You must have a HIPAA Business Associate Agreement ( BAA ) in place if you’re a HIPAA-covered entity. To maintain PHI security and overall HIPAA compliance, it must be in place with each of your partners.
Try our Business Associate Agreement template and learn how to use it properly.
What is a HIPAA Business Associate Agreement?
A HIPAA Business Associate Agreement is a contract covered entities must sign with any third-party service provider, called business associates, that will have access to PHI (protected health information).
Also called a Business Associate Contract, this document is essential to protecting how sensitive health information is handled and achieving overall HIPAA compliance. 
Who Needs a Business Associate Agreement (BAA)?
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements with every third-party service provider that may come into contact with protected health information (PHI). 
Business associate agreements are just one aspect of HIPAA compliance, but they’re essential in ensuring business associates properly handle and safeguard PHI.
What is a Covered Entity?
A covered entity is any individual or organization that must comply with HIPAA, including healthcare providers, health plans, and healthcare clearinghouses.
Since covered entities are already required to follow the HIPAA privacy rule, one covered entity can disclose PHI to another covered entity without a business associate agreement.
The CMS-covered entity guidance tool can help determine if your practice must be HIPAA-compliant. 
What is PHI?
The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information”. This means that common information in any form that could be used to identify someone, such as a person’s full name, address, or Social Security Number, must be restricted in how covered entities and business associates use it through a business associate agreement.
Additionally, medical data that is considered protected health information (PHI) includes:
- an individual’s past, present, or future physical or mental health,
- the extent and type of health care provided to an individual, and
- the past, present, or future payment for an individual’s health care
Who is Considered a Business Associate?
A business associate is any individual, agency, or organization that has access to protected health information (PHI) in order to perform a service for a covered entity.
Examples of business associates include:
- A CPA firm whose accounting services require a healthcare provider to disclose PHI.
- A consultant who performs utilization reviews for a hospital.
- A healthcare clearinghouse translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and then forwards the processed transaction to an insurance payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan’s pharmacist network.
A business associate can only use or disclose PHI as described in the business associate agreement.
Employees and contractors hired to work solely for the covered entity are not considered business associates and should instead sign a confidentiality agreement to ensure they meet HIPAA compliance requirements.
What is a Business Associate Subcontractor?
A business associate subcontractor is an organization or individual that can access PHI when providing a service for a business associate.
Common examples of associate business subcontractors are:
- Email encryption providers
- File sharing vendors
The subcontractor has no contact with a covered entity but must sign a business associate subcontractor agreement (BASA) with the business associate to comply with HIPAA.
HIPAA Business Associate Agreement Requirements
According to HIPAA, a Business Associate Agreement must contain the following:
- What are the business associate’s permitted and required uses and disclosures of PHI are
- A clause stating the business associate will not use or further disclose PHI other than as permitted by the BAA or as required by law
- What measures the business associate must take to keep PHI secure
- The steps the business associate must take in the event of a breach or unauthorized disclosure of PHI
Our free business associate agreement template also includes optional clauses to consider, like how amendments to the agreement should be handled.
Business Associate Agreement Sample
What Happens if a Business Associate Violates a BAA?
If a business associate operating under a BAA mishandles PHI or otherwise violates the agreement, the covered entity must take steps to cure the breach, end the violation, or terminate the contract with the business associate to avoid being held liable under HIPAA.
Business associates must notify the covered entity of a breach within certain days specified in the business associate agreement and may also have to inform affected individuals.
Depending on the severity of HIPAA violations can come with penalties such as fines or jail time, so creating a clear and detailed business associate agreement is essential to protect PHI.