A business associate agreement (BAA) is not required for organizations or individuals, such as janitorial services, whose functions don’t involve protected health information (PHI). HIPAA permits incidental exposure, as long as it’s a by-product of their work, minimal, and cannot be reasonably prevented.
A BAA is a contract that outlines how business associates protect PHI when working with a covered entity, like a healthcare provider. These contracts clarify what the business associate can do with PHI and their responsibilities to protect patient information.
Not every external service provider qualifies as a business associate. According to the HHS, "A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all."
For example, janitorial staff who clean a medical office may come into contact with PHI, such as seeing documents left on a desk or screen. Since the exposure is incidental and does not involve handling PHI as part of their job, HIPAA does not require a BAA with the cleaning company. In these cases, access is limited and can’t be easily prevented, making it permissible under HIPAA’s incidental use rule (45 CFR 164.502(a)(1)).
A BAA is required if a service provider will access or handle PHI as part of their work with a healthcare organization. For example, an IT company managing a healthcare provider’s electronic records or a shredding service disposing of patient records requires a BAA. These organizations handle PHI in the normal course of their work, making them business associates under HIPAA.
To determine whether a BAA is needed, consider the following:
If a business associate violates HIPAA, they may face fines, contract termination, and other penalties. Covered entities may also be held accountable for not securing PHI with proper agreements.
Yes, covered entities are subject to fines if they don’t have a BAA with vendors handling PHI, as this is considered a failure to safeguard patient information under HIPAA.
No, a BAA is not required if the data has been de-identified according to HIPAA standards, as de-identified data is no longer considered PHI.