Updated on May 24th, 2023
A business associate agreement (BAA) is a contract between a covered entity and a business associate before activities that involve the disclosure of protected health information (PHI). It is a requirement under the Health Insurance Portability and Accountability Act (HIPAA) to protect the security of individuals’ health information.
A business associate agreement must be signed before a business associate can receive, maintain, create, or transmit PHI on a covered entity’s behalf. (45 CFR 164.502(e)(2))
A business associate agreement outlines the obligations of an individual or company that will be accessing a covered entity’s PHI which includes:
- Safeguards. Implementing proper measures to minimize a security breach or unwanted disclosure of PHI. (45 CFR 164.306 and 45 CFR 164.308)
- Compliance with HIPAA Security Rule. To provide administrative safeguards, physical safeguards, and technical safeguards. (45 CFR 164.306 – 318)
- Accessibility. To allow patients to obtain, add, or amend their medical records and information. (45 CFR 164.524)
- Reporting. In a breach, the business associate agrees to report all its details to the covered entity. (45 CFR 164.410)
- Subcontractors. Any subcontractors used by the business associate that obtain access to PHI must also agree to the same rules and regulations. (45 CFR 164.502(e)(1)(ii) and 45 CFR 164.308(b)(2))
What is a Business Associate?
In the context of HIPAA, a business associate is a contractor, business entity, or service provider performing certain covered entity functions involving the disclosure of PHI.
If any of the following obtain access to PHI, they are considered a business associate:
- Accountants. Bookkeepers or CPAs hired to assist with a covered entity’s finances and tax records.
- Attorneys and law firms. Legal counsel hired by a covered entity for consultation or representation.
- Billing companies. Any 3rd party used to assist with the coding and billing of specific patients.
- Claims processing companies. For any company, other than insurance, that assists the covered entity in processing claims.
- Consultants. A 3rd party hired to assist with an audit, compliance, or other services.
- Contractors. Individuals hired on a short or long-term basis to provide services.
- Data or IT storage providers. Hosting, server companies, or EHR vendors.
- Subcontractors. Similar to contractors, although they sign a separate subcontractor agreement with the contractor (not with the covered entity).
NOT a Business Associate
- Employees, interns, and volunteers. They would, however, need to sign a confidentiality agreement.
- Financial institutions. Banks, credit unions, and credit card companies that process payments and do not include medical information during the billing process.
- Healthcare providers. Other healthcare providers that work with the covered entity, such as doctors, nurses, pharmacists, hospitals, etc.
- Insurance companies. They are considered a covered entity and specifically are not considered a business associate under HIPAA.
- Postal companies. USPS, FedEx, UPS, and any other postal company that handles medical records for delivery.
- Property staff. If a medical office is located in an office complex with cleaners and janitors.
BUSINESS ASSOCIATE AGREEMENT
THIS AGREEMENT is entered into on [DATE], by and between:
Covered Entity: [COVERED ENTITY’S NAME], with a mailing address of [COVERED ENTITY’S ADDRESS] (“Covered Entity”), and
Business Associate: [BUSINESS ASSOCIATE’S NAME], with a mailing address of [BUSINESS ASSOCIATE’S ADDRESS] (“Business Associate”).
WHEREAS, Business Associate provides certain services to or on behalf of Covered Entity, and in connection with those services, Business Associate creates, receives, maintains, or transmits protected health information (PHI);
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
1. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
a. Business Associate agrees to not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
2. PROHIBITION ON UNAUTHORIZED USE OR DISCLOSURE
a. Business Associate will not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
3. MITIGATION OF HARMFUL EFFECTS
a. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
4. OBLIGATIONS OF BUSINESS ASSOCIATE
a. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the PHI other than as provided for by this Agreement.
b. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware.
c. Business Associate agrees to ensure that any agent, including a subcontractor, agrees to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
5. DUTIES UPON TERMINATION
a. Upon termination of this Agreement for any reason, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
6. INDEMNIFICATION
a. Business Associate agrees to indemnify, defend and hold harmless Covered Entity and its directors, officers, employees, and agents from and against all claims, damages, liabilities, judgments, costs, and expenses (including reasonable legal fees and expenses) arising out of or in connection with any breach of this Agreement by Business Associate, or any negligent or wrongful act or omission of Business Associate concerning its use or disclosure of PHI.
7. INSURANCE
a. Business Associate will maintain a policy or policies of insurance with coverage amounts that are commercially reasonable and customary for the risks associated with this Agreement.
8. TERM AND TERMINATION
a. The Term of this Agreement shall be effective as of the date mentioned herein and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information.
b. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
i. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the contract if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
ii. Immediately terminate the contract if Business Associate has breached a material term of the contract and cure is not possible; or
iii. If neither termination nor cure is feasible, report the violation to the Secretary.
9. TRAINING
a. Business Associate shall train its employees and subcontractors on the requirements of HIPAA and the BAA.
10. DATA OWNERSHIP
a. It is agreed that all PHI is owned by the Covered Entity.
11. DISPUTE RESOLUTION
a. The parties agree to negotiate in good faith to resolve any disputes that arise out of this Agreement.
This Agreement is executed the day and year first written above and is binding upon the parties, their successors, and assigns.
Signature: ____________________________ Date: ______________
Signature: ____________________________ Date: ______________