What is a HIPAA Business Associate Agreement: Why Your Organization Needs a BAA

One of the most important regulations in healthcare is the US Health Insurance Portability and Accountability Act (HIPAA). Within that are Business Associate Agreements (BAAs) between healthcare organizations and professionals and third-party suppliers, vendors, and non-medical professionals.


Business Associate Agreements, and the practices that "Business Associates" put in place under them, must align with HIPAA regulations to safeguard sensitive patient data. They apply whenever non-medical organizations and vendors work with "Covered Entities" (CEs).

HIPAA Covered Entities cannot afford to risk patient data with a Business Associate that is incapable of protecting it.

But what exactly are Business Associate Agreements (BAA)? Why are they fundamental to ensuring HIPAA compliance between businesses operating under HIPAA? This article explains HIPAA BAAs and underscores their significant role in the healthcare sector.

What are Business Associate Agreements (BAAs)?

A Business Associate Agreement (BAA) is a legally binding contract that stipulates the obligations and responsibilities of a partner or third-party supplier who processes, manages, or has access to confidential health data. They regulate the relationships between HIPAA Covered Entities and third-party providers, vendors, contractors, and other self-employed professionals.

These Agreements should document exactly what steps the Business Associate will proactively take to protect patient data they collect, store, process, or analyze in some way on behalf of the healthcare organization they're working with.

Examples might be:

  • Protecting Protected Health Information (PHI) with automatic log-offs when employees step away from their computers
  • The level of encryption required when sharing data

BAAs should list other practical processes for safeguarding patient data and sensitive information. This applies whether or not patients can be identified in the data an organization stores for healthcare providers.

How do Business Associate Agreements Relate to HIPAA Compliance?

Business Associate Agreements (BAAs) establish a contractual relationship between healthcare professionals, organizations, and third parties that are part of the healthcare supply chain, such as software vendors.

Under HIPAA, there are two types of organizations. First are those that directly collect and handle patient data, usually involved in patient care, known as "Covered Entities".

Then, there are organizations not involved in patient care that work with those companies and professionals. These organizations can be businesses, independent contractors, professionals, etc. Their work usually gives them access to patient data, which makes them "Business Associates" under HIPAA, and therefore a BAA is required.

What is a Covered Entity?

A "Covered Entity" (CE) under HIPAA is any organization or medical professional that treats patients or is directly connected to them. A Covered Entity can be as large as a whole network of hospitals and healthcare providers under one umbrella organization, or as small as a solo-practicing doctor, dentist, or psychologist.

Whether your organization is a Covered Entity or a Business Associate, HIPAA compliance is mandatory if you handle PHI. It's that simple. It is not the responsibility of a Covered Entity to ensure that a Business Associate it works with is compliant. However, if the Business Associate fails to comply, it will almost certainly end the business relationship.

What are Business Associates?

A "Business Associate" is a non-medical company that handles, stores, or processes patient data, known under HIPAA as Protected Health Information (PHI).

According to the Department of Health and Human Services (HHS), a business associate is:

"A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate (BA) also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another BA."

In order for that contractual relationship to be compliant under HIPAA, a BAA is required.

List of Business Associate Organizations and Professionals

Business Associates include (but are not limited to):

  • Software providers (SaaS) with healthcare clients
  • Hardware and cloud service providers with healthcare clients
  • Data storage providers
  • EHR providers
  • Document shredding services
  • IT and ITSM service vendors
  • Medical billing and payment processing companies
  • Insurance providers
  • Attorneys with patients who are clients
  • Attorneys with healthcare sector clients
  • CPA and other businesses with access to PHI under HIPAA

This is a non-exhaustive list, as other vendors in the supply chain might also need BAA legal coverage. Hospital cleaning companies, food suppliers, and suppliers of essential medical and non-medical products, for example, could, for the sake of legal compliance, require Business Associate Agreements.

Regardless of the list above, any organization that handles patient data in any format could not operate in the healthcare sector without a BAA. This is because the risk of data breaches or mismanagement can have serious repercussions for all parties involved.

Why Are BAAs Important for Healthcare Businesses or Organizations with Healthcare Customers?

The significance of a BAA in the healthcare industry lies in the fact that it enables timely, compliant, and workable data management between the parties.

When HIPAA Covered Entities engage third-party service providers that interact with patient data, those providers are legally deemed "Business Associates" under HIPAA regulations. In almost every case, these Business Associates must hold BAAs, both to maintain HIPAA compliance for their own operations and to sustain a business relationship with a Covered Entity.

How/Where to Get a Business Associate Agreement?

If you need a BAA quickly and do not want to pay expensive legal fees to have one drafted, you might be able to find a template online you can modify. However, in most cases, a Covered Entity will have BAAs that are compliant with every aspect of HIPAA ready for third parties.

It is worth having your own lawyers or in-house counsel check the contract and ensure compliance is already strong on your side to avoid any problems in the future.

If you have never signed a BAA before, make sure your processes and systems are already HIPAA compliant before entering into a BAA contract. Alternatively, have lawyers prepare a version you can present to a Covered Entity client at the due diligence stage.

Once everything has been agreed upon, you can work with healthcare providers without worrying about ending up on the HHS Breach Portal, also known as the HIPAA compliance "Wall of Shame."

Giva HIPAA-Compliant Cloud Help Desk Software

Giva's HIPAA-compliant cloud help desk software protects electronic health & medical records. Discover how Giva exceeds the key elements of HIPAA compliance.

Learn more about HIPAA compliance from our HIPAA Resource Center.