OPS-SOP-033 — BAA Registry & Breach Response
1. Purpose & Scope
This SOP establishes the Business Associate Agreement (BAA) registry that Operations maintains for all vendors receiving, creating, maintaining, or transmitting PHI on behalf of the Unity Care Member Plan Master Trust, and documents the full HIPAA breach response process. A properly maintained BAA registry is a foundational HIPAA compliance requirement. Failure to have executed BAAs in place with all Business Associates that handle PHI may constitute a HIPAA violation independent of whether a breach has occurred.
This SOP applies to: Operations Director, Legal Counsel, and any staff responsible for vendor management or PHI oversight.
2. BAA Requirement — Legal Standard
HIPAA Rule (45 CFR § 164.502(e)): A covered entity (the health plan) may only disclose PHI to a Business Associate if it obtains satisfactory assurances that the Business Associate will appropriately safeguard the information. These assurances must be memorialized in a written Business Associate Agreement. A vendor that receives PHI without an executed BAA is an unauthorized recipient, and the disclosure may constitute a reportable breach.
A Business Associate is any person or entity that performs functions or activities on behalf of the plan that involve the use or disclosure of PHI. This includes: TPAs, PBMs, utilization management firms, data analytics vendors, actuaries, cloud storage providers used for PHI, and legal counsel when they handle PHI.
3. Current BAA Registry
GRADIENT AI — BAA NOT EXECUTED (CRITICAL)
Gradient AI does not currently have an executed BAA with Unity Care Solutions. PHI must not be submitted to Gradient AI until this is remediated. Operations Director must track this as an open compliance action item and escalate to Legal Counsel for immediate resolution. See OPS-SOP-030 for Gradient AI screening process restrictions.
| Vendor / Party | BAA Status | Execution Date | Renewal / Expiration | PHI Types Shared | Signatory Role |
| Allied Benefit Systems (TPA) | ✔ Executed | [On file] | [Confirm annually] | Claims data, eligibility, enrollment, EOBs, full member records | Operations Director |
| ProAct (PBM) | ✔ Executed | [On file] | [Confirm annually] | Prescription drug claims, member Rx records | Operations Director |
| Varipro | ✔ Executed | [On file] | [Confirm annually] | [Confirm PHI types at annual review] | Operations Director |
| HealthEquity (HSA/HRA) | ✔ Executed | [On file] | [Confirm annually] | HSA/HRA enrollment and contribution data, member IDs | Operations Director |
| Unity Care Solutions LLC (Plan Sponsor / Administrator) | ✔ Executed | [On file] | [Confirm annually] | Plan administration functions; all PHI related to plan operation | Operations Director |
| Gradient AI (Risk Analytics) | ✗ NOT EXECUTED — CRITICAL | — | — | Claims data, Rx utilization, diagnosis data (intended) | Pending — Legal Counsel to initiate |
Note: Execution dates, renewal dates, and signatory details are to be confirmed and populated from executed BAA files on record. This table serves as the live registry and must be updated whenever a BAA is executed, renewed, or terminated.
4. BAA Registry Maintenance
Operations Director is responsible for maintaining the BAA Registry. The registry must be updated:
- Immediately upon execution of any new BAA
- Immediately upon renewal or amendment of an existing BAA
- Immediately upon termination of a vendor relationship (mark BAA as terminated, confirm PHI return/destruction per BAA terms)
- Annually as part of the annual BAA review (see Section 5)
The full BAA Registry record for each vendor must include:
| Field | Description |
| Vendor Name | Legal entity name of the Business Associate |
| Vendor Function | Description of what the vendor does for the plan (TPA, PBM, analytics, etc.) |
| BAA Execution Date | Date the BAA was fully signed by both parties |
| BAA Expiration / Renewal Date | Date BAA expires or requires renewal; or "Evergreen" if no fixed expiration |
| PHI Types Shared | Description of what PHI categories are shared with this vendor |
| Signatory (Unity Care) | Role of the Unity Care signatory (Operations Director, Legal Counsel, etc.) |
| Signatory (Vendor) | Role of the vendor's authorized signatory |
| BAA File Location | Path or reference to where the executed BAA document is stored |
| Status | Active / Expired / Terminated / Pending |
5. Annual BAA Review
Operations conducts an annual review of all BAAs, typically in conjunction with the annual compliance renewal cycle (OPS-SOP-024). The annual review must confirm:
- All active vendors with PHI access have an executed, current BAA on file
- BAA terms cover the actual PHI data flows occurring (i.e., the PHI types and purposes described in the BAA match current operations)
- No BAAs have expired without renewal
- Terminated vendor relationships have been processed (PHI return/destruction confirmed)
- Any new vendors added during the year have executed BAAs before receiving PHI
Annual review is documented with a sign-off by the Operations Director and filed with compliance records.
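The Section 4 record fields and the Section 5 review checks map directly onto a small registry validator. The following is an added example, not part of this SOP or any Unity Care tooling: it models each registry record with the Section 4 fields and applies the annual-review checks (executed BAA before PHI flows, no expired BAAs, terminated vendors with confirmed PHI return/destruction). The sample registry, every date, every file path and the "Example Terminated Vendor" entry are constructed placeholders, not values from the executed BAA files on record; the 60-day renewal warning window is an assumption, since the SOP sets no specific value.

```python
"""Annual BAA registry review checks (Sections 4 and 5 of OPS-SOP-033).

Added example, not part of the SOP or any Unity Care tooling. Record
fields mirror the Section 4 registry fields. The sample registry below is
constructed: every date, file path and the terminated vendor are
placeholders, not values from the executed BAA files on record.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple, Union

BLOCKING = {"CRITICAL", "HIGH"}
RENEWAL_WARNING_DAYS = 60  # assumed early-warning window; the SOP sets no specific value


@dataclass
class BAARecord:
    vendor_name: str
    vendor_function: str
    status: str                                   # Active / Expired / Terminated / Pending
    phi_types: List[str] = field(default_factory=list)
    execution_date: Optional[date] = None         # date fully signed by both parties
    expiration: Union[date, str, None] = None     # a date, or "Evergreen"
    signatory_unity: str = ""
    signatory_vendor: str = ""
    file_location: str = ""
    phi_return_confirmed: bool = False            # only meaningful once Terminated


Finding = Tuple[str, str, str]  # (severity, vendor_name, message)


def review_registry(records: List[BAARecord], today: date) -> List[Finding]:
    """Apply the Section 5 annual-review checks and return all findings."""
    findings: List[Finding] = []
    for r in records:
        # PHI listed as shared (or intended) without an executed BAA: the vendor
        # is an unauthorized recipient under 45 CFR 164.502(e); PHI must not flow.
        if r.status != "Terminated" and r.phi_types and r.execution_date is None:
            findings.append(("CRITICAL", r.vendor_name,
                             "PHI flow listed but no executed BAA on file; do not share PHI"))
        if r.status == "Active":
            if isinstance(r.expiration, date):
                if r.expiration < today:
                    findings.append(("HIGH", r.vendor_name, "BAA expired without renewal"))
                elif (r.expiration - today).days <= RENEWAL_WARNING_DAYS:
                    findings.append(("INFO", r.vendor_name,
                                     f"BAA renewal due by {r.expiration.isoformat()}"))
            if not r.file_location:
                findings.append(("MEDIUM", r.vendor_name,
                                 "executed BAA file location not recorded"))
        if r.status == "Expired":
            findings.append(("HIGH", r.vendor_name,
                             "BAA marked Expired; renew or terminate the relationship"))
        # Termination requires confirmed PHI return or destruction per the BAA terms.
        if r.status == "Terminated" and not r.phi_return_confirmed:
            findings.append(("HIGH", r.vendor_name,
                             "terminated vendor: PHI return/destruction not confirmed"))
    return findings


def has_blocking_findings(findings: List[Finding]) -> bool:
    """True when any finding would block the Operations Director's annual sign-off."""
    return any(sev in BLOCKING for sev, _, _ in findings)


REVIEW_DATE = date(2025, 6, 1)  # constructed review date

SAMPLE_REGISTRY = [  # constructed sample; dates and paths are placeholders
    BAARecord("Allied Benefit Systems (TPA)", "TPA", "Active",
              ["claims", "eligibility", "enrollment", "EOBs"],
              execution_date=date(2023, 1, 15), expiration="Evergreen",
              signatory_unity="Operations Director", file_location="baa/allied.pdf"),
    BAARecord("ProAct (PBM)", "PBM", "Active", ["Rx claims", "member Rx records"],
              execution_date=date(2024, 3, 1), expiration=date(2025, 3, 1),
              signatory_unity="Operations Director", file_location="baa/proact.pdf"),
    BAARecord("HealthEquity (HSA/HRA)", "HSA/HRA administration", "Active",
              ["HSA/HRA enrollment", "contribution data", "member IDs"],
              execution_date=date(2024, 7, 15), expiration=date(2025, 7, 15),
              signatory_unity="Operations Director", file_location="baa/healthequity.pdf"),
    BAARecord("Gradient AI (Risk Analytics)", "risk analytics", "Pending",
              ["claims", "Rx utilization", "diagnosis data"]),
    BAARecord("Example Terminated Vendor [hypothetical]", "analytics", "Terminated",
              execution_date=date(2022, 5, 1), expiration="Evergreen",
              file_location="baa/example.pdf", phi_return_confirmed=False),
]

if __name__ == "__main__":
    findings = review_registry(SAMPLE_REGISTRY, REVIEW_DATE)
    for severity, vendor, message in findings:
        print(f"{severity:8} {vendor}: {message}")
    print("annual sign-off blocked:", has_blocking_findings(findings))
```

Run against the sample, the validator flags Gradient AI as CRITICAL (PHI intended, no executed BAA), the expired ProAct placeholder as HIGH, the hypothetical terminated vendor as HIGH, and HealthEquity's upcoming renewal as INFO; any CRITICAL or HIGH finding blocks the annual sign-off until it is resolved and the registry updated.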
6. Breach vs. Security Incident — Distinction
| Event Type | Definition | Notification Required? |
| Security Incident | Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. Includes phishing attempts, failed login attempts, and suspicious activity that did not result in PHI exposure. | No mandatory external notification, but must be documented and investigated internally. |
| Breach | The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI. A breach is presumed to require notification unless a four-factor risk assessment demonstrates low probability of compromise. | Notification required: affected individuals (within 60 days), HHS (within 60 days if 500+ affected), media (if 500+ in a state). See Section 7. |
When in doubt — treat it as a breach. The four-factor risk assessment is conducted after initial notification to Legal Counsel. Do not perform the risk assessment independently before notifying Legal Counsel; that decision requires legal guidance.
7. Breach Response Process
Step 1: Identify Scope of the Breach
The staff member who discovers the breach or potential breach immediately documents: what happened, what PHI may have been involved, how many members may be affected, when it occurred (if known), and whether the PHI was acquired, accessed, used, or disclosed without authorization. Do not attempt to resolve or cover up the incident — document everything.
Step 2: Contain the Breach
Take immediate steps to stop ongoing unauthorized access or disclosure: revoke access credentials if a user account is compromised, remove improperly shared documents from shared locations, contact vendors if the breach occurred at a Business Associate. Document all containment actions and timestamps.
Step 3: Notify Operations Director Immediately
The discovering staff member notifies the Operations Director the same business day. If the Operations Director is unavailable, escalate to Leadership immediately. The clock on all notification deadlines starts at this point.
Step 4: Notify Legal Counsel Within 24 Hours
Operations Director notifies Legal Counsel (Dickinson Wright PLLC) within 24 hours of discovery. Legal Counsel advises on: whether the event constitutes a breach under HIPAA, the four-factor risk assessment, notification obligations, and regulatory strategy.
Step 5: Conduct Four-Factor Risk Assessment (with Legal Counsel)
Legal Counsel leads the risk assessment to determine probability of PHI compromise. The four factors are:
- Nature and extent of PHI involved (identifiers, sensitivity)
- Who used or received the PHI and whether they have an obligation to protect it
- Whether PHI was actually acquired or viewed vs. merely at risk
- Extent to which risk has been mitigated through containment
If the assessment demonstrates low probability of compromise, notification may not be required — but the analysis must be documented thoroughly.
Step 6: Notify Affected Individuals (if breach confirmed)
If the breach is confirmed and notification is required, affected individuals must be notified within 60 days of discovery. Notification must be in plain language and include: description of what happened, types of PHI involved, steps members should take to protect themselves, what Unity Care is doing to investigate and mitigate, and contact information for questions.
Step 7: Notify HHS (if 500+ members affected)
If the breach affects 500 or more individuals, HHS must be notified within 60 days of discovery via the HHS Breach Notification web portal. If fewer than 500 individuals are affected, the breach is recorded in Unity Care's annual breach log, which is submitted to HHS by March 1 of the following year.
Step 8: Media Notification (if 500+ in a single state/jurisdiction)
If the breach affects 500 or more individuals in a single state or jurisdiction, a prominent media outlet in that state must be notified within 60 days of discovery. Legal Counsel drafts the media notification.
Step 9: Full Documentation
All breach response actions, decisions, notifications, and supporting evidence must be documented and retained for a minimum of 6 years. Documentation must include: timeline of events, containment steps, risk assessment findings, notification content and dates, and all communications with Legal Counsel, HHS, and affected individuals.
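Because every deadline in Steps 4 and 6 through 8 runs from the discovery date and depends on how many individuals are affected in total and per state, the response coordinator benefits from computing them once and tracking them. The following is an added example, not part of this SOP or any Unity Care tooling: it encodes the stated deadlines (Legal Counsel within 24 hours; individuals within 60 days; HHS within 60 days via the breach portal at 500 or more affected, otherwise the annual breach log due March 1 of the following year; media within 60 days for any state or jurisdiction with 500 or more affected) and reports which deadlines have already passed. The sample breach (discovery timestamp and per-state counts) is constructed.

```python
"""Breach notification deadline planner for the Section 7 steps of OPS-SOP-033.

Added example, not part of the SOP. It encodes the deadlines stated in
Steps 4 and 6 through 8; the sample breach below is constructed.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List, Union

LARGE_BREACH_THRESHOLD = 500              # Steps 7 and 8
NOTIFICATION_WINDOW = timedelta(days=60)  # Steps 6, 7 and 8
LEGAL_COUNSEL_WINDOW = timedelta(hours=24)  # Step 4


def notification_plan(discovered_at: datetime, affected_by_state: Dict[str, int]) -> dict:
    """Return every deadline the SOP attaches to a confirmed breach.

    discovered_at is when Unity Care discovered (or was notified of) the
    breach; all deadlines run from that point (Section 8, last bullet).
    """
    if any(n < 0 for n in affected_by_state.values()):
        raise ValueError("affected counts cannot be negative")
    total_affected = sum(affected_by_state.values())
    day60 = (discovered_at + NOTIFICATION_WINDOW).date()

    plan = {
        "total_affected": total_affected,
        "legal_counsel_by": discovered_at + LEGAL_COUNSEL_WINDOW,   # Step 4
        "individuals_by": day60,                                    # Step 6
        "hhs_route": "portal" if total_affected >= LARGE_BREACH_THRESHOLD else "annual_log",
        # Step 8: every state/jurisdiction that individually reaches the threshold
        "media_states": sorted(s for s, n in affected_by_state.items()
                               if n >= LARGE_BREACH_THRESHOLD),
    }
    if plan["hhs_route"] == "portal":
        plan["hhs_by"] = day60                               # Step 7, 500+ affected
    else:
        plan["hhs_by"] = date(discovered_at.year + 1, 3, 1)  # Step 7, annual breach log
    plan["media_by"] = day60 if plan["media_states"] else None
    return plan


def overdue_items(plan: dict, as_of: Union[date, str]) -> List[str]:
    """Names of plan deadlines that have passed as of the given date (ISO string or date)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    checks = {
        "legal_counsel_by": plan["legal_counsel_by"].date(),
        "individuals_by": plan["individuals_by"],
        "hhs_by": plan["hhs_by"],
    }
    if plan["media_by"] is not None:
        checks["media_by"] = plan["media_by"]
    return [name for name, deadline in checks.items() if deadline < as_of]


# Constructed sample: breach discovered 10 April 2025, members in two states.
SAMPLE_DISCOVERY = datetime(2025, 4, 10, 9, 30)
SAMPLE_COUNTS = {"MI": 320, "OH": 150}

if __name__ == "__main__":
    for key, value in notification_plan(SAMPLE_DISCOVERY, SAMPLE_COUNTS).items():
        print(f"{key:18} {value}")
```

For the constructed sample (470 affected, no state at 500 or more), the plan routes HHS notification to the annual breach log due 1 March 2026, sets the individual notification deadline at 9 June 2025, and requires no media notice; raising Michigan to 600 switches HHS to the portal within 60 days and adds Michigan to the media list. Note that the plan only applies once Legal Counsel has confirmed, through the four-factor assessment, that the event is a notifiable breach.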
8. Business Associate Breach
If a Business Associate (vendor) experiences a breach involving Unity Care PHI, the Business Associate must notify Unity Care without unreasonable delay and within 60 days of discovering the breach (per standard BAA terms). Upon receiving notice of a Business Associate breach:
- Operations Director is notified immediately
- Legal Counsel is notified within 24 hours
- The breach response process (Section 7) is initiated, with Unity Care as the notifying covered entity
- Unity Care's notification deadlines to individuals and HHS run from the date Unity Care discovered (or was notified of) the breach
9. Roles & Responsibilities
| Role | Responsibilities in This SOP |
| Operations Director | Owns BAA registry; leads breach response coordination; responsible for all notification timelines; executes annual BAA review |
| Legal Counsel (Dickinson Wright) | Negotiates and reviews BAA language; leads four-factor breach risk assessment; advises on notification obligations; drafts breach notifications |
| All Staff / Contractors | Immediately report any discovered or suspected breach to Operations Director; do not attempt independent investigation or remediation before reporting |
| Leadership | Receives notification of confirmed breaches; approves media and external communications; provides resources for breach response |
| Business Associates (Vendors) | Must notify Unity Care within 60 days of discovering a breach involving Unity Care PHI; must cooperate with Unity Care's breach investigation |