Stop tracking Business Associate Agreements in a spreadsheet. Covenant gives you a BAA library, a §164.504(e) required-clause gap-check, automatic renewal reminders, and subcontractor flow-down tracking — free for up to 10 vendors.
Under HIPAA §164.308(b), a covered entity must obtain satisfactory assurances — in the form of a written Business Associate Agreement — from every vendor that creates, receives, maintains, or transmits PHI. When a BA uses subcontractors, those need downstream BAAs too (§164.504(e)(2)(ii)(D)). Missing or expired BAAs are a top finding in OCR enforcement.
Track each BAA's status — signed, pending, expired — with executed date, next-review date, and breach-notification SLA. Flags surface missing, expiring (≤30d), and overdue agreements.
Tick off the 11 required clauses against the HIPAA checklist. Covenant tells you instantly whether an executed BAA is complete or what's missing.
Record each business associate's subcontractors and whether they hold a downstream BAA — the chain covered entities routinely miss.
90/60/30-day review windows and overdue alerts, so a BAA never silently lapses before an audit.
Export the whole BAA inventory to CSV in one click — exactly what an OCR investigator or SOC 2 auditor asks for.
BAA tracking and 10 vendors cost nothing, with no card. It's our wedge, not a trial.
A BAA is a HIPAA-required contract (45 CFR §164.504(e)) between a covered entity and any vendor that handles PHI on its behalf. It binds the vendor to safeguard PHI, report breaches, and flow the same obligations down to its subcontractors.
Yes, if they can access systems that hold ePHI. Covenant flags PHI vendors as BAA-required and tracks the agreement's lifecycle so you can prove you have one.
No. Covenant tracks agreements about PHI; it is designed not to store PHI. We ask you to keep PHI out of evidence, and the cloud sync carries only structured risk facts.
Add your vendors, mark who touches PHI, and let Covenant flag every missing or expiring agreement.