We receive a lot of calls from agents confused about which Business Associate Agreement (BAA) goes to which party. First, imagine a downstream model: at the top is a Covered Entity, then comes the Business Associate, then the Subcontractor.
The health insurance agent is a Business Associate. The employer or the group health plan is the Covered Entity. The Subcontractor is someone who works for a Business Associate and has possible exposure to Protected Health Information (PHI). However, a vendor (such as an IT vendor) can be both a Business Associate, if working for a Covered Entity, and a Subcontractor, if working for a Business Associate.
Business Associate Agreement
To answer the question, the Business Associate Agreement is supposed to come from your client (Covered Entity) but in all likelihood they won’t send you one. We recommend you take a proactive position, sign the BAA and send it to your client. You do not need to get it back because it’s their responsibility to have one on file with your signature. As always, make sure you keep a copy of it so you have something for your records.
Business Associate Subcontractor Agreement
The Business Associate Subcontractor Agreement is a document you send to everyone who may have exposure to PHI: your building manager, cleaning crew, shredding company, your IT vendor, and any other company that is your contractor or gets a 1099 from you. In this case, the Subcontractor should sign the agreement and return it to you. A signature is not enough. The Subcontractor must also have Policies and Procedures in place, complete a risk assessment and be trained.