Business Associate Agreement: Everything Explained

The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.

The HIPAA Omnibus Rule changed how BAs and Business Associate Subcontractors (BAS) can be held liable for potential HIPAA violations. Therefore, it is in the Covered Entity’s and the BA’s best interest to maintain a thorough understanding of their relationship and how they expect one another to secure patient, client, or employee data.

But let’s face it, running a business without any help from third parties is difficult, if not impossible. Hiring outside help when you need extra hands or have special needs often makes good business sense.

Who is a Business Associate or a Business Associate Subcontractor, and what needs to be in the agreement between these businesses?

This week, we discuss the requirements of a BA and BAS and the specifics of a Business Associate Agreement (BAA). Before we break down the details of classifying your vendors, take a look at this infographic to get an understanding of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors.

Infographic of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors

What is a Business Associate Agreement?

A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

HIPAA requires Covered Entities to only work with Business Associates who assure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA.1

HHS can audit BAs and Subcontractors for HIPAA compliance, not just Covered Entities. This means that organizations must have a Business Associate Agreement (BAA) for all three levels in order to meet the requirements of HIPAA. It’s in both of your best interests to have an agreement since all three classifications are responsible for protecting PHI.

The Business Associate/Subcontractor Agreement must include the following information, according to HHS:

  • Describe the permitted and required PHI uses by the Business Associate/Subcontractor
  • Provide that the Business Associate/Subcontractor will not use or further disclose PHI other than as permitted or required by the contract or as required by law
  • Require the Business Associate/Subcontractor to use appropriate safeguards to prevent inappropriate PHI use or disclosure

Once Covered Entities, Business Associates, and Business Associate Subcontractors have identified their relationship with one another, it is necessary to ensure that any third parties will guard the PHI they receive. A signed agreement documents that the BA knows it must handle PHI safely.

Understanding Who Your Business Associates and Business Associate Subcontractors Are

Who are Your Business Associates?

You need to be able to identify the classification of your workforce before you know what HIPAA requires. As defined by the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate is any organization or person working in association with or providing services to a Covered Entity who generates, handles, or discloses Protected Health Information (PHI).2

Potential Business Associates are people or companies like:

  • Accounting or consulting firms
  • Cloud vendors
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Lawyers
  • Medical equipment service companies handling equipment that holds PHI
  • Translator services
  • Shredding services
  • File sharing vendors
  • Information Technology vendors

According to HHS, Covered Entities may only disclose PHI to an entity to help carry out its healthcare functions, not for the Business Associate’s independent use or purposes.1 For example, a Business Associate/Subcontractor cannot use the PHI from the Covered Entity for its own email campaign.

Who are Business Associate Subcontractors?

A Business Associate Subcontractor is a person or entity to which a Business Associate delegates a function, activity, or service.3 While a Covered Entity receives help from Business Associates, BAs employ their own help. HIPAA refers to these people and companies as Business Associate Subcontractors.

Similarly, Business Associates must have a Business Associate Subcontractor Agreement with their BASs. The BA and BAS Agreements are almost identical; the primary difference is the definition of the category.

Who is not considered a Business Associate/Subcontractor?

Business Associate/Subcontractor exceptions include, but are not limited to, the following examples considered ‘conduits’ for PHI:

  • Internet Service Providers
  • US Postal Service
  • Other courier services1

Contractors and Confidentiality Agreements

Contractors working exclusively for your company, individuals with other clients, and workers hired through a business are not Business Associates. However, your company is responsible if one of these individuals breaches PHI.

For these types of employees who are not Business Associates, Total HIPAA recommends this: If the “employee” is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate policies and procedures for privacy and security like a BA or BAS. It is meaningless to ask them to sign a BAA or a Subcontractor BAA because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. We include these items in the confidentiality agreements we provide for our clients:

  • The type of information the agreement covers
  • The type of information that cannot be copied or modified
  • A requirement that information be returned upon the employer’s request
  • Disciplinary action for persons responsible for a breach of confidential information

Additionally, we recommend that the entity include these contractors in all training activities.

For more information on contractors, take a look at our blog post, Preparing Contractors for HIPAA Compliance, as well as our podcast, Should Employers Train Contractors Who See PHI?

What Happens If My Business Associate/Subcontractor Discloses PHI?

Finally, a Business Associate/Subcontractor’s failure to meet the requirements of an agreement could result in substantial ramifications:

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”4

When a Business Associate/Subcontractor breaches or violates a BAA, the Covered Entity must take reasonable steps to cure the breach or end the violation. “If such steps are unsuccessful, they must terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a Covered Entity is required to report the problem to HHS Office for Civil Rights.”1

Where Can I Get a Business Associate Agreement?

Good news! We offer a FREE Business Associate Agreement template on our site. Click the button below and enter your email to receive your BAA today.

Remember, having this agreement is only one piece of the compliance puzzle. To be fully compliant, you must complete a Risk Assessment, maintain current copies of all documents required by HIPAA, train your staff, and more. Our HIPAA Prime program does all this and more, ensuring compliance for your business.

To learn more or get started, email today.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.
