HIPAA business associate agreement (BAA): What companies must know
If your company works with healthcare organizations and handles protected health information (PHI) in any way, you may need a HIPAA business associate agreement (BAA). But what exactly is it, and why is it so important?
A BAA is a legally required contract that outlines how a business associate must handle PHI when working with a HIPAA-covered entity. It ensures that both parties comply with HIPAA regulations to protect sensitive patient data. Failing to have a proper BAA can lead to hefty fines and legal trouble.
In this article, we’ll cover everything companies need to know about HIPAA BAAs – who needs them, what they must include, and the consequences of non-compliance.
- What is a HIPAA business associate agreement (BAA)?
- Who qualifies as a HIPAA business associate?
- What should be included in a HIPAA BAA?
- 1. Permissible uses and disclosures of PHI
- 2. Patient rights under the HIPAA Privacy Rule
- 3. Implementation of appropriate safeguards
- 4. Breach notification and reporting requirements
- 5. Compliance with audits and investigations
- 6. Subcontractor compliance requirements
- 7. Return or destruction of PHI upon contract termination
- 8. Contract termination for HIPAA violations
- What happens if you don’t have a BAA?
- CyberArrow: Your all-in-one solution for HIPAA compliance and vendor risk management
What is a HIPAA business associate agreement (BAA)?
A HIPAA business associate agreement (BAA) is a legally required contract between a HIPAA-covered entity (such as a healthcare provider, health plan, or clearinghouse) and a business associate (a third-party vendor that handles PHI on behalf of the covered entity).
The BAA ensures that the business associate follows HIPAA’s Privacy, Security, and Breach Notification Rules to safeguard PHI from unauthorized access, breaches, or misuse.
Example:
A cloud storage provider that stores patient records for a hospital must sign a BAA with the hospital to confirm that they will comply with HIPAA security measures.
Who needs a HIPAA business associate agreement (BAA)?
A BAA is required whenever a third-party vendor or service provider interacts with PHI.
Covered entities that must obtain BAAs:
- Hospitals, clinics, and doctor’s offices.
- Health insurance companies.
- Pharmacies.
- Healthcare clearinghouses.
Business associates that require a BAA:
- IT service providers handling PHI (cloud storage, software providers).
- Billing and medical coding companies.
- Legal or accounting firms that access PHI.
- Telehealth platforms and health tech vendors.
- Data analytics firms processing patient data.
Subcontractors must also comply.
If a business associate hires a subcontractor (e.g., a data hosting service), that subcontractor must also sign a BAA and comply with HIPAA.
Example:
A medical billing company working for a hospital must have a BAA with the hospital. If that billing company uses a third-party data entry service, the data entry provider must also sign a HIPAA business associate agreement (BAA).
Who qualifies as a HIPAA business associate?
Not every third-party service provider working with a healthcare organization is considered a business associate under HIPAA. The key factor is whether the vendor creates, receives, maintains, or transmits PHI as part of its services. If no PHI is involved, the company will not be a business associate, and a BAA will not be required.
For example, a law firm representing a healthcare provider is only classified as a business associate if it needs access to patient records for legal purposes. Similarly, an accounting firm handling financial audits for a hospital is not a business associate unless PHI is shared during the process.
Examples of HIPAA business associates
Several vendors commonly qualify as business associates because their services require handling PHI. These include:
- Cloud storage providers that host patient records or medical data.
- Email and communication platforms used by healthcare teams to exchange PHI.
- EHR (Electronic Health Record) software vendors that store and manage patient data.
- Billing and claims processing companies that handle payment information tied to PHI.
- IT service providers that maintain or secure healthcare networks containing PHI.
- Medical transcriptionists who convert doctor’s audio notes into written records.
- Shredding and disposal services that securely destroy documents with PHI.
- Third-party scheduling platforms that manage patient appointments.
What should be included in a HIPAA BAA?
A properly drafted HIPAA business associate agreement (BAA) must go beyond simply permitting or restricting PHI use. It should establish specific legal and security obligations for the business associate and any subcontractors handling PHI.
Here are the key elements that must be included in a HIPAA BAA:
1. Permissible uses and disclosures of PHI
- The contract must specify how the business associate and subcontractors can use and disclose PHI.
- The business associate cannot use or share PHI beyond the agreed-upon purposes or as required by law.
2. Patient rights under the HIPAA Privacy Rule
The business associate must assist in fulfilling patient rights, including:
- Providing copies of PHI upon request.
- Amending incorrect PHI.
- Providing an accounting of disclosures upon request.
3. Implementation of appropriate safeguards
The business associate must implement physical, technical, and administrative safeguards to protect PHI from unauthorized access or breaches.
4. Breach notification and reporting requirements
If the business associate accidentally discloses, loses, or improperly accesses PHI, it must:
- Notify the covered entity immediately.
- Report all security incidents, including breaches of unsecured PHI.
- Cooperate with investigations and remediation efforts.
5. Compliance with audits and investigations
The business associate must maintain records related to PHI use and disclosures and provide access for:
- Audits and investigations by regulatory agencies like the HHS Office for Civil Rights (OCR).
- Requests from the covered entity to verify compliance.
6. Subcontractor compliance requirements
- Any subcontractors handling PHI on behalf of a business associate must also comply with the same HIPAA restrictions and security requirements.
- The business associate is responsible for ensuring its subcontractors sign a BAA and follow HIPAA rules.
7. Return or destruction of PHI upon contract termination
When the contract ends, the business associate must return or securely destroy PHI unless retention is required by law.
8. Contract termination for HIPAA violations
- If the business associate fails to comply with HIPAA rules, the covered entity has the right to terminate the contract immediately.
- Similarly, the business associate can terminate the agreement if the covered entity violates HIPAA rules.
What happens if you don’t have a BAA?
Failing to have a HIPAA-compliant BAA can lead to severe financial penalties. The U.S. Department of Health & Human Services (HHS) enforces HIPAA compliance, and violations can result in:
1. Civil penalties
- Tier 1: $100–$50,000 per violation (if unaware of the violation)
- Tier 2: $1,000–$50,000 per violation (reasonable cause)
- Tier 3: $10,000–$50,000 per violation (willful neglect but corrected)
- Tier 4: $50,000 per violation (willful neglect, not corrected)
2. Criminal penalties
- Up to $250,000 in fines and 10 years in prison for knowingly misusing PHI.
Example:
In 2020, CHSPSC LLC, a business associate providing IT and management services to hospitals, was fined $2.3 million by HHS after a security breach exposed the PHI of 6 million individuals. The fine was due to insufficient security safeguards and failure to report the breach on time.
CyberArrow: Your all-in-one solution for HIPAA compliance and vendor risk management
Managing HIPAA compliance while working with multiple business associates can be complex. CyberArrow simplifies compliance management by automating key compliance processes, ensuring your vendors meet HIPAA requirements, and keeping your organization audit-ready.
With CyberArrow’s third-party risk management, you can also run third-party risk assessments to evaluate whether your vendors follow the necessary security protocols to protect PHI. This ensures that your business associates comply with HIPAA and maintain strong security standards.