
BAA Annual Verification: The 2026 HIPAA Update's Most Underrated Workflow

Co-founder at Medcurity, helping healthcare organizations achieve and maintain HIPAA compliance. Writing about healthcare cybersecurity, security risk analysis, and compliance automation.

If you're doing your first post-2026 HIPAA Security Risk Analysis right now and you're focused on the headline items — MFA mandates, encryption-at-rest, asset inventory — you're probably going to miss the most operationally painful change in the 2026 update.

It's the annual Business Associate Agreement (BAA) verification step.

Until 2026, BAA workflows were one-and-done: collect the signed agreement at vendor onboarding, file it, never look at it again. The 2026 rule changes that. You now have to actively confirm, every twelve months, that each Business Associate is still meeting its obligations. Not just that the contract exists. That the BA is operating in compliance.

For a typical small practice, that's 15–40 vendors per year. For an FQHC with multi-site operations, it can be 60–100. None of the off-the-shelf compliance platforms I've seen handle this elegantly. Most teams I've talked to don't even know it's a requirement yet.

This post is the practical workflow I'd build if I were starting from scratch.

What "annual verification" actually requires

The 2026 rule doesn't prescribe a specific verification format. What it requires is documented evidence that the covered entity has actively confirmed each Business Associate is still meeting four obligations:

  1. No undisclosed security incidents in the past 12 months that affected the covered entity's data

  2. Subcontractor stability — any new sub-Business Associates that touch your PHI have to be disclosed

  3. Breach-notification process integrity — the BA still has functioning incident-response procedures

  4. Their own SRA cadence — the BA has completed at least one SRA in the past 12 months

If you can't produce the documented verification during an OCR audit, the Business Associate relationship gets treated as if the BAA never existed. That's not a small finding.

The workflow that scales

Build a single annual questionnaire that captures the four obligations above, plus two operational fields:

1. Has any security incident affecting Medcurity (or our data) occurred 
   in the past 12 months that has not yet been disclosed to us? Y/N
2. Have you added or removed any subcontractors with access to our 
   data in the past 12 months? List any.
3. Confirm your current breach-notification process. Attach or link 
   your most recent IR runbook revision date.
4. Confirm the date of your most recent Security Risk Analysis. 
   Attach the executive summary if available.
5. Have any of the named contacts on file (DPO, CTO, Compliance 
   Officer) changed? List replacements.
6. Confirm or update: contract end date, renewal terms, 
   notice-of-termination requirements.

Fields 5 and 6 aren't strictly required for HIPAA compliance, but rolling them into the same annual cycle saves the legal team a separate touchpoint.

How to actually send + track

The lowest-friction implementation that I've seen work in the field:

  1. Sequence the cycle by tier. Batch BAs into thirds of the year by tier. Tier 1 (EHR, billing, telehealth platforms — the ones with deep PHI access) gets verified in Q1. Tier 2 (cloud backup, messaging, pharmacy interfaces) gets Q2. Tier 3 (everything else — printers, paper-shredder vendors, transcription) gets Q3. Q4 is for follow-ups, terminations, and onboarding new vendors.

  2. Use a form that timestamps at submission. Don't email a Word doc. Build a Gravity Forms / Typeform / equivalent that captures the answers + timestamps automatically. Attach the submission record to the vendor's compliance record.

  3. Set a 14-day response window. Day 0: send. Day 7: friendly nudge. Day 14: escalate to the named compliance contact. Day 21: escalate to the BA's executive sponsor. Day 30: trigger a contract review.

  4. Record refusal as a finding. A BA that won't answer the questionnaire — or whose answers are visibly stale year-over-year — is a risk signal. Document it. The 2026 rule explicitly contemplates this scenario: persistent non-response is grounds for contract termination and is exactly what the annual verification was designed to surface.

  5. Tie the verification to renewal. The cleanest enforcement mechanism: BAs that haven't returned a current verification can't have their contract auto-renewed. This makes the verification a procurement requirement, not a compliance afterthought.
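The five steps above fit in a small tracker. This is an added example, not Medcurity's or any platform's code: it assigns each BA to its quarter by tier, walks the day-0/7/14/21/30 escalation ladder, records non-response and stale obligations as findings, and gates auto-renewal on a current verification. The vendor records, field names and dates are constructed assumptions.

```python
from datetime import date

# Escalation ladder from the post: days since send -> action (hypothetical data model).
ESCALATION = [(0, "sent"), (7, "nudge"), (14, "escalate: compliance contact"),
              (21, "escalate: executive sponsor"), (30, "contract review")]
TIER_QUARTER = {1: "Q1", 2: "Q2", 3: "Q3"}  # Q4 is follow-ups, exits, onboarding
ONE_YEAR = 365

def escalation_step(sent, responded, today):
    """Rung of the ladder a questionnaire sits on as of `today`."""
    if responded is not None:
        return "responded"
    elapsed = (today - sent).days
    return [name for day, name in ESCALATION if elapsed >= day][-1]

def response_findings(answers, today):
    """Findings against the four BA obligations (questionnaire fields 1-4)."""
    findings = []
    if answers["undisclosed_incident"]:
        findings.append("security incident not previously disclosed")
    if answers["new_subcontractors"]:
        findings.append("new subcontractors: " + ", ".join(answers["new_subcontractors"]))
    if answers["ir_runbook_revised"] is None:
        findings.append("no IR runbook revision date supplied")
    if (today - answers["last_sra"]).days > ONE_YEAR:
        findings.append("last SRA older than 12 months")
    return findings

def review_vendor(vendor, today):
    """One tracker row: cycle quarter, escalation state, findings, renewal gate."""
    step = escalation_step(vendor["sent"], vendor["responded"], today)
    findings = ["persistent non-response"] if step == "contract review" else []
    if vendor["responded"] is not None:
        findings += response_findings(vendor["answers"], today)
    # Renewal gate: no current (<= 12 months old) verification, no auto-renewal.
    current = vendor["responded"] is not None and (today - vendor["responded"]).days <= ONE_YEAR
    return {"vendor": vendor["name"], "quarter": TIER_QUARTER[vendor["tier"]], "step": step,
            "findings": findings, "auto_renew_allowed": current,
            "needs_named_decision": bool(findings)}  # risk acceptance stays with a person

# Constructed sample vendors, not real Business Associates.
TODAY = date(2026, 3, 20)
VENDORS = [
    {"name": "ehr-platform", "tier": 1, "sent": date(2026, 1, 12), "responded": date(2026, 1, 20),
     "answers": {"undisclosed_incident": False, "new_subcontractors": ["cloud-host-a"],
                 "ir_runbook_revised": date(2025, 11, 2), "last_sra": date(2025, 9, 1)}},
    {"name": "shredding-vendor", "tier": 3, "sent": date(2026, 2, 10), "responded": None, "answers": None},
]

def tracker(vendors=VENDORS, today=TODAY):
    """Full annual-cycle view; feed it the real vendor list in your own system."""
    return [review_vendor(v, today) for v in vendors]
```

In the constructed data the EHR vendor responded in Q1 but disclosed a new subcontractor (a finding that needs a named decision on flow-down), while the shredding vendor is 38 days out with no response and lands on "contract review".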

What you cannot delegate to AI

You can use an LLM to summarize the BA's responses, flag inconsistencies year-over-year, and generate questions for the BA's compliance contact. What you cannot delegate:

  • The decision to terminate a Business Associate relationship

  • The decision to accept a flagged risk

  • The signature on the renewal

The 2026 rule's risk-acceptance log requires a named executive's sign-off on residual risk. An LLM cannot be that named executive.

Common implementation mistakes

Three patterns I've seen go wrong in the field already:

  1. Sending the questionnaire from the wrong sender. If the BA gets it from a generic compliance@ inbox, response rates drop below 60 percent. Send it from the named contract-owner's inbox. The BA is more likely to respond to a person they know than to a compliance shared mailbox.

  2. Not closing the loop on terminations. When a BA exits, your data should be returned or destroyed per the BAA's data-disposition clause. The annual verification is the natural moment to confirm exits are clean. Skipping this is how stale BA relationships persist on paper after the actual contract is over.

  3. Verifying only the BA, not their subcontractors. The 2026 rule's annual cycle covers your direct BAs. But if a BA discloses a new sub-Business Associate, that sub now has access to your PHI through them. Decide your tolerance ahead of time: either require all subs to be flowed-down, or require a separate verification cycle for any sub that the BA grants direct access.

The upshot

The 2026 BAA annual verification step is a real workflow change, not a paperwork tweak. Most healthcare orgs underestimate it because the new MFA and encryption mandates dominate the headlines. But the BAA workflow is what turns up first in OCR audits — every modern OCR enforcement action I've read in the past year has had a BA-management finding somewhere in it.

Build the annual cycle now, before your first post-2026 SRA. The questionnaire is straightforward. The discipline of sending it on cadence is the hard part.

Medcurity builds HIPAA compliance software for small and mid-market healthcare organizations. If you're scoping post-2026 BAA workflows, our 2026 SRA software pillar lays out the full scope.
