What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.

Understanding HIPAA and PHI

According to NCBI, "Protected health information breaches have impacted over 176 million patients in the United States from 2009 to 2020. Most of these breaches have occurred due to the carelessness of employees and failure to comply with HIPAA rules versus external hackers." HIPAA establishes national standards for the protection of PHI, which includes any information about health status, provision of healthcare, or payment for healthcare that can be linked to an individual. Covered entities and business associates must adhere to these regulations to ensure patient privacy and data security.

Who is considered a business associate?

HIPAA defines business associates as individuals or entities that perform or assist in performing activities involving using or disclosing PHI. This includes claims processing, data analysis, quality assurance reviews, and more.

Employees of covered entities, internet service providers, and courier service partners are not considered business associates. However, a covered entity can be a business associate of another covered entity.

Read more: What does it mean to be a business associate? 

Why are business associate agreements necessary?

Business associate agreements are necessary because they maintain HIPAA compliance for covered entities. These agreements outline the permissible and impermissible uses of PHI, establish each party's liabilities, and specify the consequences of non-compliance. 

According to HIPAA regulations, only certain entities are considered covered entities and are required to establish business associate agreements. These include health plans, healthcare clearinghouses, healthcare providers, hybrid entities, and other entities involved in healthcare services, care, or supplies.

Furthermore, the HIPAA Privacy Rule Summary states that "when a covered entity uses a contractor or other non-workforce member to perform 'business associate' services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement."

Read also: How to know if you’re a covered entity 

Creating a business associate agreement

When creating a business associate agreement, it is important to include certain key elements to ensure its effectiveness and compliance with HIPAA regulations.

Basic information

  • Date: Include the date at the top and bottom of the agreement to indicate when it was created and signed.
  • Names of the parties: Clearly state the full legal names of the covered entity and the business associate.
  • Acceptance: Determine how the parties will indicate their acceptance of the terms, such as traditional eSignatures.

Business associate agreement-specific requirements

After including the basic information, the agreement should address specific requirements related to HIPAA compliance.

  • Acknowledgment: Clearly explain the relevance of HIPAA to the business relationship and the liability of both parties.
  • Nature of PHI involved: Outline the specific types of PHI that the business associate and its subcontractors may access.
  • Permissible vs. impermissible: Define what constitutes permissible and impermissible uses of PHI based on relevant case law, rules, and legislation.
  • Liability and consequences: Clearly state the responsibilities and potential consequences for both parties in the event of a breach of PHI.
  • Safeguards and compliance: Require the business associate to implement appropriate technical, physical, and administrative safeguards to protect the integrity, confidentiality, and availability of PHI.
  • Employee HIPAA training: Establish a protocol for employee HIPAA training to ensure that both parties' employees and subcontractors understand their obligations in safeguarding PHI.
  • Data breach procedures: Outline the procedures to be followed in the event of a data breach, including steps to mitigate harm and prevent further unauthorized access to PHI.
  • PHI return and destruction: Describe the process for returning or destroying PHI when requested.

Related: Business associate agreement provisions 

FAQs

What types of organizations need BAAs?

Cloud storage providers, billing companies, IT consultants, law firms, and marketing agencies are among the entities that need BAAs as they handle PHI on behalf of covered entities.

What information should be included in a BAA?

A BAA should define permitted PHI uses, security standards, breach procedures, subcontracting rules, and termination clauses. 

Do standard BAA templates suffice?

While templates can be starting points, customization to address unique risks is important. Consulting a legal professional with HIPAA expertise is recommended. 

How long should a BAA last?

BAAs should remain effective throughout the relationship and extend beyond PHI's data retention period. 

What happens if a business associate breaches the BAA?

The BAA defines breach notification processes and potential consequences, including termination, corrective action plans, and financial penalties. 

Who needs to sign the BAA?

Authorized representatives from the covered entity and the business associate should sign the BAA.

See also: HIPAA Compliant Email: The Definitive Guide