What Is a HIPAA Business Associate Agreement?
A HIPAA business associate agreement (BAA) is a mandatory contract between a covered entity and a business associate that governs the use and disclosure of protected health information (PHI). If a business associate participates in any of the following, they must enter into this contract with the covered entity:
- Creating PHI (generating new health records from raw information)
- Receiving PHI (taking in data from a covered entity for a specific business purpose, such as processing insurance claims)
- Maintaining PHI (storing or holding data on behalf of a client)
- Transmitting PHI (moving data from one location to another, physically or electronically)
This requirement is found under the HIPAA Privacy Rule (45 CFR § 164.502(e) and 164.504(e)). Without this agreement in place, the covered entity is not allowed to share PHI with a vendor or contractor.
With this contract, the business associate becomes directly liable to the Office for Civil Rights for any HIPAA violations. If there is no contract and the vendor loses or misuses PHI, the covered entity is solely responsible for any data breach.
A HIPAA business associate agreement is an effective risk management tool. It becomes enforceable against both parties if either fails to comply with HIPAA regulations. However, once entered, it does not guarantee automatic compliance. The covered entity must conduct audits to hold the associate accountable.
Who Are the Parties to a HIPAA Business Associate Agreement?
Explore the two parties to a HIPAA business associate agreement, a covered entity and a business associate, in more detail:
What Is a Covered Entity?
A covered entity is any health care provider, health plan, or health care clearinghouse that transmits PHI in connection with HIPAA-standard transactions. Covered entities may be individuals or organizations, but they must comply with HIPAA rules. Examples of covered entities include the following:
- Pharmacies
- Nursing homes
- Chiropractors
- Dentists
- Psychologists
- Clinics
- Doctors
- Government programs paying for medical care (like Medicaid, Medicare, and military health care programs)
- Company health plans
- HMOs
- Health insurance companies
How Do I Know What Counts as a Covered Entity?
Use the Centers for Medicare & Medicaid Services’ (CMS’s) Covered Entity Decision Tool to help determine if your practice qualifies as a covered entity.
Who Is a Business Associate?
A business associate is any individual, agency, or organization with access to PHI to perform a service for a covered entity. They can only use or disclose PHI as permitted by their BAA and HIPAA. Obligations of a business associate included in a BAA are:
- To use appropriate safeguards and comply with 45 CFR Subpart C relating to electronic PHI
- To report any prohibited use or disclosure of PHI or security incident to their covered entity (45 CFR § 164.410)
- To ensure any subcontractors that handle PHI on the business associate’s behalf adhere to the same conditions that apply to the business associate (45 CFR 164.502(e)(1)(ii) and 164.308(b)(2))
- To make PHI available in a designated record set to the covered entity (45 CFR 164.524)
- To make any amendments to PHI in a designated record (45 CFR 164.526)
- To maintain and make available the necessary information to provide an accounting of disclosures to the covered entity (45 CFR 164.528)
- To make its records, books, and internal practices available to the Secretary of Health and Human Services, who can determine whether they comply with HIPAA
If you’re hiring an employee who will work with PHI, have them sign a HIPAA employee confidentiality agreement instead of a HIPAA business associate agreement.
What Are Examples of PHI in a BAA?
The HIPAA Privacy Rule defines PHI as all individually identifiable health information. Covered entities and business associates must restrict how they use this information through a BAA. PHI can be in physical or electronic format. Medical data that counts as PHI includes the following:
- An individual’s past, present, or future physical or mental health
- The extent and type of health care a physician provides to an individual
- The past, present, or future payment for an individual’s health care
- An individual’s patient incident reports
How to Write a HIPAA Business Associate Agreement
Writing a business associate agreement for HIPAA compliance helps a covered entity and a business associate protect sensitive PHI. Learn about the HIPAA business associate agreement requirements below.
Step 1 – Provide the Parties’ Information
Provide the name of the covered health care provider (or health care plan/clearinghouse) and the business associate. List each party’s address to further identify them.
Step 2 – Discuss the Business Associate’s Obligations
Discuss the business associate’s reporting and turnaround obligations:
- Access requests. Define the specific timeframe and procedures for providing patient health records to the covered entity or the individual.
- Data amendments. Set a deadline for processing record corrections received from the covered entity.
- Disclosure records. Establish the number of days allowed to fulfill a covered entity’s request for a formal log of health information disclosures.
Step 3 – Describe the Permitted Uses
List the permitted uses and disclosures by the associate. Here are the key permitted uses to include in your BAA:
- The business associate may only use or disclose PHI for the purposes the agreement specifies. You have two options for defining those purposes:
  - Provide a specific list of acceptable purposes.
  - Reference an underlying service agreement.
- The business associate may use or disclose PHI as required by law.
- The business associate agrees to make requests for, uses of, and disclosures of PHI under one of two conditions:
  - Consistent with the covered entity’s policies and procedures for the minimum necessary rule.
  - Subject to the minimum necessary requirements outlined in the agreement.
- The business associate may not use or disclose PHI in a way that would violate 45 CFR Subpart E.
Include any customizations if you want to specify unique purposes. For example, you can allow the business associate to use PHI for data aggregation or internal business purposes, while prohibiting any use for its own benefit unless you explicitly permit it.
Step 4 – Explain Safeguards & Breaches
Discuss the data safeguards that the business associate should implement. These safeguards help protect the availability and confidentiality of PHI. Some safeguards you can incorporate into your agreement include the following:
- Audit trails
- Encryption
- Access controls
You can also define a specific window for the business associate to report and remedy a breach. A defined window facilitates a timely response and ensures that the covered entity has time to meet its own regulatory deadlines. It also puts the business associate on notice that the BAA will be terminated if it does not comply.
Step 5 – Provide Final Contract Details
Name the representatives who will sign the business associate agreement on behalf of both parties. Include the governing law for the BAA and the agreement’s effective date.
What If the Business Associate Hires Subcontractors?
If a business associate hires a subcontractor to perform a service for them (requiring the subcontractor to handle PHI), the parties must enter into a separate HIPAA subcontractor agreement.
The subcontractor has no direct relationship with the covered entity, but it must enter into a separate agreement with the business associate to comply with HIPAA. This contract ensures the subcontractor follows the same strict HIPAA privacy and security rules as the business associate.
Terminating a HIPAA Business Associate Agreement
A HIPAA business associate agreement can terminate by an established end date or for cause if the associate violates a term. In a for-cause situation, the covered entity should terminate the BAA by issuing a written termination notice stating the reason.
Once the agreement terminates, a business associate has the following obligations:
- Only retain PHI that is essential for its continued operations or legal responsibilities.
- Return any remaining PHI to the covered entity (or destroy it).
- Continue using appropriate safeguards to protect any retained electronic PHI.
- Not disclose or use any remaining PHI for prohibited reasons.
HIPAA Business Associate Agreement Sample
See an example of our HIPAA business associate agreement. Reviewing its structure can help you better understand how to write your own. When you’re ready, use Legal Templates’s guided form to draft your own. The final version will be ready for you to download in PDF or Word format.