HIPAA Business Associate Agreement Requirements
Understanding when you need a business associate agreement and what it must include under HIPAA.
Article by
HIPAA Guidelines Editorial Team
A Business Associate Agreement (BAA) is a written contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of protected health information (PHI) by the business associate. The contract is required by the HIPAA Privacy Rule (45 CFR 164.504(e)) and, for electronic PHI, by the Security Rule (45 CFR 164.314(a)); the same requirement applies between a business associate and each of its subcontractors.
Who Is a Business Associate?
A business associate is a person or entity, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI to perform a function or activity on behalf of a covered entity, or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity where the service involves disclosure of PHI. Common examples include:
- IT service providers — Cloud hosting, software vendors, managed service providers
- Billing and claims processors
- Consultants and auditors who access PHI
- Legal, accounting, and actuarial services
- Data analysis and de-identification services
Two boundaries are frequently misjudged. An entity that merely transmits PHI and has only transient, incidental access to it (the postal service, a courier, an internet service provider carrying traffic) falls under the narrow "conduit" exception and is not a business associate. A cloud service provider that stores or processes PHI, by contrast, is a business associate even when the data is encrypted at rest and the provider never holds the decryption key, because maintaining the PHI is itself a business associate function.
When Is a BAA Required?
A BAA is required before a business associate creates, receives, maintains, or transmits PHI on behalf of a covered entity. It is not required for disclosures to a health care provider for the treatment of an individual, since a provider receiving PHI for treatment is not acting as a business associate. The 2013 Omnibus Rule made subcontractors that handle PHI on behalf of a business associate directly liable as business associates themselves: the business associate, not the covered entity, must execute a BAA with each such subcontractor, and the same obligation flows down to every further tier.
Required Provisions
A valid BAA must include the elements listed in 45 CFR 164.504(e)(2) and, for electronic PHI, 164.314(a)(2):
- Permitted and required uses and disclosures — Specify exactly what the BA may and must do with PHI; the BA may not be authorised to use or disclose PHI in a way the covered entity itself could not
- Prohibition on other use or disclosure — The BA may not use or further disclose PHI except as the contract permits or the law requires, including for its own purposes
- Safeguard requirements — The BA must implement appropriate safeguards and, for electronic PHI, comply with the Security Rule
- Reporting — The BA must report any use or disclosure not provided for by the contract, any security incident of which it becomes aware, and any breach of unsecured PHI; the Breach Notification Rule requires the BA to notify the covered entity without unreasonable delay and no later than 60 days after discovery, and covered entities commonly negotiate a shorter window
- Subcontractor requirements — The BA must ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees to the same restrictions and conditions
- Individual rights — The BA must make PHI available for access and amendment and provide the information needed for an accounting of disclosures, to the extent it holds PHI in a designated record set or makes disclosures that must be accounted for
- Privacy Rule obligations — Where the BA carries out a covered entity's obligation under the Privacy Rule, it must comply with the requirements that apply to the covered entity in performing that obligation
- HHS access — The BA must make its internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance
- Return or destruction of PHI — At termination of the agreement, the BA must return or destroy all PHI; where that is infeasible, it must extend the contract's protections to the retained PHI and limit further use to the purposes that make return or destruction infeasible
- Termination for cause — The covered entity must be authorised to terminate the contract if the BA violates a material term
Common Mistakes
Organisations often make these errors with BAAs:
- Failing to execute a BAA before sharing PHI
- Using outdated agreements that don't reflect current regulations
- Not extending BAAs to subcontractors
- Not reviewing and updating agreements when services change
- Assuming vendor security certifications replace the need for a BAA
Best Practices
- Maintain a comprehensive inventory of all business associates
- Review and update BAAs annually or when services change
- Verify that BAAs include all required provisions
- Conduct due diligence on BA security practices
- Monitor BA compliance through periodic assessments
Enforcement
Failure to have a proper BAA in place is a HIPAA violation that can result in significant penalties, and every disclosure of PHI to a vendor made without one is itself an impermissible disclosure. The HHS Office for Civil Rights has imposed settlements and civil money penalties specifically for BAA failures.
A well-crafted BAA protects both parties and ensures that PHI is handled appropriately throughout the chain of custody.
HIPAA Guidelines Editorial Team: The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.