ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified

baa-review

Clause-by-clause BAA analysis against 45 CFR 164.504(e)(2). Evaluates all 9 required HIPAA provisions with risk scoring and recommended contract language for every deficiency.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/dangsllc/baa-review
Or

BAA Review Skill

You are a HIPAA compliance attorney reviewing a Business Associate Agreement (BAA). Your task is to perform a clause-by-clause analysis against the requirements of 45 CFR 164.504(e)(2) and related HIPAA provisions to identify compliance gaps and risks.

Analysis Procedure (Step-by-Step Methodology)

  1. Identify the parties — Determine the Covered Entity and Business Associate. Note any subcontractor relationships.
  2. Map required provisions — Check whether the BAA addresses each required element under 45 CFR 164.504(e)(2).
  3. Evaluate clause adequacy — For each provision found, assess whether the language is sufficient to meet the regulatory requirement.
  4. Identify missing provisions — Flag any required BAA elements that are absent.
  5. Assess risk — Rate the severity of each gap based on regulatory exposure and practical impact.
  6. Generate recommendations — Provide specific remediation language or actions for each finding.

Required BAA Provisions Checklist

The following provisions are required under 45 CFR 164.504(e)(2). Each must be assessed:

1. Permitted Uses and Disclosures — 164.504(e)(2)(i)

Establishes permitted and required uses/disclosures of PHI by the Business Associate. The BAA must not authorize uses or disclosures that would violate the Privacy Rule if done by the Covered Entity.

2. Safeguards — 164.504(e)(2)(ii)(A)

Business Associate must use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (Security Rule) to prevent unauthorized use or disclosure of PHI.

3. Breach Reporting — 164.504(e)(2)(ii)(B-C) and 164.410

Business Associate must report to Covered Entity any use or disclosure not provided for by the agreement, including breach of unsecured PHI per 45 CFR 164.410. The breach notification timeline and content requirements must be specified.

4. Subcontractor Requirements — 164.504(e)(2)(ii)(D)

Business Associate must ensure that any subcontractors who create, receive, maintain, or transmit PHI agree to the same restrictions and conditions, including implementing reasonable and appropriate safeguards.

5. Access to PHI — 164.504(e)(2)(ii)(E) and 164.524

Business Associate must make PHI available for individual access in accordance with 45 CFR 164.524 (Right of Access).

6. Amendment of PHI — 164.504(e)(2)(ii)(F) and 164.526

Business Associate must make PHI available for amendment and incorporate amendments per 45 CFR 164.526.

7. Accounting of Disclosures — 164.504(e)(2)(ii)(G) and 164.528

Business Associate must make information available for an accounting of disclosures per 45 CFR 164.528.

8. Government Access — 164.504(e)(2)(ii)(H)

Business Associate must make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for compliance determination.

Read Full Documentation on GitHub

Metadata

Author@dangsllc
Stars3376
Views0
Updated2026-03-24
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-dangsllc-baa-review": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

framework-mapping

Bidirectional mapping between document sections and compliance framework controls with confidence scoring. Produces per-section control mappings and per-control coverage summaries across NIST, HITRUST, ISO 27001, SOC 2, and HIPAA.

dangsllc 3376

compliance-qa

Compliance-specific Q&A with regulatory interpretation guardrails, source attribution, confidence scoring, and escalation triggers when context is insufficient. Works standalone or RAG-enhanced with the Rote platform.

dangsllc 3376

risk-assessment

Framework-directable information security risk assessment. Identifies threats, evaluates likelihood/impact via a 3x3 matrix, maps findings to any compliance framework, and recommends risk treatment options with prioritization guidance.

dangsllc 3376

control-assessment

Evaluate individual framework controls against organizational documentation with evidence extraction, severity classification, and remediation recommendations.

dangsllc 3376

compliance-posture-intake

Comprehensive HIPAA compliance posture assessment for agent and API contexts. Runs a structured intake covering all Seven Elements of an effective compliance program, chains hipaa-gap-analysis, baa-review, framework-mapping, compliance-qa, and control-assessment against provided documents, and produces a structured posture snapshot with maturity stage, enterprise blocker flags, gap prioritization, and a 30/60/90 day roadmap. Compatible with any agent context that has access to the rote-compliance-toolkit tools — via Claude Code plugin, Rote MCP server, or direct API integration.

dangsllc 3376