Reviewing your BAA

Reviewing a business associate agreement (BAA) involves ensuring the agreement continues to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations and protects both the covered entity and the business associate.

Purpose of a BAA

A BAA is a legal agreement between a covered entity and a business associate that outlines how protected health information (PHI) will be handled, safeguarded, and used. Its primary goal is to ensure that the business associate complies with HIPAA regulations. According to the HHS, “The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.”

Go deeper: What is the purpose of a business associate agreement?

Why review your BAAs?

Reviewing BAAs ensures continued compliance with HIPAA regulations, protects sensitive PHI, and mitigates legal, financial, and reputational risks. Regular reviews help align BAAs with evolving laws, clarify roles and responsibilities, and address changes in services or relationships. They also enhance data security, establish accountability, and ensure subcontractor compliance. By proactively identifying risks and maintaining robust agreements, organizations safeguard PHI, prevent breaches, and uphold trust and reputation in the healthcare industry.

Review checklist

Verify key definitions

  • Business associate: Ensure the agreement clearly defines who the business associate is and what services they provide.
  • Protected health information (PHI): Confirm the scope of PHI covered by the agreement, including electronic PHI (ePHI).

Review the core HIPAA obligations

The BAA must include:

  • Permitted uses and disclosures: Define how the business associate can use or disclose PHI.
  • Safeguards: Ensure the business associate commits to implementing appropriate administrative, physical, and technical safeguards for PHI.
  • Subcontractor agreements: Require the business associate to ensure subcontractors comply with the same HIPAA obligations.
  • Reporting of breaches: Specify the business associate’s obligation to report breaches, security incidents, or unauthorized disclosures of PHI promptly.

Assess data security provisions

Ensure the BAA includes:

  • HIPAA Security Rule compliance: The business associate must comply with standards for ePHI protection.
  • Data encryption: Confirm whether encryption is required for data storage and transmission.
  • Breach notification timelines: Check the timeliness and process for notifying the covered entity of a breach.

Confirm the termination provisions

  • Termination for breach: The agreement should allow termination if the business associate violates its obligations.
  • Return or destruction of PHI: Upon termination, the business associate must return or destroy all PHI, unless infeasible, in which case the agreement should specify protections.

Verify liability and indemnification

  • Check if the agreement specifies liability for breaches or noncompliance.
  • Review indemnification clauses to see how financial responsibility for breaches or HIPAA violations is allocated.

Ensure compliance with state laws

  • Some states have stricter privacy laws than HIPAA. Verify that the BAA accounts for applicable state requirements.

Evaluate the responsibilities of both parties

Ensure both the covered entity and the business associate have clear, actionable responsibilities, such as:

  • Providing necessary PHI to the business associate.
  • Ensuring the covered entity monitors the business associate’s compliance as needed.

Confirm the agreement includes the required language

The BAA should include:

  • A clause that the business associate will mitigate the harmful effects of a violation.
  • Prohibition on using PHI for marketing or sale without consent.
  • A statement that the business associate is directly liable for HIPAA violations.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

When should you review your BAAs?

  • Before entering into a new agreement with a business associate
  • When regulations or privacy laws are updated
  • If the scope of work or relationship with the business associate changes
  • Periodically, as part of routine compliance audits (e.g., annually)

Who is responsible for reviewing a BAA?

The covered entity is primarily responsible for ensuring a BAA is in place and compliant. Legal teams, compliance officers, and privacy specialists often assist in the review process.

Where can you find resources for drafting or reviewing BAAs?

You can consult:

  • HIPAA guidelines from the Department of Health and Human Services (HHS).
  • Legal counsel or HIPAA compliance specialists.
  • Templates and resources from healthcare compliance organizations.