What is a Business Associate Agreement and with Whom Do I Need One?

Many organizations would be hard pressed to run a business without hiring third-party help. With everything it takes to make a business run smoothly, hiring outside help when you need extra hands, or because an area isn’t your expertise, makes good business sense. To stay HIPAA compliant, a Covered Entity must, under the HIPAA Privacy Rule, have a signed Business Associate Agreement (BAA) with any Business Associate (BA) it hires that may come in contact with PHI. The HIPAA Omnibus Rule changed how Business Associates and Business Associate Subcontractors (BAS) can be held liable for potential HIPAA violations. This means it’s in both the Covered Entity’s and the Business Associate’s best interest to have a thorough understanding of their relationship and of how each is expected to maintain the security of patient, client, or employee data.

Who is a Business Associate or a Business Associate Subcontractor, and what needs to be in the agreement between these businesses? This week, we’ll discuss the requirements for a Business Associate and a Business Associate Subcontractor, as well as what a Business Associate Agreement is and the specifics associated with it. Before we break down the details of classifying your vendors, take a look at the infographic below to get an understanding of the differences among Covered Entities, Business Associates, and Business Associate Subcontractors.


What is a Business Associate Agreement?

A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI. HIPAA requires a Covered Entity to obtain satisfactory assurances from its Business Associate that the Business Associate will appropriately safeguard any PHI it receives or creates on behalf of the Covered Entity. These assurances have to be in writing, in the form of a contract or other agreement between the Covered Entity and the BA.1

As of February 18, 2010, HHS can audit Business Associates and Business Associate Subcontractors for HIPAA compliance, not just Covered Entities. This means an agreement must be in place at each link in the chain: between the Covered Entity and its Business Associate, and between the Business Associate and each of its Subcontractors. It’s in everyone’s best interest to have these agreements in place, since all three classifications are responsible for the safekeeping of PHI.

Among other provisions, the Business Associate/Subcontractor Agreement must, according to HHS:

  • Describe the permitted and required uses of PHI by the Business Associate/Subcontractor;
  • Provide that the Business Associate/Subcontractor will not use or further disclose PHI other than as permitted or required by the contract or as required by law;
  • Require the Business Associate/Subcontractor to use appropriate safeguards to prevent inappropriate use or disclosure of PHI.

Once Covered Entities, Business Associates, and Business Associate Subcontractors have identified their relationships with one another, it is necessary to ensure that any third parties will guard the PHI they receive. A signed agreement documents that the BA knows it must handle PHI safely.

Understanding Who Your Business Associates and Business Associate Subcontractors Are

Who are Your Business Associates?

You need to be able to classify the people and companies you work with before you know what HIPAA requires of each. As defined by the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate is any organization or person working in association with, or providing services to, a Covered Entity that creates, receives, maintains, or discloses Protected Health Information (PHI) on the Covered Entity’s behalf.2

Potential Business Associates are people or companies like:

  • Accounting or consulting firms
  • Cloud vendors
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Lawyers
  • Medical equipment service companies handling equipment that holds PHI
  • Translator services
  • Shredding services
  • File sharing vendors
  • Information Technology vendors

According to the Department of Health and Human Services (HHS), Covered Entities may disclose PHI to a Business Associate “only to help the Covered Entity carry out its health care functions – not for the Business Associate’s independent use or purposes.”1 This means that a Business Associate/Subcontractor cannot use the PHI it receives from the Covered Entity for its own purposes, such as an email marketing campaign.

Who are Business Associate Subcontractors?

A Business Associate Subcontractor is a person or entity to which a Business Associate delegates a function, activity, or service.3 Just as a Covered Entity receives help from a Business Associate, BAs employ their own help – and those people or companies are considered their Business Associate Subcontractors. The Business Associate is required to have a Business Associate Subcontractor Agreement with each of them. The BA and BAS Agreements are almost identical – the primary difference is the definition of the category.

Who is not considered a Business Associate/Subcontractor?

Business Associate/Subcontractor exceptions include, but are not limited to, entities that merely transmit PHI and are therefore considered ‘conduits’ for it, such as:

  • Internet Service Providers
  • The US Postal Service
  • Other courier services1

Contractors and Confidentiality Agreements

If an individual is a contractor working exclusively for your company, an individual with other clients, or someone hired through a staffing business, they are not considered a Business Associate, but your company will still be responsible if one of these individuals causes a breach of PHI.

For these types of workers who are not Business Associates, Total HIPAA recommends the following. If the “employee” is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate the privacy and security policies and procedures required of a Business Associate or a Subcontractor BA. It is meaningless to ask them to sign a Business Associate Agreement or a Subcontractor Business Associate Agreement because they will not have the compliance infrastructure HIPAA requires.

Instead, ask them to sign a confidentiality agreement. These are a few of the items included in the confidentiality agreement provided by Total HIPAA:

  • What information is covered by the agreement
  • The types of information that cannot be copied or modified
  • A requirement that information be returned upon request by the employer
  • Disciplinary action for persons responsible for a breach of confidential information

Total HIPAA also recommends the individual be included in all training activities.

For more information on contractors, take a look at our blog, Preparing Contractors for HIPAA Compliance, as well as our podcast, Should Employers Train Contractors Who See PHI? 

What Happens If My Business Associate/Subcontractor Discloses PHI?

Failure of a Business Associate/Subcontractor to meet the requirements of an agreement can have substantial ramifications:

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”4

“If a Business Associate/Subcontractor breaches or violates a Business Associate/Subcontractor Agreement, the Covered Entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a Covered Entity is required to report the problem to the HHS Office for Civil Rights.”1

How can Total HIPAA help me with my Employees, Contractors, Business Associates, and/or Business Associate Subcontractors?

Total HIPAA offers a comprehensive solution for each and every relationship your organization has. From an award-winning HIPAA training solution for your employees to contracts and agreements, we can service your needs so that you’ve protected your business. HIPAA compliance isn’t a suggestion – it’s the law. Call us today at 800.344.6381.

  1. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
  2. http://searchsecurity.techtarget.com/definition/business-associate
  3. https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__
  4. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html