Simplifying HIPAA agreements

Signing a business associate agreement (BAA) might seem like a routine administrative step for healthcare providers and businesses, but treating it as a mere formality can lead to compliance risks. A well-structured BAA does more than meet legal requirements—it helps ensure covered entities and business associates follow HIPAA standards. When given proper attention, it strengthens the foundation of a solid compliance program.

What is a business associate agreement (BAA)?

A business associate agreement is a legal contract that outlines how a third-party service provider must manage PHI when performing services for a healthcare organization, which is a covered entity under HIPAA. The agreement clarifies the responsibilities of both parties to safeguard patient data in compliance with the Health Insurance Portability and Accountability Act.

Business associates (BAs) can vary in type. They might include billing agencies, data analytics firms, IT support providers, or other entities handling PHI on behalf of a covered entity. The BAA specifies their obligations regarding the use, sharing, and protection of PHI.

The U.S. Department of Health and Human Services (HHS) states that “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

What must a BAA say?

HIPAA clearly defines the required elements of a BAA under 45 CFR 164.504(e), and the U.S. Department of Health and Human Services (HHS) provides sample agreements for reference. These agreements outline the minimum requirements but often require additional tailoring to address specific risks and operational needs. A valid BAA must:

  • Establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate.
  • Prohibit the business associate from using or disclosing PHI beyond what is permitted by the agreement or required by law.
  • Require the business associate to implement safeguards, including compliance with the HIPAA security rule, to protect electronic PHI from unauthorized use or disclosure.
  • Mandate that the business associate report any unauthorized use, disclosure, or breach of PHI to the covered entity.
  • Specify that the business associate will assist the covered entity with fulfilling individual rights, such as providing access to, amending, and accounting for PHI.
  • Ensure that the business associate complies with any applicable privacy rule requirements when performing duties on behalf of the covered entity.
  • Require the business associate to make its internal practices, books, and records available to HHS to determine compliance with HIPAA.
  • Include provisions for returning or securely destroying PHI upon contract termination, if feasible.
  • Ensure subcontractors that handle PHI agree to the same restrictions and conditions as the business associate.
  • Allow the covered entity to terminate the agreement if the business associate violates a material term of the contract.

These elements are non-negotiable and must be included in every BAA to meet HIPAA compliance.

What should parties consider when negotiating BAAs?

Noncompliant or nonexistent agreements

Despite clear HIPAA requirements, some parties mistakenly assume that standard confidentiality agreements or nondisclosure agreements (NDAs) are sufficient. Overlooking the need for a valid BAA can result in severe fines and penalties for HIPAA violations. Failing to execute a proper agreement constitutes an impermissible disclosure of PHI and may trigger breach notifications.

Outdated agreements

Old-form agreements may fail to reflect updated HIPAA regulations, such as those introduced by the HITECH Act and the Omnibus Rule. Agreements that predate regulatory changes often omit provisions, leaving both parties vulnerable to non-compliance. As new laws and guidance are introduced, BAAs must be regularly updated and reviewed.

Overly restrictive terms

BAAs often go beyond HIPAA’s minimum requirements, and overly restrictive provisions can hinder a business associate’s ability to perform services. For example, a BAA that excludes the business associate’s use of PHI for its own management or legal obligations can create operational challenges. Terms should strike a balance between compliance and functionality.

Unclear reporting obligations

Some BAAs transfer the covered entity’s breach reporting responsibilities to the business associate. While this delegation is allowed, it can create practical difficulties if the business associate lacks the infrastructure to meet these obligations. Parties should clearly define reporting roles and responsibilities to ensure compliance.

Unrealistic reporting timelines

Strict reporting deadlines, such as requiring notification within days of a security incident, may be unrealistic for business associates, especially if third parties are involved. Negotiating reasonable reporting timelines can help both parties fulfill their responsibilities without creating unnecessary compliance risks.

Why careful review and negotiation matter

HIPAA allows BAAs to include additional terms that are not inconsistent with the law. These terms may address:

  • Indemnification and liability
  • Injunctive relief
  • State-specific privacy laws
  • Compliance with related federal laws, such as the Cures Act and Part 2 Privacy Rules

Reviewing and negotiating BAAs thoroughly allows covered entities and business associates to ensure the agreement aligns with their operational needs while maintaining compliance. These agreements should never be treated as one-size-fits-all documents.

FAQs

What types of organizations need BAAs?

Cloud storage providers, billing companies, IT consultants, law firms, and marketing agencies are among the entities that need BAAs as they handle PHI on behalf of covered entities.

What information should be included in a BAA?

A BAA should define permitted PHI uses, security standards, breach procedures, subcontracting rules, and termination clauses. 

Do standard BAA templates suffice?

While templates can be starting points, customization to address unique risks is important. It is recommended that you consult a legal professional with HIPAA expertise. 

How long should a BAA last?

BAAs should remain effective throughout the relationship and extend beyond PHI's data retention period. 

What happens if a business associate breaches the BAA?

The BAA defines breach notification processes and potential consequences, including termination, corrective action plans, and financial penalties. 

Who needs to sign the BAA?

Authorized representatives from the covered entity and the business associate should sign the BAA.