Who is responsible for ensuring the BAA is in place?
Tshedimoso Makhene Jan 22, 2025 5:01:49 AM
The covered entity is responsible for ensuring that a business associate agreement (BAA) is in place with any business associate who has access to protected health information (PHI).
Who is responsible for the BAA?
While both the covered entity and the business associate share responsibility for HIPAA compliance, the primary responsibility for ensuring that a BAA is in place rests with the covered entity. Here’s a breakdown of the responsibilities:
Covered entity’s responsibility
According to the HHS, “If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.” This puts the onus on the covered entity to ensure a BAA is in place before any PHI is shared with a business associate.
The responsibilities of the covered entity involve:
- Identifying business associates: The covered entity must identify all external vendors, contractors, or service providers who will have access to PHI and who perform functions such as billing, IT support, data storage, or claims processing.
- Negotiating and signing the BAA: Before sharing any PHI, the covered entity must ensure that the business associate signs the BAA.
- Monitoring compliance: After the BAA is signed, the covered entity must ensure that the business associate adheres to the agreement. Regular audits and assessments may be necessary to verify compliance.
Business associate’s responsibility
While the covered entity holds the primary responsibility, business associates also have a significant role to play:
- Complying with the BAA: Once signed, business associates must comply with the terms of the BAA, ensuring PHI is handled securely and used only for the purposes specified in the agreement.
- Implementing safeguards: The business associate must put in place the necessary technical, administrative, and physical safeguards to protect PHI from unauthorized access, use, or disclosure.
- Reporting breaches: If a data breach or security incident occurs, the business associate is responsible for promptly notifying the covered entity. Depending on the terms of the BAA, the business associate may also need to assist in investigating and mitigating the breach.
Best practices for covered entities when managing BAAs
Here are some best practices for covered entities to ensure effective management of BAAs:
- Create a list of all business associates: Regularly review and update a list of all external vendors, contractors, and service providers who might access PHI.
- Review the BAA carefully: Ensure that the BAA contains all the necessary clauses to comply with HIPAA requirements, including breach notification procedures, confidentiality agreements, and security protocols.
- Maintain documentation: Keep records of all signed BAAs for auditing and compliance purposes.
- Monitor ongoing compliance: Periodically review business associates’ practices to ensure they are following the security and privacy measures outlined in the BAA.
FAQs
What happens if a covered entity doesn’t have a BAA in place?
If a covered entity shares PHI with a business associate without a BAA, it may face HIPAA violation penalties. Both the covered entity and the business associate may be liable for compliance violations, including substantial fines and reputational damage.
What information is typically included in a BAA?
A BAA typically includes the following details:
- Scope of services and activities performed by the business associate
- Permitted uses and disclosures of PHI
- Safeguards to protect PHI
- Breach notification procedures
- Responsibilities for returning or destroying PHI at the end of the agreement
- Penalties for non-compliance
How often should a covered entity review its BAAs?
It’s good practice for covered entities to review their BAAs annually or whenever there are changes to services, regulations, or business associates. Regular reviews ensure ongoing compliance and that the BAA remains aligned with current laws and practices.