HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

What types of organizations need BAAs?

Written by Farah Amod | Feb 14, 2025 8:46:11 PM

Cloud storage providers, billing companies, IT consultants, law firms, and marketing agencies are among the entities that need business associate agreements (BAAs) because they handle protected health information (PHI) on behalf of covered entities. Any organization that accesses, processes, or transmits PHI on behalf of a healthcare provider, health plan, or healthcare clearinghouse must sign a BAA to ensure HIPAA compliance.

 

What is a business associate?

A business associate is any individual or organization that handles protected health information (PHI) on behalf of a covered entity. Under HIPAA regulations, business associates must implement safeguards to prevent unauthorized access, breaches, or misuse of PHI.

According to the U.S. Department of Health and Human Services (HHS), the Privacy Rule requires covered entities to obtain written assurances, such as a contract or agreement, confirming that business associates will properly safeguard any PHI they receive or create.


 

Why do these organizations need BAAs?

Organizations that handle PHI on behalf of covered entities are legally required to sign BAAs. These agreements outline each party’s responsibilities in safeguarding patient data and ensuring compliance with HIPAA’s privacy and security rules. Without a BAA, both the covered entity and the business associate could face penalties for non-compliance.

 

Requirements outlined in a BAA

  • Data protection and encryption measures
  • Breach notification procedures
  • Guidelines for PHI access and use
  • Responsibilities for subcontractors handling PHI
  • Post-termination data handling requirements
  • Auditing and compliance monitoring responsibilities
  • Consequences of non-compliance and liability clauses


 

Common organizations that require BAAs

Cloud storage and IT service providers

Cloud service providers that store PHI for covered entities, such as Google Cloud, Microsoft Azure, and AWS, must have a BAA in place. Similarly, IT consultants and managed service providers who maintain electronic health records (EHRs) and healthcare systems also need BAAs. Companies offering cybersecurity or network security solutions to healthcare providers must also ensure compliance with HIPAA through a BAA.

 

Billing and coding companies

Medical billing services process patient data to manage insurance claims and payments. Because they handle PHI, they must enter into a BAA with covered entities to ensure compliance with HIPAA requirements. Medical coding services that classify and structure patient data for billing purposes also fall under this category.

 

Law firms and legal service providers

Law firms representing healthcare providers or handling cases involving PHI need BAAs. Legal professionals accessing patient records for litigation, compliance reviews, contract negotiations, or healthcare fraud investigations must follow HIPAA guidelines. Additionally, firms providing legal counsel on regulatory compliance often work with PHI and require BAAs.

 

Marketing and advertising agencies

Marketing firms that work with covered entities and use patient information for outreach, appointment reminders, or healthcare promotions must sign a BAA. HIPAA compliance is necessary when handling PHI for marketing purposes. Agencies conducting patient surveys or engagement analytics must also adhere to these rules.

 

Transcription and data processing companies

Medical transcription services that convert voice-recorded reports into written documents must sign BAAs. Similarly, data processing firms that analyze, format, or structure patient information for reporting or analytics must follow HIPAA regulations.

 

Consultants and third-party auditors

Healthcare consultants advising on compliance, data security, or operational improvements often handle PHI and require BAAs. Third-party auditors conducting HIPAA compliance assessments or reviewing medical documentation also need agreements to ensure secure data handling.


 

What happens if a BAA is not in place?

On August 4, 2016, Advocate Health Care (AHC) agreed to pay $5.55 million in the largest HIPAA settlement at the time due to multiple violations in 2013, affecting nearly 4 million patient records. The breaches included stolen desktop computers from an unsecured office, a stolen laptop containing ePHI, and failure to secure a business associate agreement (BAA) with a vendor. AHC's noncompliance stemmed from inadequate physical security, lack of encryption, and failure to formalize vendor agreements. As part of the settlement, AHC committed to addressing all HIPAA deficiencies within two years.

 

FAQs

Do all vendors working with healthcare providers need a BAA?

No. A BAA is only required if the vendor handles, processes, or stores PHI on behalf of a covered entity. Services that do not involve PHI access, such as office cleaning or general administrative support, do not need BAAs.

 

What if a business associate subcontracts services?

If a business associate hires a subcontractor to handle PHI, the subcontractor must also sign a BAA with the business associate to ensure continued compliance. The primary business associate remains responsible for ensuring its subcontractors meet HIPAA requirements.

 

Can a business associate refuse to sign a BAA?

If a business associate refuses to sign a BAA, the covered entity cannot share PHI with them, as this would violate HIPAA regulations. Without a signed agreement, the business relationship cannot legally proceed if PHI is involved.

 

How often should BAAs be reviewed?

Organizations should review BAAs every two to three years or whenever there are changes in services, regulations, or security practices. Updates should be made promptly if there are shifts in HIPAA requirements or significant business changes.
