What is a HIPAA Business Associate Agreement (BAA)?

Keeping data safe is a fundamental priority for everybody who works with data today, and in healthcare even more so. Providers handle patients’ most sensitive personal information, and violating or failing to comply with applicable laws, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), can cost a company hefty fines. Recent industry estimates put the average cost of a healthcare data breach at over $10 million, not counting the lasting damage to a company's reputation.

To ensure that medical practices and all their external vendors understand these risks and follow best practices regarding data security, a contract called a business associate agreement is put in place.

Key takeaways

  • Data security in healthcare is essential for protecting patients’ sensitive information and avoiding costly penalties due to data breaches.
  • A Business Associate (BA) is a person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA covered entity. Since the 2013 Omnibus Rule, a BA is directly liable under HIPAA for safeguarding that PHI, not only liable under its contract.
  • A Business Associate Agreement (BAA) is a written contract between a covered entity and any business that handles its PHI.
  • Anyone who works with PHI on a covered entity’s behalf must sign a BAA, including contractors and their subcontractors.
  • Certain BAA exceptions exist, such as disclosures between healthcare providers for treatment (for example, a physician sending PHI to a laboratory for testing).
  • To create a BAA, you’ll need to review your vendors, gather the correct data, create the BAA, onboard the vendor, and review the BAA as necessary in the future.

What is a Business Associate?

A Business Associate is an organization or individual that is not part of a covered entity’s workforce but creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Covered entities are healthcare providers (such as a doctor or hospital), health plans, and healthcare clearinghouses. For example, an accounting firm that needs access to patient billing records to provide financial services to a dentist is a business associate.

Since business associates have access to patient medical records and other sensitive data, such as a patient’s name and address or records of their health conditions, HIPAA requires the covered entity to obtain satisfactory assurances, in the form of a signed business associate agreement (BAA), that the business associate will safeguard that protected health information (PHI).

Any covered entity that shares PHI with vendors, contractors, or subcontractors without a BAA in place risks severe penalties from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).

What is a business associate agreement?

A business associate agreement, or BAA, is a contract between a HIPAA-covered entity and a business associate that lays out each party’s responsibility for handling protected health information. Under HIPAA, a covered entity may only disclose PHI to a business associate once that business associate has given written assurance that it will use and protect the PHI according to the terms agreed upon in the contract.

A business associate agreement typically includes the following details to protect PHI (several of these are mandatory contract elements under the HIPAA Privacy Rule):

  • A description of how the business associate is required and permitted to use and disclose PHI
  • The safeguards the BA must maintain to ensure the data is only used as specified
  • How the BA will report a security incident or breach to the covered entity, including one caused by the BA’s subcontractors
  • A requirement that the BA’s subcontractors agree in writing to the same restrictions and conditions
  • The procedure for returning or destroying PHI when the agreement ends
  • A requirement that the BA make its internal practices, books, and records available to HHS on request
  • The covered entity’s right to terminate the agreement if the BA materially violates its terms

Compliance specialists strongly advise covered entities to get their business associate agreements vetted by a professional to ensure the contract covers everything necessary to mitigate a PHI security breach.

Another important note with these contracts is that business associates must sign a BAA with any of their subcontractors who work with PHI, so that every party in the chain is aware of the regulations and bound to abide by them. If the whole ecosystem is not committed and contractually obligated to keep the data secure, the risk of negligence, mishandling, or undetected breaches increases.

HIPAA business associate examples

Today, most businesses, including those in healthcare, get help from other businesses to fulfill their services. In this regard, covered entities share their sensitive data with business associates, and business associates share that data with their business partners or subcontractors in turn. As a result, protected health data is distributed and used by a much broader ecosystem than merely the covered entity, pushing up the security risk the more people handle or transmit the data.

Since business associates include any company or individual that works with a covered entity’s PHI, examples of BAs include:

  • Cloud service providers
  • Outsourced IT services
  • Software-as-a-Service providers
  • Third-party administrators that assist with claims processing for a health plan
  • Third-party PHI disposal services, including a shredding service
  • Accountants
  • Attorneys
  • Consultants who perform utilization reviews for medical providers
  • Medical equipment manufacturers
  • A healthcare clearinghouse or health information organization that translates claims into standard formats on behalf of a provider
  • A freelance medical transcriptionist that works with a physician or other healthcare organization
  • A pharmacy benefits manager that administers a health plan’s pharmacist network

However, it’s important to note that these providers only become business associates if they actually create, receive, maintain, or transmit PHI on a covered entity’s behalf; a vendor whose work never touches PHI does not need a BAA.

Who needs a HIPAA business associate agreement?

The BAA is entered into between the covered entity and the business associate. Along with the covered entity, anyone who works with their protected health information needs to complete a business associate agreement. This includes contractors and their subcontractors, plus any freelancers and consultants that handle PHI.

BAA exceptions

In some instances, there are exceptions to HIPAA business associate agreements. Companies that are merely a conduit for PHI, like the Postal Service, a courier such as FedEx, or an internet service provider that only transmits ePHI, are one of those exceptions. The conduit exception is narrow: it covers transmission services that have, at most, transient and incidental access to the data in transit and that do not store it. It does not extend to cloud storage or hosting providers that hold PHI at rest; HHS guidance is that such a provider is a business associate even if the data is encrypted and the provider never holds the decryption key.

Other BAA exceptions include:

  • Disclosures by a covered entity to another healthcare provider for treatment of the patient, for example when a covered entity refers a patient to a specialist and shares the patient’s medical records
  • Disclosures to a laboratory for the purpose of testing and treating the patient
  • A group health plan’s disclosure of PHI to a plan sponsor, such as an employer, subject to the Privacy Rule’s conditions on such disclosures

How to create a business associate agreement

Here are a few basic steps you can follow to create a BAA for the organizations or individuals you share PHI with.


1. Review potential vendors

Covered entities need to vet potential vendors to ensure they have the right policies, procedures, and technology in place to safeguard all PHI they will handle. A technical review of their systems and security controls is a key component: whether they have a designated security officer, whether they have performed the risk analysis the HIPAA Security Rule requires, what PHI training their workforce receives, how access to PHI is controlled and logged, and whether they have a tested incident response plan.

This is an important step for health plans and other covered entities, as they’re putting highly sensitive data in the hands of their chosen vendor. They need to trust the BA will securely handle PHI to prevent any security risks or liability backlash.

2. Gather data for the contract

Include basic information, such as the names of all parties, the date, and their role in the business associate contract.

Typically, a BAA also states what information the agreement covers, which uses and disclosures of PHI are permitted and which are prohibited, the procedure for destroying or returning PHI at the end of the relationship, and the consequences of any breach of confidential data.

3. Create the business associate agreement

After you’ve gathered all the info for the BAA, then your team can draft the contract. Some companies choose to use BAA templates to fast-track the process. However, this may not be suitable for all BA relationships as some may be more complex and require additional specifications and rules.

Once the agreement is ready, have the contract reviewed by a lawyer or consulting firm that specializes in healthcare security and understands HIPAA thoroughly. HHS publishes sample business associate agreement provisions that can serve as a baseline, but they are a starting point rather than a finished contract.

4. Onboard the vendor

Next, make sure that vendor or contractor training is in place to facilitate onboarding. All stakeholders should know the HIPAA rules, how to manage PHI, and the consequences of non-compliance. Onboarding also includes provisioning the BA’s access so that it is limited to the minimum PHI necessary for the work, confirming that the access controls and audit logging around that data are in place, and having a process to revoke that access when the engagement ends. Consider using a cross-functional team, including information security, compliance, and legal, to develop and streamline your vendor onboarding process.

5. Reassess vendors regularly

It’s important for covered entities to continually reassess the security of their vendors in relation to PHI, reconfirming their HIPAA compliance. For example, a technical review would be a good idea if a business associate has recently merged with another company, suffered a security incident, or changed its infrastructure model from on-premises to cloud.

While reassessing vendors' security annually is highly recommended, renewing the actual BAA each time may not be necessary, as these agreements remain in force until terminated (if no termination date is stipulated). The BAA does need to be amended, however, when the services or PHI flows change materially or when the regulations change, as happened with the 2013 Omnibus Rule.

The consequences for business associates that violate HIPAA regulations

Violating HIPAA regulations, such as the HIPAA Security Rule, can result in substantial civil money penalties. Penalties are tiered by the level of culpability, from unknowing violations up to willful neglect that is not corrected, and are capped per calendar year for each violated provision (the statutory cap of $1.5 million is adjusted upward annually for inflation). Knowingly obtaining or disclosing PHI in violation of HIPAA can also carry criminal penalties. Basically, any instance where a covered entity or business associate doesn’t safeguard PHI as the rules require is considered a violation.

For example, if a covered entity fails to put a business associate agreement in place when it takes on a new consultant who works with its PHI, it risks being fined by HHS, and the consultant, as a business associate, can be held directly liable for its own violations as well.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.