Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

What is a HIPAA Business Associate Agreement?

Summary:

Business Associate Agreements (BAAs) for HIPAA Compliance What is a Business Associate Agreement (BAA)?A Business Associate Agreement (BAA) is a legally binding business associate contract between a Covered Entity (healthcare provider, health insurance companies, company health plans, etc.) and a Business Associate (BA) (Third party administrators (TPA), health insurance agent, IT professionals, attorneys, etc.). This […]

Business Associate Agreements (BAAs) for HIPAA Compliance

What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a legally binding business associate contract between a Covered Entity (healthcare provider, health insurance companies, company health plans, etc.) and a Business Associate (BA) (Third party administrators (TPA), health insurance agent, IT professionals, attorneys, etc.). This agreement, required by law, outlines each party’s safeguarding responsibilities for Protected Health Information (PHI).

Why are BAAs Important?
HIPAA privacy rules require Covered Entities to ensure the BAs they work with meet the specific security standards necessary to handle protected health information. A BAA helps demonstrate this commitment and protects both parties in case of a data breach.

Who is a Business Associate (BA)?
Any person or entity providing services to a Covered Entity that may involve access to or disclosure of PHI is considered a BA.

Who needs to sign a Business Associate Agreement under HIPAA?

BAAs must be signed by any person or entity (BA) that creates, receives, maintains, or transmits PHI on behalf of the Covered Entity or another BA, including subcontractors.

Do Business Associate Agreements expire?

HIPAA does not require expiration dates on BAAs, which means it’s possible for them to remain in effect indefinitely. However, a BAA can have an expiration date, which is why it’s crucial for Covered Entities and BAs to continually review the agreement to ensure it hasn’t expired and complies with HIPAA. We encourage all clients to review agreements at least every three years.

Common BAs include:

  • Cloud storage providers: Companies that store PHI on remote servers
  • Billing companies: Businesses that handle medical billing and insurance claims
  • IT service providers: Companies that provide IT support for healthcare organizations
  • Law firms: Attorneys who handle legal matters involving healthcare organizations
  • Shredding companies: Businesses that securely destroy PHI
  • Medical equipment service companies: Companies that repair or maintain medical equipment that may contain PHI
  • Accounting firms: Accountants who handle financial information related to healthcare organizations
  • Consulting firms: Consultants who provide advice or assistance to healthcare organizations
  • Medical transcription services: Companies that transcribe medical records
  • Translation services: Companies that translate medical records into different languages
Infographic of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors

Identifying Business Associate Subcontractors (BASs)

A BA can also use a subcontractor (BAS) to perform some of its services. A Business Associate Subcontractor Agreement is required between the BA and the BAS if the BAS accesses PHI. It is important to ask your BAs if they have contractors they use on your behalf and if a proper BAA is in place. Remember, under the Common Agency Provision, your BAs issues become yours.

What Should a BAA Include?

According to the Department of Health and Human Services (HHS), a BAA should address:

  • Permitted or Required Uses of PHI: Clearly define how the BA can use PHI. This includes specifying whether the BA can handle PHI for treatment, payment, or healthcare operations.
  • Safeguards: Outline the security measures the BA will implement to protect PHI. These measures should include administrative, physical, and technical safeguards to protect the PHI’s confidentiality, integrity, and availability.
  • Disclosures: Specify how the BA can disclose PHI to other parties. For example, the BAA may allow the BA to disclose PHI to a subcontractor or law enforcement agency as required.
  • Term and Termination: Specify the duration of the agreement and the conditions under which either party can terminate it.
  • Data Ownership: Clarify who owns the PHI and who has the right to access it.
  • Audit Rights: Grants the Covered Entity the right to audit the BA’s compliance with HIPAA.
  • Notification of Breaches: Specify how the BA will notify the Covered Entity of any data breaches.
  • Subcontractor Agreements: If the BA uses subcontractors, the BAA should require the BA to have BAA agreements with its subcontractors.
  • Liability: Address the liability of the BA for any HIPAA violations.
  • Indemnification Clause: Address how your organization will be made whole if an action causes a data breach. While not explicitly required under HIPAA, this is a best business practice and will help facilitate a quicker resolution if any issues were to arise.
  • Governing Law: Specify the governing law that will apply to the agreement.
  • Dispute Resolution: Specify the method for resolving any disputes between the parties.

Consequences of Non-Compliance

Both Covered Entities and BAs can face significant civil and even criminal penalties for failing to comply with HIPAA regulations. These penalties can include fines, corrective actions, and even imprisonment.

Conclusion:
Having a BAA in place is essential for any organization working with PHI. By understanding BA requirements and ensuring your agreements are up to date, you can help maintain HIPAA compliance and protect sensitive patient data.

Next Steps:

Where Can I Get a Business Associate Agreement? We’ve got you covered!

DOWNLOAD BAA TEMPLATE

Learn More About our HIPAA Compliance Services

Consult with an Attorney: If you have questions about BAAs or HIPAA compliance, it’s recommended you consult with an attorney .

Remember, this agreement is only one piece of the compliance puzzle. To be fully compliant, you must complete a Risk Assessment, maintain current copies of all documents required by HIPAA, train your staff, and more.

Our HIPAA Prime program does all this and more, ensuring compliance for your business.

To learn more or get started, reach out to us via clarity call today.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts provides affordable rates and personalized solutions to help you become HIPAA compliant.

We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance.

Email us at info@totalhipaa.com to learn how we can help you protect your patients, employees, and business.

Sources

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
http://searchsecurity.techtarget.com/definition/business-associate
https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Yes, HIPAA protections continue long after a patient has passed away. Under the HIPAA Privacy Rule, Protected Health Information (PHI) remains safeguarded for 50 years following the date of death. During this time, the same privacy standards apply, though specific exceptions allow for disclosures to executors, funeral directors, and family members involved in the patient’s prior care.

HIPAA Compliance: A Constant Pulse, Not an Annual Event

HIPAA Compliance: A Constant Pulse, Not an Annual Event

Even though people talk about an “annual HIPAA audit,” compliance isn’t just a once-a-year task. To stay compliant, organizations can’t just “set it and forget it”; they need to constantly manage risks. Staying on top of things is the only way to be ready for an audit at any time.

The $245,000 Wake-Up Call: Why Your Employee Benefits Plan is a HIPAA Target

The $245,000 Wake-Up Call: Why Your Employee Benefits Plan is a HIPAA Target

The $245,000 settlement against a small health plan isn’t just a headline, it’s a warning. Many employers mistakenly believe their benefit plans are “too small to notice,” but federal regulators are proving otherwise. This post breaks down how a lack of formal risk analysis and missing security training can turn a routine oversight into a quarter-million-dollar disaster. Learn the specific steps you must take to shield your organization from becoming the next case study in HIPAA non-compliance.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)