Clause-by-clause Business Associate Agreement analysis against 45 CFR 164.504. Evaluates all required HIPAA BAA provisions with risk scoring, contract language citations, and specific remediation recommendations.

From document to output

Provide your BAA

Paste or upload your Business Associate Agreement text

Parties are identified

The Covered Entity and Business Associate are extracted from the agreement

Provisions are checked

Every required BAA element under 45 CFR 164.504 is assessed

Risks are scored

Each gap is rated critical, high, medium, or low based on regulatory exposure

Contract language suggested

Specific remediation language you can use to amend deficient clauses

What you get back

Every finding is structured JSON: status, evidence, risk level, and remediation in one package. No interpretation required before acting on it.

Example response
{
  "provision": "Subcontractor Requirements",
  "status": "deficient",
  "risk_level": "high",
  "baa_text_excerpt": "Business Associate shall require its subcontractors to protect PHI.",
  "gap_description": "Overly vague. Does not require written subcontractor BAAs per 2013 Omnibus Rule.",
  "recommendations": [
    "Require written agreements with same restrictions",
    "Include Security Rule flow-down obligations"
  ]
}

Two ways to run this skill

Install on ClawHub

One-click install for Claude and Cowork users. The skill runs as a native tool in your Claude environment — no configuration, no MCP setup. Apache 2.0.

Get on ClawHub →
BAA Review SKILL.md

Install as an MCP server in Claude Code, or download the SKILL.md and use it as a system prompt with any LLM. Runs the full methodology against documents you provide. Apache 2.0. No account required.

Seven more skills in the methodology.

HIPAA Gap Analysis, BAA Review, Framework Mapping, Control Assessment, Risk Assessment, Compliance Q&A, Compliance Posture Intake, and Document Finder. All open source under Apache 2.0.