Business Associate Agreement (BAA)
What is a Business Associate Agreement?
A Business Associate Agreement (BAA) is a legally binding contract between a HIPAA-covered entity (such as a healthcare provider, health plan, or clearinghouse) and a business associate (a third party that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the covered entity). Examples of business associates include vendors of patient records management software, billing companies, shredding companies, cloud storage and hosting providers, and transcription services.
The BAA outlines each party’s responsibilities for safeguarding PHI and complying with HIPAA. Disclosing PHI to a vendor without a valid BAA in place is itself a HIPAA violation, whether or not any breach follows. BAAs are therefore a prerequisite for HIPAA compliance, not an optional formality.
HIPAA Requirements for BAAs
Under the HIPAA Privacy Rule and the Security Rule, covered entities must:
- Obtain signed BAAs with all business associates before disclosing PHI.
- Ensure BAAs specify permitted uses and disclosures of PHI.
- Require Business Associates to implement administrative, physical, and technical safeguards for PHI, report breaches and security incidents to the covered entity, and make PHI available so the covered entity can honor patient rights such as access and amendment.
- Retain executed BAAs for at least six years from the date they were created or last in effect, whichever is later.
If a Business Associate delegates work to a subcontractor, the subcontractor must also sign a compliant BAA.
Why BAAs Matter
BAAs are critical not only because they extend HIPAA obligations to vendors, closing gaps in security, but also because they clarify each party’s liability in the event of a data breach. If a vendor-related breach occurs and no BAA exists, both the covered entity and the vendor may be fined for non-compliance.
Common Mistakes with BAAs
Here are some of the most common mistakes healthcare organizations make when it comes to preparing and maintaining BAAs.
- Working with vendors before a BAA is signed.
- Using template BAAs that don’t reflect actual services.
- Failing to update BAAs when regulations or services change.
- Not retaining BAAs for the required six years after they were last in effect.
Related Terms
Two Factor Authentication
End-to-End Encryption
Privacy Policy