHI vendor also applies a −15 penalty to the composite score (see Risk scoring).
§164.504(e) required-clause gap-check
The card lists the eleven HIPAA-required BAA clauses. Tick each clause your executed agreement actually contains. Covenant shows a running count (e.g. "8/11 (3 missing)") and marks the BAA ✓ complete when all required clauses are present.
| Clause | CFR |
|---|---|
| Permitted uses & disclosures | §164.504(e)(2)(i) |
| No further use/disclosure | §164.504(e)(2)(ii)(A) |
| Safeguards | §164.504(e)(2)(ii)(B) |
| Breach reporting | §164.504(e)(2)(ii)(C) |
| Subcontractor flow-down | §164.504(e)(2)(ii)(D) |
| Access to PHI | §164.504(e)(2)(ii)(E) |
| Amendment of PHI | §164.504(e)(2)(ii)(F) |
| Accounting of disclosures | §164.504(e)(2)(ii)(G) |
| Availability to HHS | §164.504(e)(2)(ii)(H) |
| Return/destruction at termination | §164.504(e)(2)(ii)(I) |
| Termination for breach | §164.504(e)(2)(iii) |
Subcontractor flow-down chain
HIPAA requires a business associate to flow down BAA obligations to its own subcontractors. Add each subcontractor and mark whether a downstream BAA exists. A subcontractor without a downstream BAA is flagged, so a gap deep in the chain is visible.
- Type the subcontractor name.
- Tick "has downstream BAA" if confirmed.
- Click Add. Use ✕ to remove one.
Executed-document tracking & expiry
Separately from the review-date flag, Covenant tracks whether the executed BAA file is on record and whether its term is still current:
| State | Meaning |
|---|---|
| missing-doc | No executed BAA file attached (and one is required). |
| current | Executed BAA on file, term not near expiry. |
| expiring | Term ends within 60 days. |
| expired | Term has ended. |
| na | No BAA document required. |
Attach the executed BAA in the Evidence attachments card (kind = baa) and set Term end to drive the expiry flag. See Evidence attachments.
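The lifecycle flag and the executed-document state are computed independently, so a vendor can look healthy on one and not the other. The sketch below is an added example, not Covenant's own code: it applies the thresholds from the two tables above to constructed vendor records. The function names, the sample vendors, the treatment of inputs the tables do not cover, and the use of the PHI marker as "BAA required" are assumptions.

```python
from datetime import date, timedelta

def lifecycle_flag(handles_phi, status, next_review, today):
    """(flag, severity) per the Lifecycle flags table; rows it omits raise."""
    if status == "none":
        return (("BAA required, none on file", "critical") if handles_phi
                else ("No BAA required", "info"))
    if status == "pending":
        return ("BAA pending signature", "high")
    if status != "signed" or next_review is None:
        # Assumption: the table defines no flag for these inputs.
        raise ValueError(f"no flag defined for status={status!r}, review={next_review}")
    days = (next_review - today).days
    if days < 0:
        return (f"Review overdue by {-days} days", "critical")
    if days <= 30:
        return (f"Review due in {days} days", "high")
    if days <= 90:
        return (f"Review due in {days} days", "medium")
    return (f"Signed, review in {days} days", "info")

def document_state(required, has_file, term_end, today):
    """State per the executed-document table, independent of the review date."""
    if not required:
        return "na"
    if not has_file:
        return "missing-doc"
    if term_end is None:
        return "current"  # Assumption: no Term end set means nothing to expire.
    days_left = (term_end - today).days
    if days_left < 0:     # Assumption: the term-end day itself is not yet expired.
        return "expired"
    return "expiring" if days_left <= 60 else "current"

# Constructed sample vendors (not real data): name, PHI?, status, review, file?, term end.
TODAY = date(2025, 1, 1)
VENDORS = [
    ("Acme Billing", True, "signed", TODAY + timedelta(days=200), True, TODAY + timedelta(days=45)),
    ("Example Labs", True, "signed", TODAY - timedelta(days=12), True, TODAY + timedelta(days=300)),
    ("Sample Hosting", True, "none", None, False, None),
    ("Office Snacks", False, "none", None, False, None),
]

def assess(vendors=VENDORS, today=TODAY):
    """Map vendor name -> (flag, severity, document state); PHI is used as 'required'."""
    return {name: (*lifecycle_flag(phi, st, rev, today), document_state(phi, f, end, today))
            for name, phi, st, rev, f, end in vendors}

if __name__ == "__main__":
    for name, result in assess().items():
        print(name, result)
```

"Acme Billing" shows why the two checks are kept apart: its review is 200 days out (info), yet the executed agreement's term ends in 45 days (expiring).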
The BAAs tab: renewal calendar & inventory
Renewal calendar & reminders
The BAAs tab opens with a BAA renewal calendar & reminders panel. It buckets every PHI BAA on a 90/60/30-day cadence and shows:
- Chips counting Missing / Pending / Overdue / ≤30d / ≤60d / ≤90d / Future.
- Reminders firing today — exactly which vendors a reminder job would notify now, and why, with urgency.
- A Renewal calendar table, soonest-first.
BAA inventory + CSV export
Below the calendar, the BAA inventory lists every PHI vendor and BAA, sorted by urgency (missing and overdue first), with status, executed date, next review, breach SLA, and flag. Click Export BAA inventory (CSV) for an auditor-ready covenant-baa-inventory.csv.