Compliance · 9 min read

The HIPAA hosting checklist most BAAs miss — and the controls auditors actually ask for

Signing a BAA is the easy part. Implementing the controls behind it is where most mid-market healthcare practices fail their first OCR audit. Here's the 12-item checklist we run for every healthcare engagement.

By Ultiblob Engineering

Every mid-market healthcare practice we've onboarded comes with the same BAA on the table and the same gap behind it. The BAA documents the obligations between covered entity and business associate. The controls implementing those obligations are where the audit risk actually lives — and where most practices have soft spots they don't know about.

The HIPAA Security Rule is structured into three control families: administrative, physical, and technical safeguards. The technical safeguards are the easy ones to claim — most hosting providers say 'AES-256 at rest' and call it done. The administrative and physical safeguards are where the harder questions come from, and where most BAAs get vague.

Here's the 12-item checklist we run for every healthcare engagement before we sign a BAA. It's our internal pre-flight; we publish it because the practices that ask the same questions of every prospective vendor end up with measurably better OCR audit outcomes.

1. PHI inventory: do we have a complete list of every system, database, file share, and integration that touches PHI? Most practices think they do, then find out at audit time that the EHR backup share, the analytics warehouse, and the marketing-automation tool also see PHI.

2. Encryption at rest, with key custody documented: AES-256 is the minimum. The interesting question is who holds the keys. BYOK (customer-held keys, optionally HSM-backed) means the vendor cannot read your PHI even if compelled. We default to BYOK on regulated tiers.

3. Encryption in transit, end-to-end: TLS 1.3, mTLS for service-to-service, no plaintext on the wire anywhere PHI flows. Verify with packet capture, not paperwork.

4. Access control with documented least-privilege: role-based access control, with reviews quarterly. Standing admin access is the most common finding in OCR audits — and the easiest to fix with just-in-time access patterns.

5. Audit logging at the workload, not just the perimeter: every read of PHI and every privileged action, captured at the database or application layer together with the actor identity. Retain the logs for 6 years per the Security Rule's retention requirement.

6. Backup, restore, and DR drilled quarterly: encrypted off-site backups with verified restore procedures. Drilled — not assumed. Most audit failures come from 'we have backups' practices that have never tested the restore path.

7. Breach notification path documented: who detects, who notifies, what the OCR-required timelines are, who the comms point of contact is. Document the workflow before you need it.

8. Workforce training and acknowledgement: annual HIPAA training, signed acknowledgements on file, with new-hire onboarding. Boring but required.

9. Risk analysis and management: documented annual risk analysis covering all PHI systems. This is the single most-cited finding in OCR enforcement actions.

10. Subcontractor BAAs: every downstream subprocessor that touches PHI signs its own BAA. Maintain a current subprocessor list.

11. Identity-everywhere (zero-trust posture): every privileged action verified against a current identity, not inferred from network location. The Security Rule doesn't mandate zero-trust by name, but the audit conversation is converging on it — implementing zero-trust now is the cheapest way to land on the right side of the Security Rule for the next five years.

12. Incident response playbook tested annually: tabletop exercises with the IR team, with documented outcomes and remediation. Most practices test their backups but never test their incident response. Auditors are increasingly asking for both.

The HIPAA Hosting Checklist (gated) goes deeper on each of these and includes the specific controls Ultiblob implements at each layer. If you'd rather walk through your environment, the 30-minute HIPAA posture review with one of our senior engineers usually returns a written gap analysis within a week.

#hipaa #compliance #healthcare #security-rule #phi