You need to have a HIPAA Business Associate Agreement (BAA) in place if you’re a HIPAA-covered entity. To maintain PHI security and overall HIPAA compliance it must be in place with each of your partners.
Try our Business Associate Agreement template and learn more about how to use it properly.
What is a HIPAA Business Associate Agreement?
A HIPAA Business Associate Agreement is a contract that covered entities are required to sign with any third-party service provider, called business associates, that will have access to PHI (protected health information).
Also called a Business Associate Contract, this document is an essential part of protecting how sensitive health information is handled and achieving overall HIPAA compliance. 
Who Needs a Business Associate Agreement (BAA)?
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements with every third-party service provider that may come into contact with protected health information (PHI).
Business associate agreements are just one aspect of HIPAA compliance, but they’re essential in ensuring business associates are properly handling and safeguarding PHI.
What is a Covered Entity?
A covered entity is any individual or organization that must comply with HIPAA, including healthcare providers, health plans, and healthcare clearinghouses.
Since covered entities are already required to follow the HIPAA privacy rule, one covered entity can disclose PHI to another covered entity without a business associate agreement.
The CMS covered entity guidance tool can help determine if your practice must be HIPAA-compliant. 
What is PHI?
The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information”. This means that common identifying information in any form, such as a person’s full name, address, or Social Security Number, must be restricted in how it’s used by covered entities and business associates, and a business associate agreement is what sets out those restrictions.
Additionally, medical data that is considered protected health information (PHI) includes:
- an individual’s past, present or future physical or mental health,
- the extent and type of health care provided to an individual, and
- the past, present, or future payment for an individual’s health care
Who is Considered a Business Associate?
A business associate is any individual, agency, or organization that has access to protected health information (PHI) in order to perform a service for a covered entity.
Examples of business associates include:
- A CPA firm whose accounting services require a healthcare provider to disclose PHI.
- A consultant who performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider, and then forwards the processed transaction to an insurance payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan’s pharmacist network.
A business associate can only use or disclose PHI as described in the business associate agreement.
Employees and contractors who are hired to work solely for the covered entity are not considered business associates, and should instead sign a confidentiality agreement to ensure they meet HIPAA compliance requirements.
What is a Business Associate Subcontractor?
A business associate subcontractor is an organization or individual that can access PHI when providing a service for a business associate.
Common examples of business associate subcontractors are:
- Email encryption providers
- File sharing vendors
The subcontractor has no contact with a covered entity but must sign a business associate subcontractor agreement (BASA) with the business associate to comply with HIPAA.
HIPAA Business Associate Agreement Requirements
According to HIPAA, a Business Associate Agreement must contain the following:
- What the business associate’s permitted and required uses and disclosures of PHI are
- A clause stating the business associate will not use or further disclose PHI other than as permitted by the BAA or as required by law
- What measures the business associate must take to keep PHI secure
- The steps the business associate must take in the event of a breach or unauthorized disclosure of PHI
Our free business associate agreement template also includes optional clauses to consider, like how amendments to the agreement should be handled.
Business Associate Agreement Sample
HIPAA Business Associate Agreement
What Happens if a Business Associate Violates a BAA?
If a business associate operating under a BAA mishandles PHI or otherwise violates the agreement, the covered entity is required to take steps to cure the breach, end the violation, or terminate the contract with the business associate to avoid being held liable under HIPAA.
Business associates are required to notify the covered entity of a breach within a certain number of days specified in the business associate agreement, and may also have to inform affected individuals.
HIPAA violations can come with penalties such as fines or jail time depending on the severity, so it’s essential to create a clear and detailed business associate agreement to protect PHI.