Between juggling schedules, providing care, and managing day-to-day operations, a great deal goes into running a healthcare organization.

Luckily, there are third-party vendors that can help relieve some of the burden from your team to let them focus on what’s most important. But using third-party organizations and tools often means sharing protected health information, or PHI.

So how do you safely use tools and resources while maintaining HIPAA compliance? 

The answer’s simple: Business Associate Agreements. 

Business Associate Agreements (BAAs) are a type of contract mandated by HIPAA to protect PHI when shared with a third party. 

Sometimes referred to as Business Associate Contracts, effective BAAs are a crucial part of becoming HIPAA compliant.

Below, we dig into why you need BAAs and how to create them.

What is a business associate?

A business associate is any individual, vendor, or organization that comes into contact with a healthcare organization's PHI. Business associates work with covered entities to perform services such as storing and processing PHI. 

Because a business associate handles PHI, it is just as responsible for protecting patient health care data as a covered entity. 

Examples of business associates include: 

  • Accountants
  • Administrators
  • Billing companies
  • Cloud storage services
  • Lawyers
  • IT personnel
  • Attorneys
  • Data and document storage services
  • Data transmission services
  • Web hosting organizations
  • Paper shredding companies
  • Consultants and auditors
  • Medical transcription services

What is a business associate agreement?

If a covered entity outsources the handling of PHI to a third party, HIPAA requires that those third parties provide assurances that they will protect PHI. To prove this, a business associate must enter into a BAA with the covered entity. 

A BAA is a legally binding agreement between a covered entity and a business associate that ensures the protection of PHI. These agreements are mandated by the HIPAA Security Rule.

The agreement must clearly define what a third party can and can’t do with PHI, as well as the consequences for noncompliance with the agreement.

Both covered entities and business associates benefit from entering into a BAA. These agreements remove the guesswork of how to handle PHI.

Who needs a business associate agreement?

Any business associate that handles PHI for a covered entity needs to complete a BAA. BAAs are also required if a business associate uses a subcontractor that will handle the PHI shared by a covered entity. 

A covered entity’s internet service providers and courier service partners are not considered business associates and do not need to complete a BAA. 

A covered entity’s employees are also not considered business associates. However, employees working for a covered entity still fall under the jurisdiction of HIPAA. This means the covered entity must provide HIPAA training for all employees on the proper handling and protection of PHI. 

We always recommend clarifying any specifics with your legal department to ensure your BAAs cover all necessary topics.

What should a BAA include?

HIPAA outlines a few essential topics to cover within a BAA. 

  • Permitted uses of PHI
  • Safeguards to prevent PHI use or disclosure violations
  • Compliance with the HIPAA Security Rule
  • Reporting of unauthorized uses and disclosures
  • Agreements with subcontractors
  • Who can access PHI
  • Amendments to PHI
  • Delegation of the covered entity’s duties
  • Records available to the Secretary of the HHS
  • Processes to return or destroy PHI at termination
  • Termination provisions

Business associate agreement template

We’ve created a business associate agreement example to help you as you create your own.

Remember that there’s more to creating a BAA than filling in the blanks. Use this template as a starting point and customize it as needed to fit your agreement. 

What happens when a business associate agreement is violated?

When a BAA is violated, the covered entity must take steps to address the breach or end the violation caused by a business associate. If these steps are unsuccessful, the covered entity must terminate the contract to safeguard PHI. 

Even if a breach is caused by a business associate, both parties share the responsibility to address the breach. Those responsibilities may include:

  • Reporting the breach to the HHS
  • Notifying the affected individuals by first-class mail
  • Notifying the media (if more than 500 individuals are affected)
  • Providing information to affected individuals who have questions about the breach

What happens if there’s not a BAA in place?

The U.S. Department of Health and Human Services (HHS) has the right to audit covered entities, business associates, and subcontractors at any time. 

If the HHS discovers a business to be noncompliant with HIPAA, that business may face legal and financial consequences. 

If there’s no BAA in place, both parties may find themselves on the hook for HIPAA penalties — not just the business that caused the violation. 

For this reason, BAAs are critical not only for ensuring all third parties handle PHI safely, but also for protecting your own organization from HIPAA violations.

Examples of business associate agreement failures

Common BAA failures on the part of business associates include:

  • Failure to comply with the requirements of the HIPAA Security Rule
  • Failure to provide breach notification to a covered entity or another business associate
  • Impermissible uses and disclosures of PHI
  • Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
  • Failure to provide an accounting of disclosures
  • Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf 
  • Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement

Penalties for HIPAA business associate agreement failures

As mentioned, failure to create and comply with BAAs can result in legal and financial consequences. 

HIPAA noncompliance falls into two categories of penalties: civil and criminal. The penalties can include fines, corrective action plans, or even jail time.

HIPAA penalties range in severity based on the nature of the offense and the knowledge the offender had of the violation.

How Secureframe can help you create and maintain business associate agreements 

Business associate agreements serve as a line of defense that protects not only patient information but also your organizational liability. 

There are many factors to consider when creating ironclad BAAs. Our team of experts is well-versed in creating BAAs that satisfy the rigorous requirements of HIPAA.

To find out how Secureframe can streamline your HIPAA compliance, request a demo with our team today. 

Business associate agreement FAQ

What is a HIPAA Business Associate Agreement?

A HIPAA Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity and a business associate (or between two business associates) that outlines the protective measures that must be put in place to safeguard Protected Health Information (PHI) under HIPAA regulations.

The BAA must specify the permitted and required uses of PHI by the business associate, ensure that the business associate will not use or disclose the PHI other than as permitted or required by the contract or as required by law, and require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information.

How often do business associate agreements need to be renewed?

A BAA lasts for as long as the vendor contract between the covered entity and business associate lasts. These agreements do not need to be signed on a recurring basis and are effectively evergreen documents. 

However, it’s considered best practice to review BAAs on a regular schedule to make sure information is current and up to date with any changes to HIPAA or state laws.

When adjustments are made to the use or disclosure of PHI for business associates, be sure to have both parties sign and date to acknowledge the update. 

If, as a Business Associate, I share ePHI with other companies, do I need to sign an agreement with them?

Yes, business associates are required to enter an agreement with any subcontractor that will create, maintain, transmit, or receive PHI from the business associate. These agreements are known as subcontractor BAAs. 

HIPAA requires business associates to ensure that any subcontractor with access to PHI agrees and adheres to the same restrictions and conditions outlined in the original covered entity/business associate agreement.

What is the difference between a BAA and a NDA?

A BAA is a legally binding agreement that a HIPAA-covered entity and business associate must enter into to protect PHI. It is mandated by the HIPAA Security Rule. An NDA is also a legally binding agreement — however, it is not required by HIPAA and it is not entered into to ensure the protection of PHI. This type of agreement can be made between many types of entities and individuals in order to ensure the signer keeps certain information confidential.

Who needs a Business Associate Agreement?

A Business Associate Agreement is required between a HIPAA-covered entity (like healthcare providers, health plans, and healthcare clearinghouses) and a business associate. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI.

If a business associate subcontracts with another entity to perform work that involves PHI, a BAA is also required between the business associate and the subcontractor.