HIPAA Business Associate Agreement Template

Here’s some key terminology to know when creating a BAA:

Covered Entity

A covered entity is any health care provider, health plan, or health care clearinghouse that must comply with HIPAA rules [1] . It can be an individual or an organization. Examples of covered entities include the following:

The CMS-covered entity guidance tool can help determine if your practice must be HIPAA-compliant [2] .

Protected Health Information

The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information.” [3] Covered entities and business associates must restrict how they use this information, including a person’s full name, address, or Social Security Number, through a BAA.

Some medical data that falls under the categorization of PHI includes the following:

• An individual’s past, present, or future physical or mental health.
• The extent and type of health care a physician provides to an individual.
• The past, present, or future payment for an individual’s health care.
• An individual’s patient incident reports.

Business Associate

A business associate is any individual, agency, or organization with access to protected health information (PHI) to perform a service for a covered entity. They can only use or disclose PHI as their BAA describes.

Data Safeguards

Data safeguards are controls business associates and covered entities implement to protect the PHI’s availability, integrity, and confidentiality.

With the advancement of technology and increasing reliance on digital tools in the health care industry, entities must consider factors like audit trails, encryption, access controls, cloud storage, electronic health record systems, and digital communication platforms when establishing and reviewing BAAs.

While the HIPAA Privacy Rule protects sensitive health information in any medium, the HIPAA Security Rule protects health information in electronic forms [4] .

The Code of Federal Regulations (CFR) outlines three main requirements that a BAA must contain [5] :

Permissible Uses

Here are the permissible uses to include in BAAs [6] :

1. The business associate may only use or disclose protected health information. You have two options:
   1. Provide a specific list of acceptable purposes.
   2. Reference an underlying service agreement.
2. The business associate may use or disclose PHI as the law requires.
3. The business associate agrees to make requests, disclosures, and uses for PHI under one of two conditions:
   1. Consistent with the covered entity’s policies and procedures for the minimum necessary rule.
   2. Subject to outlined minimum necessary requirements.
4. The business associate may not use or disclose PHI in a way that would violate 45 CFR Subpart E.
5. Optional: The business associate may use PHI for the proper management and administration of the business associate or to carry out their legal responsibilities.
6. Optional: The business associate may provide data aggregation services about the covered entity’s health care operations.

Business Associate Obligations

Here are some obligations a business associate must fulfill:

• To not use or disclose PHI as the agreement and HIPAA law forbid.
• To use appropriate safeguards and comply with 45 CFR Subpart C relating to electronic PHI.
• To report any prohibited use or disclosure of PHI or security incident to their covered entity (per 45 CFR § 164.410).
• To ensure any subcontractors that create, maintain, receive, or transmit PHI on the business associate’s behalf adhere to the same requirements, conditions, and restrictions that apply to the business associate (per 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2)).
• To make PHI available in a designated record set to the covered entity (per 45 CFR 164.524).
• To make any amendments to PHI in a designated record (per 45 CFR 164.526).
• To maintain and make available the necessary information to provide an accounting of disclosures to the covered entity (per 45 CFR 164.528).
• To make its records, books, and internal practices available to the Secretary, who can determine if they comply with HIPAA.

Termination Provisions

BAAs can terminate by an established end date or for cause if the associate violates a term.

Once the agreement terminates, a business associate has the following obligations:

• Only retain PHI that’s essential for their continued operations or legal responsibilities.
• Return to the covered entity (or destroy) any remaining PHI.
• Continue using appropriate safeguards for protecting electronic PHI.
• Do not disclose or use any remaining PHI for prohibited reasons.

Explore some examples of BAA failures so you can better understand this document’s purpose:

Asking Every Contractor to Sign a BAA

Some covered entities will insist every contractor enters a BAA even when unnecessary. For example, covered entities may unnecessarily enter into a BAA even though they don’t need it because they’re both subject to HIPAA. A covered entity may also ask a contractor to sign a BAA even if they don’t have access to PHI, which can waste time and resources.

Assuming HIPAA Compliance With a Signed BAA

Simply having a business associate sign a BAA doesn’t guarantee HIPAA compliance. Some covered entities won’t follow through with their due diligence obligations, like auditing business associates, because they assume automatic compliance by completing a BAA.

Not Having a BAA for Business Associates through Which Electronic PHI Passes

Even if you don’t directly disclose PHI to an entity, it might still pass through their systems electronically. If you don’t implement a BAA, you could violate HIPAA as a covered entity.

Only Implementing Encryption as a Safeguard

While encryption is an important safeguard for protecting PHI, you must also implement physical and administrative safeguards to ensure HIPAA compliance.

Explore the differences between a business associate and a subcontractor under HIPAA:

Business Associate

Explore what a business associate is below:

Definition

A business associate is an individual or entity that provides services to or performs specific activities or functions on behalf of a covered entity.

Who Can Be Considered One

Examples of business associates include:

• A CPA firm whose accounting services require a health care provider to disclose PHI.
• A consultant who performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider. Then, it forwards the processed transaction to an insurance payer.
• An independent medical transcriptionist who provides transcription services to a physician.
• A pharmacy benefits manager who manages a health plan’s pharmacist network.

Specific Requirements

Here are some specific requirements for a business associate:

• Enter into and maintain a BAA with a covered entity.
• Offer “satisfactory assurances” that they’ll shield PHI appropriately.
• Comply with all pertinent HIPAA regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule.
• Maintain detailed records, including incident response plans, policies, procedures, security measures, and risk assessments.
• Cooperate with investigations.

Subcontractor

Explore what a subcontractor is and how they differ from a business associate:

Definition

A subcontractor is an organization or individual that can access PHI when providing a service for a business associate.

The subcontractor has no contact with a covered entity but must sign a business associate subcontractor agreement (BASA) with the business associate to comply with HIPAA.

Who Can Be Considered One

Common examples of associate business subcontractors are:

• Email encryption providers
• Attorneys
• File sharing vendors
• Accountants

Specific Requirements

Here are the specific requirements a subcontractor must meet:

• Abide by contractual obligations.
• Implement the proper security measures.
• Assure the business associate they’ll comply with HIPAA.
• Play their role in the chain of responsibility.

If a business associate operating under a BAA mishandles PHI or otherwise violates the agreement, the covered entity must take steps to cure the breach, end the violation, or terminate the contract with the business associate to avoid being held liable under HIPAA.

Business associates must follow the BAA’s guidelines for notifying the covered entity of a breach and may also have to inform affected individuals.

Depending on the severity of the HIPAA violation, the perpetrator may face penalties like fines or jail time. For example, in 2016, Care New England Health System (CNE) had to undergo a comprehensive corrective action plan and pay $400,000 to settle potential HIPAA violations [7] .

Step 1 – Provide the Agreement’s Basic Information

Provide the name of the covered health care provider (or health care plan/clearinghouse) and the business associate. List each party’s address. Include the date you’re entering the agreement.

Step 2 – Define the Business Associate’s Obligations and Activities

Specify that the business associate will gain access to PHI so it can help the covered entity complete its health care activities. Clarify that the information is not for the business associate’s independent use. Include optional activities/obligations, such as handling disclosure requests, amendments, and access requests.

Step 3 – List the Permitted Uses and Disclosures by the Associate

List the permitted uses and disclosures by the associate. Include any customizations, as you may want to specify unique purposes.

Step 4 – State Termination Protocols

State if the agreement terminates on a certain date or if the covered entity can terminate it for a specific cause. Clarify if the business associate has time to cure the breach or end the violation before termination.

Step 5 – Obtain Signatures

Obtain both parties’ signatures and write their titles.

Download a HIPAA business associate agreement template below in PDF or Word format: