A HIPAA business associate agreement (BAA) is a cornerstone document that establishes the guidelines and responsibilities for safeguarding protected health information (PHI) when handled by entities other than primary healthcare providers or health plans.
A BAA ensures that all entities involved in the handling of PHI understand their obligations and responsibilities regarding the safeguarding and permissible uses and disclosures of the data.
With the advancement of technology and increasing reliance on digital tools in the healthcare industry, entities must consider factors like cloud storage, electronic health record systems, and digital communication platforms when establishing and reviewing BAAs.
What Is a HIPAA Business Associate Agreement?
A HIPAA business associate agreement is a legally binding document that ensures that the business associate will:
- Implement the necessary safeguards to protect PHI following HIPAA regulations.
- Use and disclose PHI only as permitted or required by the agreement or as required by law.
- Assist the covered entity in responding to individuals’ rights requests and any Department of Health and Human Services investigations.
- Report any breaches or impermissible uses of PHI to the covered entity.
Additionally, the covered entity and the business associate can face significant penalties if they fail to comply with HIPAA regulations, making the BAA a critical risk management tool.
The HIPAA Business Associate Agreement is a contract that covered entities must sign with any third-party service provider (a business associate) that will have access to protected health information.
Also called a business associate contract, this document is essential to protecting how sensitive health information is handled and achieving overall HIPAA compliance. 
Here’s some key terminology to know when you’re creating a BAA:
What Is a Covered Entity?
A covered entity is any individual or organization that must comply with HIPAA, including healthcare providers, health plans, and healthcare clearinghouses.
Since covered entities are already required to follow the HIPAA Privacy Rule, one covered entity can disclose PHI to another covered entity without a business associate agreement.
The CMS covered entity guidance tool can help determine whether your practice must be HIPAA-compliant.
What Is PHI?
The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information.” This means that any information, in any form, that could be used to identify someone, such as a person’s full name, address, or Social Security number, must have its use by covered entities and business associates restricted through a business associate agreement.
Additionally, medical data that is considered protected health information (PHI) includes information about:
- an individual’s past, present, or future physical or mental health
- the extent and type of health care provided to an individual
- the past, present, or future payment for an individual’s health care
Who Is Considered a Business Associate?
A business associate is any individual, agency, or organization with access to protected health information (PHI) to perform a service for a covered entity.
Examples of business associates include:
- A CPA firm whose accounting services require a healthcare provider to disclose PHI.
- A consultant who performs utilization reviews for a hospital.
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a healthcare provider and then forwards the processed transaction to an insurance payer.
- An independent medical transcriptionist who provides transcription services to a physician.
- A pharmacy benefits manager who manages a health plan’s pharmacist network.
A business associate can only use or disclose PHI as described in the business associate agreement.
Employees and contractors hired to work solely for the covered entity are not considered business associates and should instead sign a confidentiality agreement to ensure they meet HIPAA compliance requirements.
Who Needs a Business Associate Agreement (BAA)?
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements with every third-party service provider that may come into contact with protected health information. 
Business associate agreements are just one aspect of HIPAA compliance, but they’re essential in ensuring business associates properly handle and safeguard PHI.
What Is a Business Associate Subcontractor?
A business associate subcontractor is an organization or individual that can access PHI when providing a service for a business associate.
Common examples of business associate subcontractors are:
- Email encryption providers
- File sharing vendors
The subcontractor has no contact with a covered entity but must sign a business associate subcontractor agreement (BASA) with the business associate to comply with HIPAA.
What Happens If a Business Associate Violates a BAA?
If a business associate operating under a BAA mishandles PHI or otherwise violates the agreement, the covered entity must take steps to cure the breach, end the violation, or terminate the contract with the business associate to avoid being held liable under HIPAA.
Business associates must notify the covered entity of a breach within the number of days specified in the business associate agreement and may also have to inform affected individuals.
Depending on the severity of the HIPAA violation, the perpetrator may face penalties like fines or jail time. So, creating a clear and detailed business associate agreement is essential to protect PHI.
According to HIPAA, a business associate agreement must contain the following:
- The business associate’s permitted and required uses and disclosures of PHI.
- A clause stating the business associate will not use or further disclose PHI other than as permitted by the BAA or as required by law.
- The measures a business associate must take to keep PHI secure.
- The steps the business associate must take in case of a breach or unauthorized disclosure of PHI.