If your organization is acknowledged as a “covered entity” by HIPAA standards, establishing BAAs becomes crucial. But what is a BAA Agreement, exactly?


A Business Associate Agreement (BAA) is a legally binding contract designed for entities operating under the Health Insurance Portability and Accountability Act (HIPAA). When a “business associate” — an individual or entity distinct from a covered entity’s workforce — provides services that grant them access to PHI, a BAA ensures that such access is governed with utmost caution.


This blog will cover everything about BAA agreements, why you need them, what to include, and how they impact data security.

Understanding the BAA Agreement

Before the introduction of the HITECH Act, Covered Entities frequently exchanged Protected Health Information (PHI) with Business Associates based merely on spoken promises of security. This approach had flaws; if a data mishap or breach occurred because of the Business Associate’s oversight, the Covered Entity could simply refer to these verbal commitments to avoid repercussions, sidestepping accountability. The Business Associate Agreement was born out of the need to seal this gap in accountability. According to section §164.504(e), the agreement’s main purposes include:
● Ensuring that Covered Entities actively oversee the actions of their Business Associates, verifying they don’t consistently break or bend HIPAA rules.
● Mandating that Covered Entities intervene and ensure appropriate actions are taken if any inconsistencies or breaches are detected with how PHI is handled.
● Granting Covered Entities the power to end the Business Associate Agreement if necessary, especially when repeated non-compliance is observed.

Scope of the BAA Agreement in Relation to PHI

The scope of business associate contracts is broad, enveloping any entity, healthcare organization, or individual that may come in direct contact with or has the potential to access PHI. The following table provides a concise overview of common interactions and whether a BAA is typically needed:

Service / Entity

Need a BAA?

Notes

Banks or other financial institutions

No
Normal banking transactions don’t require a BAA. Some specific transactions might.
Psychologists sharing office space
Not usually
Sharing of PHI should be avoided. Incidental disclosures with safeguards in place don’t require a BAA.
Shredding companies
It depends
Off-site shredding typically requires a BAA. On-site shredding under direct control may not.
IT or computer repair technicians
It depends
If the technician accesses PHI during service, a BAA is required.
Plumbers, electricians, maintenance workers
No
Services don’t require access to PHI. Incidental exposure is not a concern.
Housekeeping/maintenance crews in office
No
Work doesn’t involve PHI. Incidental disclosures don’t require a BAA.
USPS, UPS, or other delivery companies
No
They act as “conduits” and don’t require a BAA.
Cloud Storage Providers (e.g., Dropbox)
Yes
CSPs typically require a BAA even if data is encrypted.
Online Assessment Companies
It depends
Depends on specific service and if it involves PHI.
Email service providers
Yes (generally)
Considered Business Associates due to potential storage of PHI.
Attorneys providing services to the Covered Entity
Yes, if accessing PHI
BAA required if an attorney accesses PHI during services.
Court/judge during testimony
No
Judges aren’t considered Business Associates.
Online fax systems, Google Voice, VoIP platforms
It depends
Need to determine if these services store or access PHI.
Skype/VSee or video conferencing platforms
It depends
Need to assess if the platform meets HIPAA’s conduit exception or other requirements.

A Business Associate’s or Subcontractor’s missteps in adhering to these standards carry significant implications. As stated by the HHS:

“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”

When a Business Associate or Subcontractor breaches or falls short of their BAA obligations, the burden falls on the Covered Entity to address and rectify the situation.
The Covered Entity is required to make reasonable efforts to resolve the breach or halt the violation. If these efforts prove fruitless, the next step is to end the contract with the non-compliant party.

When terminating the BAA contract is not a practical solution in business associate relationships, the Covered Entity must report the security incidents to the HHS Office for Civil Rights.

Parties Involved in a BAA Agreement

1. Covered Entities

Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Examples:  
  • Healthcare providers
  • Hospitals
  • Health insurers
  • Doctors
  • Nursing homes
  • Pharmacies
  • Company health plans
Responsibilities:  
  • Safeguard PHI (Protected Health Information)
  • Establish BAAs (Business Associate Agreements) with Business Associates
  • Report breaches or violations to HHS (Department of Health & Human Services)
2. Business Associates (BA)
Organizations or persons working for or with Covered Entities that handle or process PHI.
Examples:

  • Billing companies
  • Cloud storage providers
  • EHR (Electronic Health Record) vendors
  • Lawyers
  • Medical transcription services
  • Data processing firms
  • Audit consultants
  • Third-party billing companies
  • Medical transcriptionist
Responsibilities:  
  • Comply with HIPAA rules when handling PHI
  • Enter into BAAs with Covered Entities
  • Report any PHI breaches to Covered Entities
3. Subcontractors and Downstream Business Associates
Entities hired by Business Associates to carry out functions, services, or activities involving PHI.
Examples:  
  • Shredding companies
  • IT consultants or software companies
  • Accounting firms
  • Human resource services
  • Logistics
Responsibilities:

  • Comply with the terms of BAAs signed with Business Associates
  • Safeguard the PHI they access or manage
  • Report breaches or potential risks to Business Associates

Key Elements of a BAA Agreement

Here are the key elements of a BAA agreement:

  • Identifies the Covered Entity and the Business Associate, specifying their names and signatures.
  • Describes the permitted and required uses and disclosures of PHI by the Business Associate.
  • Specifies the responsibilities of the Covered Entity and Business Associate.
  • Requires the Business Associate to use appropriate safeguards to prevent unauthorized use or disclosure of PHI beyond the contract’s provisions and the law.
  • Mandates the Business Associate to report to the Covered Entity any use or disclosure of PHI not provided for by its contract, including incidents constituting breaches of unsecured PHI.
  • Dictates that the Business Associate complies with requirements to carry out a Covered Entity’s obligations under the HIPAA Privacy Rule.
  • Details the return or destruction of all PHI at the agreement’s termination and permits the Covered Entity to terminate the BAA if the Business Associate breaches a material term.
  • Mandates that any subcontractors engaged by the Business Associate with access to PHI must adhere to the same restrictions and conditions that apply to the Business Associate.

BAA Agreement and Data Security

Data security stands as one of the most crucial aspects of any Business Associate Agreement (BAA), especially in the context of HIPAA.

Encrypting data helps prevent unauthorized access and ensures that even if data is intercepted, it remains unreadable to unauthorized individuals.

Business associates should utilize secure channels and protocols to ensure that information remains private and secure when transmitting data.
Additionally, when storing data such as medical records, one should implement stringent security measures, requiring proper authentication and authorization to access sensitive information.
Despite our best efforts, data breaches can occur. If you detect a data breach, assess its scope, notify affected parties, and collaborate with the Business Associate to rectify the situation.

BAA Agreement and Data Security

The HIPAA business associate agreement is a legally binding contract between a Covered Entity and a Business Associate.
Whereas, a Business Associate Policy is an internal document developed by the Covered Entity. It serves as a comprehensive guideline for employees and staff members on interacting with Business Associates and handling PHI when working with external entities.
Aspect

BAA

Business Associate Policy

Purpose

Legal contract for PHI handling responsibilities between entities.

Internal guide for staff interacting with Business Associates.

Scope
Services, PHI sharing, security, breach response.
Approach to selecting and working with Business Associates.
Enforcement
Legally binding with potential legal action.

Enforced internally via policies, risk assessments, and training.

Audience
Covered Entities, Business Associates.
Internal staff working with Business Associates.
Legal Requirement
Required by HIPAA.
Not strictly, but vital for HIPAA compliance.
Data Security Focus
Data protection, encryption, and legal compliance.
Employee education, PHI handling alignment.
Breach Consequences
Financial penalties for violations.
Internal discipline, breach implications

Sample Contracts for BAA Agreements

The HHS offers a sample BAA agreement, which serves as a government-standard example that aligns closely with federal guidelines
Our own BAA agreement is publicly available online and offers a comprehensive and easy-to-follow template that you can customize according to your specific needs.

Final Thoughts

Business associate agreements ensure greater accountability and data security over verbal assurances. The scope of the BAA is expansive, encompassing a wide range of entities that come into contact with PHI.

Don’t let data breaches or compliance concerns hinder your healthcare application’s potential. With MedStack, you can confidently sell your healthcare application, knowing that it adheres to the highest industry standards.

The future of secure and compliant digital healthcare is here with MedStack’s HIPAA compliance software. Your users deserve nothing less.