How long should a BAA last?

A business associate agreement (BAA) should remain in effect for the entire relationship between the covered entity and the business associate. The agreement should also account for the period after the relationship ends, ensuring that any retained protected health information (PHI) continues to be handled securely and complies with HIPAA regulations. The length of time a BAA should last depends on several factors, including the nature of the services provided, the type of PHI involved, and legal data retention requirements.


What is a business associate, and when is a business associate agreement required?

A business associate is any individual or organization that performs tasks or provides services involving the use or disclosure of protected health information (PHI) on behalf of a covered entity. Common examples include billing, data storage, and IT support. To ensure PHI is handled according to HIPAA's privacy and security rules, a business associate agreement (BAA) is required when a business associate has regular or intentional access to PHI.

The Department of Health and Human Services (HHS) clarifies that a BAA is unnecessary if access to PHI is incidental and not part of the core service provided. For example, tasks performed without managing PHI and where any exposure is unintentional do not require a BAA. However, if services like document shredding or IT support involve routine handling of PHI, a BAA is mandatory.

In some cases, services performed under the direct supervision of the covered entity—such as on-site work—can allow the covered entity to treat those individuals as part of its workforce, eliminating the need for a BAA in those specific situations.


Factors to consider in the duration of a BAA

The length of a BAA isn’t just about the time the agreement is active. It also needs to address how PHI will be managed after the business relationship ends. A well-structured BAA considers both the active relationship period and post-termination obligations.


Active relationship period

The BAA should remain valid for as long as the covered entity and business associate continue working together. As long as the business associate has access to PHI, the agreement must be in place to ensure HIPAA compliance. Ongoing services like billing, data storage, IT support, or any other function that requires the handling of PHI also fall under this requirement. The BAA must remain in effect if a business associate continues to process or store PHI on behalf of the covered entity, even temporarily.

In situations where a business associate provides periodic or project-based services, the BAA should still cover the entirety of the service period. Any access to PHI, even during non-continuous relationships, requires a BAA to be in place.


Post-termination requirements

Once the business relationship ends, the BAA should specify how PHI will be handled. The business associate must either return or securely destroy any PHI they possess unless doing so is not feasible. In cases where destruction is not possible, the agreement should require ongoing protection of PHI in accordance with HIPAA standards to prevent unauthorized access or breaches long after the relationship ends.

The BAA should also outline clear timelines for data return or destruction and any specific procedures the business associate must follow to remain compliant. For example, the agreement may require the business associate to provide written confirmation that all PHI has been returned or destroyed within a specified timeframe.


PHI retention policies

Many healthcare organizations have specific data retention policies, often dictated by state or federal laws. The BAA should align with these policies to ensure PHI is managed appropriately throughout its lifecycle. For example, if a healthcare provider retains medical records for seven years, the BAA should account for how the business associate will handle PHI during and after this period. The BAA should also specify how long the business associate must retain PHI in compliance with legal and contractual requirements.

When data retention policies differ between the covered entity and the business associate, the BAA should clearly specify which policy takes precedence. Defining this ensures both parties have a shared understanding of their PHI retention obligations and helps avoid potential confusion or conflicts.


Renewal and review

The BAA should include provisions for regular reviews to ensure it stays up-to-date with any changes in HIPAA regulations or business practices. Technology and security protocols change over time, and a compliant BAA when signed may need updates to reflect new standards. Regular reviews can also help both parties identify any necessary amendments, such as updates to security protocols, breach notification procedures, or subcontractor arrangements.

Setting specific timelines for BAA reviews (for example, every two to three years) ensures the agreement remains relevant and compliant. During these reviews, both the covered entity and the business associate can discuss any changes in the services provided, potential risks, or new legal requirements that may affect the agreement.


Industry best practices

Many industry best practices recommend that BAAs remain in effect for a minimum of six years after the termination of the business relationship, as this aligns with HIPAA’s documentation retention requirements. Some organizations may choose to extend this period further to account for specific state laws or internal policies. Establishing a clear timeline for how long the BAA’s obligations extend after the contract ends helps ensure that both parties remain compliant with HIPAA regulations.


In the news

In April 2016, Raleigh Orthopaedic Clinic in North Carolina agreed to a $750,000 settlement with the Department of Health and Human Services' Office for Civil Rights (OCR) after failing to secure a BAA before sharing the PHI of 17,300 patients. The breach, reported on April 30, 2013, involved providing a vendor with X-ray films for digitization without a signed BAA, which was a violation of HIPAA’s Privacy Rule. OCR stated that obtaining BAAs is not just a formality but a necessary measure to ensure third-party vendors handle PHI appropriately. As part of the settlement, the clinic agreed to implement a corrective action plan, including policy updates, staff training, and a review of existing BAAs to address compliance gaps.


FAQs

What is the primary purpose of a business associate contract?

A business associate contract outlines the responsibilities of business associates in handling PHI and ensures compliance with HIPAA.


When is a business associate contract not required?

A BAA is not required when the person or organization’s contact with PHI is purely incidental, as HHS notes: “A business associate contract is not required...where any access to protected health information by such persons would be incidental, if at all.”


What happens if a BAA isn’t in place when needed?

Without a BAA, covered entities risk penalties, legal action, and potential loss of patient trust if a data breach occurs.


What should be included in a business associate contract?

A BAA should specify data protection measures, breach notification procedures, and conditions for termination to define each party’s responsibilities clearly.