What is a HIPAA business associate agreement (BAA)?

A HIPAA business associate agreement (BAA) is a written contract between a covered entity and a business associate that governs the use and disclosure of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that is subject to the HIPAA Privacy and Security Rules. A business associate is a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, such as a third-party billing company, IT or cloud service provider, or medical transcription company. A subcontractor that handles PHI on behalf of a business associate is itself a business associate, and a service provider that stores PHI is a business associate even if the data is encrypted and the provider never views it.

The BAA specifies the permitted uses and disclosures of PHI by the business associate, as well as the business associate's obligations with respect to protecting the privacy and security of PHI. At a minimum, the BAA must include provisions covering:

  • Administrative, physical, and technical safeguards for protecting PHI, such as encryption and access controls
  • Reporting to the covered entity of security incidents and breaches of unsecured PHI (the Breach Notification Rule allows at most 60 days from discovery for that notice; many BAAs require a shorter window)
  • Restrictions on the use and disclosure of PHI to what the BAA permits or the law requires
  • Flow-down of the same restrictions and safeguards to any subcontractor that handles the PHI
  • Compliance with applicable HIPAA requirements and other laws and regulations
  • Termination of the BAA and the return or destruction of PHI, or extended protections where neither is feasible

Under HIPAA regulations, covered entities are required to enter into written BAAs with their business associates before any PHI is shared with the business associate, and business associates must do the same with their subcontractors. The BAA must be carefully drafted to ensure that both parties understand their obligations under HIPAA and are in compliance with the law.

Failure to have a BAA in place with a business associate makes every disclosure of PHI to that associate an impermissible disclosure, which can result in significant civil money penalties from the HHS Office for Civil Rights, as well as damage to an organization's reputation. Therefore, it is important for covered entities to establish and maintain effective BAAs with their business associates to protect the privacy and security of PHI.