Use our HIPAA business associate agreement to give a third-party service provider access to protected health information (PHI).
Updated January 18, 2024
Written by Sara Hostelley | Reviewed by Brooke Davis
A HIPAA business associate agreement (BAA) establishes the guidelines and responsibilities for safeguarding protected health information (PHI) when a primary health care provider or health plan needs another entity to handle the sensitive information.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements with every third-party service provider that may come into contact with protected health information.
Business associate agreements are just one aspect of HIPAA compliance, but they’re essential in ensuring business associates properly handle and safeguard PHI.
A HIPAA business associate agreement is a contract covered entities must sign with any third-party service provider (the “business associate”) that will have access to protected health information. This legally binding document ensures the business associate will:
Additionally, a business associate contract is a critical risk management tool because the covered entity and business associate can face significant penalties if they fail to comply with HIPAA regulations.
This document is essential to governing how external entities handle sensitive health information and to achieving overall HIPAA compliance.
Here’s some key terminology to know when creating a BAA:
A covered entity is any health care provider, health plan, or health care clearinghouse that must comply with HIPAA rules [1]. It can be an individual or an organization. Examples of covered entities include the following:
The CMS covered entity guidance tool can help determine if your practice must be HIPAA-compliant [2].
The HIPAA Privacy Rule defines protected health information (PHI) as all “individually identifiable health information.” [3] Through a BAA, covered entities and business associates must restrict how they use this information, which includes identifiers such as a person’s full name, address, or Social Security number.
Some medical data that falls under the categorization of PHI includes the following:
A business associate is any individual, agency, or organization with access to protected health information (PHI) to perform a service for a covered entity. They can only use or disclose PHI as their BAA describes.
Employees and contractors whom a health care provider hires solely to work for a covered entity are not business associates. Instead, they should sign a confidentiality agreement to meet HIPAA compliance requirements.
Data safeguards are controls business associates and covered entities implement to protect the PHI’s availability, integrity, and confidentiality.
With the advancement of technology and increasing reliance on digital tools in the health care industry, entities must consider factors like audit trails, encryption, access controls, cloud storage, electronic health record systems, and digital communication platforms when establishing and reviewing BAAs.
While the HIPAA Privacy Rule protects sensitive health information in any medium, the HIPAA Security Rule protects health information in electronic form [4].
The Code of Federal Regulations (CFR) outlines three main requirements that a BAA must contain [5]:
Here are the permissible uses to include in BAAs [6]:
Here are some obligations a business associate must fulfill:
BAAs can terminate on an established end date or for cause if the business associate violates a term.
Once the agreement terminates, a business associate has the following obligations:
Explore some examples of BAA failures so you can better understand this document’s purpose:
Some covered entities will insist that every contractor enters into a BAA even when it is unnecessary. For example, two covered entities may enter into a BAA with each other even though none is required because both are already subject to HIPAA. A covered entity may also ask a contractor to sign a BAA even if the contractor has no access to PHI, which wastes time and resources.
Simply having a business associate sign a BAA doesn’t guarantee HIPAA compliance. Some covered entities won’t follow through with their due diligence obligations, like auditing business associates, because they assume automatic compliance by completing a BAA.
Even if you don’t directly disclose PHI to an entity, it might still pass through their systems electronically. If you don’t implement a BAA, you could violate HIPAA as a covered entity.
While encryption is an important safeguard for protecting PHI, you must also implement physical and administrative safeguards to ensure HIPAA compliance.
Explore the differences between a business associate and a subcontractor under HIPAA:
Explore what a business associate is below:
A business associate is an individual or entity that provides services to or performs specific activities or functions on behalf of a covered entity.
Examples of business associates include:
Here are some specific requirements for a business associate:
Explore what a subcontractor is and how they differ from a business associate:
A subcontractor is an organization or individual that can access PHI when providing a service for a business associate.
The subcontractor has no contact with a covered entity but must sign a business associate subcontractor agreement (BASA) with the business associate to comply with HIPAA.
Common examples of business associate subcontractors are:
Here are the specific requirements a subcontractor must meet:
Just as a covered entity and a business associate must enter into a BAA, a business associate and a subcontractor must enter into a similar agreement.
If a business associate operating under a BAA mishandles PHI or otherwise violates the agreement, the covered entity must take steps to cure the breach, end the violation, or terminate the contract with the business associate to avoid being held liable under HIPAA.
Business associates must follow the BAA’s guidelines for notifying the covered entity of a breach and may also have to inform affected individuals.
Depending on the severity of the HIPAA violation, the perpetrator may face penalties like fines or jail time. For example, in 2016, Care New England Health System (CNE) had to undergo a comprehensive corrective action plan and pay $400,000 to settle potential HIPAA violations [7].
Provide the name of the covered health care provider (or health care plan/clearinghouse) and the business associate. List each party’s address. Include the date you’re entering the agreement.
Specify that the business associate will gain access to PHI so it can help the covered entity complete its health care activities. Clarify that the information is not for the business associate’s independent use. Include optional activities/obligations, such as handling disclosure requests, amendments, and access requests.
List the permitted uses and disclosures by the associate. Include any customizations, as you may want to specify unique purposes.
State if the agreement terminates on a certain date or if the covered entity can terminate it for a specific cause. Clarify if the business associate has time to cure the breach or end the violation before termination.
Obtain both parties’ signatures and write their titles.