Understanding Business Associate Agreements (BAAs) for HIPAA Compliance

What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a legally binding contract between a Covered Entity (Healthcare provider, health insurance companies, company health plans, etc.) and a Business Associate (BA) (Third party administrators (TPA), health insurance agent, IT professionals, attornies, etc.). This agreement outlines each party’s safeguarding Protected Health Information (PHI) responsibilities.

Why are BAAs Important?
HIPAA requires Covered Entities to ensure that BAs they work with meet specific security standards for handling PHI. A BAA helps demonstrate this commitment and protects both parties in case of a data breach.

Who is a Business Associate (BA)?
Any person or organization providing services to a Covered Entity that may involve access to PHI is considered a BA.

Common BAs include:

Cloud storage providers: Companies that store PHI on remote servers.
Billing companies: Businesses that handle medical billing and insurance claims.
IT service providers: Companies that provide IT support for healthcare organizations.
Law firms: Attorneys who handle legal matters involving healthcare organizations.
Shredding companies: Businesses that securely destroy PHI.
Medical equipment service companies: Companies that repair or maintain medical equipment that may contain PHI.
Accounting firms: Accountants who handle financial information related to healthcare organizations.
Consulting firms: Consultants who provide advice or assistance to healthcare organizations.
Medical transcription services: Companies that transcribe medical records.Translation services: Companies that translate medical records into different languages.

Identifying Business Associate Subcontractors (BASs)
A BA can also use a subcontractor (BAS) to perform some of its services. A BAA is required between the BA and the BAS if a BAS accesses PHI. It is important to ask your BAs if they have contractors they use on your behalf and if a BAA is in place. Remember, under the Common Agency Provision, your BAs issues become yours.

What Should a BAA Include?
According to the Department of Health and Human Services (HHS), a BAA should address:
Permitted Uses of PHI: Clearly define how the BA can use PHI. This includes specifying whether the BA can use PHI for treatment, payment, or healthcare operations.

Safeguards: Outline the security measures the BA will implement to protect PHI. These measures should include administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and availability.
Disclosures: Specify how the BA can disclose PHI to other parties. For example, the BAA may allow the BA to disclose PHI to a subcontractor or law enforcement agency as required.Term and Termination: Specify the duration of the agreement and the conditions under which either party can terminate it.
Data Ownership: Clarify who owns the PHI and who has the right to access it.
Audit Rights: Grants the Covered Entity the right to audit the BA’s compliance with HIPAA.
Notification of Breaches: Specify how the BA will notify the Covered Entity of any data breaches.
Subcontractor Agreements: If the BA uses subcontractors, the BAA should require the BA to have BAA agreements with its subcontractors.
Liability: Address the liability of the BA for any HIPAA violations.
Indemnification Clause: Address how your organization will be made whole if an action causes a data breach. While not explicitly required under HIPAA, this is a best business practice and will help facilitate quicker resolution if an issue arises.
Governing Law: Specify the governing law that will apply to the agreement.
Dispute Resolution: Specify the method for resolving any disputes between the parties.

Consequences of Non-Compliance

Both Covered Entities and BAs can face significant civil and even criminal penalties for failing to comply with HIPAA regulations. These penalties can include fines, corrective actions, and even imprisonment for individuals.

Conclusion:
Having a BAA in place is essential for any organization working with PHI. By understanding BA requirements and ensuring your agreements are up-to-date, you can help maintain HIPAA compliance and protect sensitive patient data.

Next Steps:

Where Can I Get a Business Associate Agreement? We’ve got you covered!

DOWNLOAD BAA TEMPLATE

Learn More About our HIPAA Compliance Services
Consult with an Attorney: If you have questions about BAAs or HIPAA compliance, it’s recommended to consult with an attorney who specializes in healthcare law.

Remember, having this agreement is only one piece of the compliance puzzle. To be fully compliant, you must complete a Risk Assessment, maintain current copies of all documents required by HIPAA, train your staff, and more. Our HIPAA Prime program does all this and more, ensuring compliance for your business.

To learn more or get started, email info@totalhipaa.com today.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

Sources

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
http://searchsecurity.techtarget.com/definition/business-associate
https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2024

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Virtru: A Comprehensive Review of HIPAA Compliant Email Encryption

Introduction In today's digital age, protecting sensitive patient information (PHI) is paramount for healthcare organizations. HIPAA compliance mandates stringent security measures, including the...

RMail: A Comprehensive Review of HIPAA Compliant Email Encryption

Introduction In today's digital age, protecting sensitive patient information (PHI) is paramount for healthcare organizations. HIPAA compliance mandates stringent security measures, including the...

ProtonMail: A Comprehensive Review of HIPAA Compliant Email Encryption

Introduction In today's digital age, protecting sensitive patient information (PHI) is paramount for healthcare organizations. HIPAA compliance mandates stringent security measures, including the...

.wp-block-audio :where(figcaption){color:#555;font-size:13px;text-align:center;}.is-dark-theme .wp-block-audio :where(figcaption){color:rgba(255,255,255,.65);}.wp-block-audio{margin:0 0 1em;}.wp-block-code{border:1px solid #ccc;border-radius:4px;font-family:Menlo,Consolas,monaco,monospace;padding:.8em 1em;}.wp-block-embed :where(figcaption){color:#555;font-size:13px;text-align:center;}.is-dark-theme .wp-block-embed :where(figcaption){color:rgba(255,255,255,.65);}.wp-block-embed{margin:0 0 1em;}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center;}.is-dark-theme .blocks-gallery-caption{color:rgba(255,255,255,.65);}:root :where(.wp-block-image figcaption){color:#555;font-size:13px;text-align:center;}.is-dark-theme :root :where(.wp-block-image figcaption){color:rgba(255,255,255,.65);}.wp-block-image{margin:0 0 1em;}.wp-block-pullquote{border-bottom:4px solid;border-top:4px solid;color:currentColor;margin-bottom:1.75em;}.wp-block-pullquote cite,.wp-block-pullquote footer,.wp-block-pullquote__citation{color:currentColor;font-size:.8125em;font-style:normal;text-transform:uppercase;}.wp-block-quote{border-left:.25em solid;margin:0 0 1.75em;padding-left:1em;}.wp-block-quote cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;font-style:normal;position:relative;}.wp-block-quote:where(.has-text-align-right){border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em;}.wp-block-quote:where(.has-text-align-center){border:none;padding-left:0;}.wp-block-quote.is-large,.wp-block-quote.is-style-large,.wp-block-quote:where(.is-style-plain){border:none;}.wp-block-search .wp-block-search__label{font-weight:700;}.wp-block-search__button{border:1px solid #ccc;padding:.375em .625em;}:where(.wp-block-group.has-background){padding:1.25em 2.375em;}.wp-block-separator.has-css-opacity{opacity:.4;}.wp-block-separator{border:none;border-bottom:2px solid;margin-left:auto;margin-right:auto;}.wp-block-separator.has-alpha-channel-opacity{opacity:1;}.wp-block-separator:not(.is-style-wide):not(.is-style-dots){width:100px;}.wp-block-separator.has-background:not(.is-style-dots){border-bottom:none;height:1px;}.wp-block-separator.has-background:not(.is-style-wide):not(.is-style-dots){height:2px;}.wp-block-table{margin:0 0 1em;}.wp-block-table td,.wp-block-table th{word-break:normal;}.wp-block-table :where(figcaption){color:#555;font-size:13px;text-align:center;}.is-dark-theme .wp-block-table :where(figcaption){color:rgba(255,255,255,.65);}.wp-block-video :where(figcaption){color:#555;font-size:13px;text-align:center;}.is-dark-theme .wp-block-video :where(figcaption){color:rgba(255,255,255,.65);}.wp-block-video{margin:0 0 1em;}:root :where(.wp-block-template-part.has-background){margin-bottom:0;margin-top:0;padding:1.25em 2.375em;}.jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0;}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px;}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px;}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px;}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px;}@media print{.jetpack-sharing-buttons__services-list{display:none !important;}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0;}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em;}:root{--wp--preset--aspect-ratio--square:1;--wp--preset--aspect-ratio--4-3:4/3;--wp--preset--aspect-ratio--3-4:3/4;--wp--preset--aspect-ratio--3-2:3/2;--wp--preset--aspect-ratio--2-3:2/3;--wp--preset--aspect-ratio--16-9:16/9;--wp--preset--aspect-ratio--9-16:9/16;--wp--preset--color--black:#000;--wp--preset--color--cyan-bluish-gray:#abb8c3;--wp--preset--color--white:#fff;--wp--preset--color--pale-pink:#f78da7;--wp--preset--color--vivid-red:#cf2e2e;--wp--preset--color--luminous-vivid-orange:#ff6900;--wp--preset--color--luminous-vivid-amber:#fcb900;--wp--preset--color--light-green-cyan:#7bdcb5;--wp--preset--color--vivid-green-cyan:#00d084;--wp--preset--color--pale-cyan-blue:#8ed1fc;--wp--preset--color--vivid-cyan-blue:#0693e3;--wp--preset--color--vivid-purple:#9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple:linear-gradient(135deg,rgba(6,147,227,1) 0%,#9b51e0 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan:linear-gradient(135deg,#7adcb4 0%,#00d082 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange:linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red:linear-gradient(135deg,rgba(255,105,0,1) 0%,#cf2e2e 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray:linear-gradient(135deg,#eee 0%,#a9b8c3 100%);--wp--preset--gradient--cool-to-warm-spectrum:linear-gradient(135deg,#4aeadc 0%,#9778d1 20%,#cf2aba 40%,#ee2c82 60%,#fb6962 80%,#fef84c 100%);--wp--preset--gradient--blush-light-purple:linear-gradient(135deg,#ffceec 0%,#9896f0 100%);--wp--preset--gradient--blush-bordeaux:linear-gradient(135deg,#fecda5 0%,#fe2d2d 50%,#6b003e 100%);--wp--preset--gradient--luminous-dusk:linear-gradient(135deg,#ffcb70 0%,#c751c0 50%,#4158d0 100%);--wp--preset--gradient--pale-ocean:linear-gradient(135deg,#fff5cb 0%,#b6e3d4 50%,#33a7b5 100%);--wp--preset--gradient--electric-grass:linear-gradient(135deg,#caf880 0%,#71ce7e 100%);--wp--preset--gradient--midnight:linear-gradient(135deg,#020381 0%,#2874fc 100%);--wp--preset--font-size--small:13px;--wp--preset--font-size--medium:20px;--wp--preset--font-size--large:36px;--wp--preset--font-size--x-large:42px;--wp--preset--font-family--inter:"Inter",sans-serif;--wp--preset--font-family--cardo:Cardo;--wp--preset--spacing--20:.44rem;--wp--preset--spacing--30:.67rem;--wp--preset--spacing--40:1rem;--wp--preset--spacing--50:1.5rem;--wp--preset--spacing--60:2.25rem;--wp--preset--spacing--70:3.38rem;--wp--preset--spacing--80:5.06rem;--wp--preset--shadow--natural:6px 6px 9px rgba(0,0,0,.2);--wp--preset--shadow--deep:12px 12px 50px rgba(0,0,0,.4);--wp--preset--shadow--sharp:6px 6px 0px rgba(0,0,0,.2);--wp--preset--shadow--outlined:6px 6px 0px -3px rgba(255,255,255,1),6px 6px rgba(0,0,0,1);--wp--preset--shadow--crisp:6px 6px 0px rgba(0,0,0,1);}:root{--wp--style--global--content-size:823px;--wp--style--global--wide-size:1080px;}:where(body){margin:0;}.wp-site-blocks > .alignleft{float:left;margin-right:2em;}.wp-site-blocks > .alignright{float:right;margin-left:2em;}.wp-site-blocks > .aligncenter{justify-content:center;margin-left:auto;margin-right:auto;}:where(.is-layout-flex){gap:.5em;}:where(.is-layout-grid){gap:.5em;}.is-layout-flow > .alignleft{float:left;margin-inline-start:0;margin-inline-end:2em;}.is-layout-flow > .alignright{float:right;margin-inline-start:2em;margin-inline-end:0;}.is-layout-flow > .aligncenter{margin-left:auto !important;margin-right:auto !important;}.is-layout-constrained > .alignleft{float:left;margin-inline-start:0;margin-inline-end:2em;}.is-layout-constrained > .alignright{float:right;margin-inline-start:2em;margin-inline-end:0;}.is-layout-constrained > .aligncenter{margin-left:auto !important;margin-right:auto !important;}.is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width:var(--wp--style--global--content-size);margin-left:auto !important;margin-right:auto !important;}.is-layout-constrained > .alignwide{max-width:var(--wp--style--global--wide-size);}body .is-layout-flex{display:flex;}.is-layout-flex{flex-wrap:wrap;align-items:center;}.is-layout-flex > :is(*,div){margin:0;}body .is-layout-grid{display:grid;}.is-layout-grid > :is(*,div){margin:0;}body{padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}:root :where(.wp-element-button,.wp-block-button__link){background-color:#32373c;border-width:0;color:#fff;font-family:inherit;font-size:inherit;line-height:inherit;padding:calc(.667em + 2px) calc(1.333em + 2px);text-decoration:none;}.has-black-color{color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color:var(--wp--preset--color--white) !important;}.has-pale-pink-color{color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color:var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color:var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color:var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color:var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color:var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background:var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background:var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background:var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background:var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background:var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background:var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background:var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background:var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background:var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background:var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background:var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background:var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size:var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size:var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size:var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size:var(--wp--preset--font-size--x-large) !important;}.has-inter-font-family{font-family:var(--wp--preset--font-family--inter) !important;}.has-cardo-font-family{font-family:var(--wp--preset--font-family--cardo) !important;}:where(.wp-block-post-template.is-layout-flex){gap:1.25em;}:where(.wp-block-post-template.is-layout-grid){gap:1.25em;}:where(.wp-block-columns.is-layout-flex){gap:2em;}:where(.wp-block-columns.is-layout-grid){gap:2em;}:root :where(.wp-block-pullquote){font-size:1.5em;line-height:1.6;}@media screen and ( max-width : 720px ){.dpsp-content-wrapper.dpsp-hide-on-mobile,.dpsp-share-text.dpsp-hide-on-mobile{display:none;}.dpsp-has-spacing .dpsp-networks-btns-wrapper li{margin:0 2% 10px 0;}.dpsp-network-btn.dpsp-has-label:not(.dpsp-has-count){max-height:40px;padding:0;justify-content:center;}.dpsp-content-wrapper.dpsp-size-small .dpsp-network-btn.dpsp-has-label:not(.dpsp-has-count){max-height:32px;}.dpsp-content-wrapper.dpsp-size-large .dpsp-network-btn.dpsp-has-label:not(.dpsp-has-count){max-height:46px;}}@media screen and ( max-width : 720px ){aside#dpsp-floating-sidebar.dpsp-hide-on-mobile.opened{display:none;}}.infinite-scroll .woocommerce-pagination{display:none;}.woocommerce form .form-row .required{visibility:visible;}.et_pb_section.popup{display:none;}img#wpstats{display:none;}div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label{font-size:0px !important;color:rgba(0,0,0,0);}div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after{font-size:11px !important;position:absolute;top:0;left:0;z-index:1;}.asl_w_container{width:100%;margin:0px 0px 0px 0px;min-width:200px;}div[id*='ajaxsearchlite'].asl_m{width:100%;}div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted{font-weight:bold;color:rgba(217,49,43,1);background-color:rgba(238,238,238,1);}div[id*='ajaxsearchliteres'].wpdreams_asl_results .results img.asl_image{width:70px;height:70px;object-fit:cover;}div.asl_r .results{max-height:none;}div.asl_r.asl_w.vertical .results .item::after{display:block;position:absolute;bottom:0;content:"";height:1px;width:100%;background:#d8d8d8;}div.asl_r.asl_w.vertical .results .item.asl_last_item::after{display:none;}#desktop-nav{text-align:right;}#desktop-nav a{color:#2e2e2e;}#desktop-nav ul{list-style:none;}#desktop-nav ul.top-level{padding-bottom:0;}#desktop-nav ul.top-level > li{display:inline-block;margin-left:30px;position:relative;font-size:18px;font-weight:500;padding-bottom:20px;padding-top:20px;cursor:pointer;}#desktop-nav ul.top-level > li:hover .submenu{display:block;}#desktop-nav .submenu{display:none;position:absolute;background-color:#f3f3f3;text-align:left;padding:16px 12px;margin:30px 0 0 0;border-radius:4px;box-shadow:0px 9px 12px -6px rgba(0,0,0,.2);line-height:1.2em;min-width:220px;left:-30px;top:32px;}#desktop-nav .submenu:after{bottom:100%;left:66px;content:" ";height:0;width:0;position:absolute;pointer-events:none;border:12px solid hsla(0,0%,98.8%,0);border-bottom-color:#f3f3f3;border-radius:2px;margin-left:-15px;}#desktop-nav .submenu li{padding:4px 4px 4px 12px;border-radius:2px;margin-bottom:8px;min-height:40px;line-height:32px;position:relative;}#desktop-nav .submenu li a{display:inline-block;vertical-align:middle;line-height:normal;}#desktop-nav .submenu li:hover{background-color:#d9e9f4;}#desktop-nav .submenu .top-line{font-size:16px;font-weight:500;margin-bottom:4px;}#desktop-nav .submenu .sub-line{font-size:11px;line-height:1.2em;font-weight:300;}#desktop-nav .nav-services .submenu{}#desktop-nav .nav-services .submenu:after{}#desktop-nav .nav-customers .submenu li{padding-left:14px;}#desktop-nav .nav-customers .submenu li:before{content:"";width:30px;height:30px;position:absolute;background-repeat:no-repeat;background-size:contain;display:block;left:5px;top:6px;}#desktop-nav .nav-customers .submenu li.subnav-agents:before{background-image:url("https://totalhipaa.wpengine.com/wp-content/uploads/2020/09/TH_AgentsBrokers_Icon_new.png");}#desktop-nav .nav-customers .submenu li.subnav-employers:before{background-image:url("https://totalhipaa.wpengine.com/wp-content/uploads/2020/09/TH_Employers_Icon.png");}#desktop-nav .nav-customers .submenu li.subnav-associates:before{background-image:url("https://totalhipaa.wpengine.com/wp-content/uploads/2020/09/TH_BusinessAssociates_Icon.png");}#desktop-nav .nav-customers .submenu li.subnav-medical:before{background-image:url("https://totalhipaa.wpengine.com/wp-content/uploads/2020/09/TH_MedicalProviders_Icon.png");}#desktop-nav .nav-customers .submenu li.subnav-dental:before{background-image:url("https://totalhipaa.wpengine.com/wp-content/uploads/2020/09/TH_DentalProviders_Icon.png");}#desktop-nav .nav-login a{background-color:#fff;border:2px solid #43cc8f;border-radius:4px;padding:10px 20px;color:#43cc8f;}#desktop-nav .nav-get-started a{background-color:#0081a0;border-radius:4px;padding:6px 16px;color:#fff;}.top-level > li{position:relative;}.top-level > li:not(.no-underline):after{content:"";position:absolute;width:0;height:3px;display:block;margin-top:5px;right:0;background:#43cc8f;transition:width .2s ease;-webkit-transition:width .2s ease;}.top-level > li:hover:after{width:100%;left:0;background:#43cc8f;}.header-search-container{display:inline-block;position:relative;}.expandable-search{position:absolute;top:30px;right:0;width:360px;background-color:#f4f5f8;padding:8px;}.header-search-container .expandable-search{display:none;}.header-search-container.expanded .expandable-search{display:block;}.header-search-container.expanded .et_pb_menu__search-button:after{content:"\\4d";}#gform_wrapper_213[data-form-index="0"].gform-theme,[data-parent-form="213_0"]{--gf-color-primary:#204ce5;--gf-color-primary-rgb:32,76,229;--gf-color-primary-contrast:#fff;--gf-color-primary-contrast-rgb:255,255,255;--gf-color-primary-darker:#001ab3;--gf-color-primary-lighter:#527eff;--gf-color-secondary:#fff;--gf-color-secondary-rgb:255,255,255;--gf-color-secondary-contrast:#112337;--gf-color-secondary-contrast-rgb:17,35,55;--gf-color-secondary-darker:#f5f5f5;--gf-color-secondary-lighter:#fff;--gf-color-out-ctrl-light:rgba(17,35,55,.1);--gf-color-out-ctrl-light-rgb:17,35,55;--gf-color-out-ctrl-light-darker:rgba(104,110,119,.35);--gf-color-out-ctrl-light-lighter:#f5f5f5;--gf-color-out-ctrl-dark:#585e6a;--gf-color-out-ctrl-dark-rgb:88,94,106;--gf-color-out-ctrl-dark-darker:#112337;--gf-color-out-ctrl-dark-lighter:rgba(17,35,55,.65);--gf-color-in-ctrl:#fff;--gf-color-in-ctrl-rgb:255,255,255;--gf-color-in-ctrl-contrast:#112337;--gf-color-in-ctrl-contrast-rgb:17,35,55;--gf-color-in-ctrl-darker:#f5f5f5;--gf-color-in-ctrl-lighter:#fff;--gf-color-in-ctrl-primary:#204ce5;--gf-color-in-ctrl-primary-rgb:32,76,229;--gf-color-in-ctrl-primary-contrast:#fff;--gf-color-in-ctrl-primary-contrast-rgb:255,255,255;--gf-color-in-ctrl-primary-darker:#001ab3;--gf-color-in-ctrl-primary-lighter:#527eff;--gf-color-in-ctrl-light:rgba(17,35,55,.1);--gf-color-in-ctrl-light-rgb:17,35,55;--gf-color-in-ctrl-light-darker:rgba(104,110,119,.35);--gf-color-in-ctrl-light-lighter:#f5f5f5;--gf-color-in-ctrl-dark:#585e6a;--gf-color-in-ctrl-dark-rgb:88,94,106;--gf-color-in-ctrl-dark-darker:#112337;--gf-color-in-ctrl-dark-lighter:rgba(17,35,55,.65);--gf-radius:3px;--gf-font-size-secondary:14px;--gf-font-size-tertiary:13px;--gf-icon-ctrl-number:url("data:image/svg+xml,%3Csvg width=\'8\' height=\'14\' viewBox=\'0 0 8 14\' fill=\'none\' xmlns=\'http://www.w3.org/2000/svg\'%3E%3Cpath fill-rule=\'evenodd\' clip-rule=\'evenodd\' d=\'M4 0C4.26522 5.96046e-08 4.51957 0.105357 4.70711 0.292893L7.70711 3.29289C8.09763 3.68342 8.09763 4.31658 7.70711 4.70711C7.31658 5.09763 6.68342 5.09763 6.29289 4.70711L4 2.41421L1.70711 4.70711C1.31658 5.09763 0.683417 5.09763 0.292893 4.70711C-0.0976311 4.31658 -0.097631 3.68342 0.292893 3.29289L3.29289 0.292893C3.48043 0.105357 3.73478 0 4 0ZM0.292893 9.29289C0.683417 8.90237 1.31658 8.90237 1.70711 9.29289L4 11.5858L6.29289 9.29289C6.68342 8.90237 7.31658 8.90237 7.70711 9.29289C8.09763 9.68342 8.09763 10.3166 7.70711 10.7071L4.70711 13.7071C4.31658 14.0976 3.68342 14.0976 3.29289 13.7071L0.292893 10.7071C-0.0976311 10.3166 -0.0976311 9.68342 0.292893 9.29289Z\' fill=\'rgba(17, 35, 55, 0.65)\'/%3E%3C/svg%3E");--gf-icon-ctrl-select:url("data:image/svg+xml,%3Csvg width=\'10\' height=\'6\' viewBox=\'0 0 10 6\' fill=\'none\' xmlns=\'http://www.w3.org/2000/svg\'%3E%3Cpath fill-rule=\'evenodd\' clip-rule=\'evenodd\' d=\'M0.292893 0.292893C0.683417 -0.097631 1.31658 -0.097631 1.70711 0.292893L5 3.58579L8.29289 0.292893C8.68342 -0.0976311 9.31658 -0.0976311 9.70711 0.292893C10.0976 0.683417 10.0976 1.31658 9.70711 1.70711L5.70711 5.70711C5.31658 6.09763 4.68342 6.09763 4.29289 5.70711L0.292893 1.70711C-0.0976311 1.31658 -0.0976311 0.683418 0.292893 0.292893Z\' fill=\'rgba(17, 35, 55, 0.65)\'/%3E%3C/svg%3E");--gf-icon-ctrl-search:url("data:image/svg+xml,%3Csvg version=\'1.1\' xmlns=\'http://www.w3.org/2000/svg\' width=\'640\' height=\'640\'%3E%3Cpath d=\'M256 128c-70.692 0-128 57.308-128 128 0 70.691 57.308 128 128 128 70.691 0 128-57.309 128-128 0-70.692-57.309-128-128-128zM64 256c0-106.039 85.961-192 192-192s192 85.961 192 192c0 41.466-13.146 79.863-35.498 111.248l154.125 154.125c12.496 12.496 12.496 32.758 0 45.254s-32.758 12.496-45.254 0L367.248 412.502C335.862 434.854 297.467 448 256 448c-106.039 0-192-85.962-192-192z\' fill=\'rgba(17, 35, 55, 0.65)\'/%3E%3C/svg%3E");--gf-label-space-y-secondary:var(--gf-label-space-y-md-secondary);--gf-ctrl-border-color:#686e77;--gf-ctrl-size:var(--gf-ctrl-size-md);--gf-ctrl-label-color-primary:#112337;--gf-ctrl-label-color-secondary:#112337;--gf-ctrl-choice-size:var(--gf-ctrl-choice-size-md);--gf-ctrl-checkbox-check-size:var(--gf-ctrl-checkbox-check-size-md);--gf-ctrl-radio-check-size:var(--gf-ctrl-radio-check-size-md);--gf-ctrl-btn-font-size:var(--gf-ctrl-btn-font-size-md);--gf-ctrl-btn-padding-x:var(--gf-ctrl-btn-padding-x-md);--gf-ctrl-btn-size:var(--gf-ctrl-btn-size-md);--gf-ctrl-btn-border-color-secondary:#686e77;--gf-ctrl-file-btn-bg-color-hover:#ebebeb;--gf-field-img-choice-size:var(--gf-field-img-choice-size-md);--gf-field-img-choice-card-space:var(--gf-field-img-choice-card-space-md);--gf-field-img-choice-check-ind-size:var(--gf-field-img-choice-check-ind-size-md);--gf-field-img-choice-check-ind-icon-size:var(--gf-field-img-choice-check-ind-icon-size-md);--gf-field-pg-steps-number-color:rgba(17,35,55,.8);}#global-footer a{color:#2e2e2e;}.et_pb_contact_form{margin-left:0;}.et_pb_contact p{padding-left:0;margin-bottom:20px;}.et_pb_contact input{border-radius:4px;}.et_contact_bottom_container{display:block;width:100%;}.et_contact_bottom_container button{display:block;width:100%;margin:0;}

Understanding Business Associate Agreements (BAAs) for HIPAA Compliance

Cloud storage providers: Companies that store PHI on remote servers.

Billing companies: Businesses that handle medical billing and insurance claims.

IT service providers: Companies that provide IT support for healthcare organizations.

Law firms: Attorneys who handle legal matters involving healthcare organizations.

Shredding companies: Businesses that securely destroy PHI.

Medical equipment service companies: Companies that repair or maintain medical equipment that may contain PHI.

Accounting firms: Accountants who handle financial information related to healthcare organizations.

Consulting firms: Consultants who provide advice or assistance to healthcare organizations.

Medical transcription services: Companies that transcribe medical records.Translation services: Companies that translate medical records into different languages.

Safeguards: Outline the security measures the BA will implement to protect PHI. These measures should include administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and availability.

Disclosures: Specify how the BA can disclose PHI to other parties. For example, the BAA may allow the BA to disclose PHI to a subcontractor or law enforcement agency as required.Term and Termination: Specify the duration of the agreement and the conditions under which either party can terminate it.

Data Ownership: Clarify who owns the PHI and who has the right to access it.

Audit Rights: Grants the Covered Entity the right to audit the BA’s compliance with HIPAA.

Notification of Breaches: Specify how the BA will notify the Covered Entity of any data breaches.

Subcontractor Agreements: If the BA uses subcontractors, the BAA should require the BA to have BAA agreements with its subcontractors.

Liability: Address the liability of the BA for any HIPAA violations.

Indemnification Clause: Address how your organization will be made whole if an action causes a data breach. While not explicitly required under HIPAA, this is a best business practice and will help facilitate quicker resolution if an issue arises.

Governing Law: Specify the governing law that will apply to the agreement.

Dispute Resolution: Specify the method for resolving any disputes between the parties.

Consequences of Non-Compliance

Both Covered Entities and BAs can face significant civil and even criminal penalties for failing to comply with HIPAA regulations. These penalties can include fines, corrective actions, and even imprisonment for individuals.

Conclusion:
Having a BAA in place is essential for any organization working with PHI. By understanding BA requirements and ensuring your agreements are up-to-date, you can help maintain HIPAA compliance and protect sensitive patient data.

Where Can I Get a Business Associate Agreement? We’ve got you covered!

Sources

Looking for a Business Associate Agreement?

Want to stay informed?

State of HIPAA Compliance in 2024

Related Posts

Virtru: A Comprehensive Review of HIPAA Compliant Email Encryption

RMail: A Comprehensive Review of HIPAA Compliant Email Encryption

ProtonMail: A Comprehensive Review of HIPAA Compliant Email Encryption

Contact Us

Information

Support

Subscribe to stay in touch

BAA Download

Understanding Business Associate Agreements (BAAs) for HIPAA Compliance

Cloud storage providers: Companies that store PHI on remote servers.

Billing companies: Businesses that handle medical billing and insurance claims.

IT service providers: Companies that provide IT support for healthcare organizations.

Law firms: Attorneys who handle legal matters involving healthcare organizations.

Shredding companies: Businesses that securely destroy PHI.

Medical equipment service companies: Companies that repair or maintain medical equipment that may contain PHI.

Accounting firms: Accountants who handle financial information related to healthcare organizations.

Consulting firms: Consultants who provide advice or assistance to healthcare organizations.

Medical transcription services: Companies that transcribe medical records.Translation services: Companies that translate medical records into different languages.

Safeguards: Outline the security measures the BA will implement to protect PHI. These measures should include administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and availability.

Disclosures: Specify how the BA can disclose PHI to other parties. For example, the BAA may allow the BA to disclose PHI to a subcontractor or law enforcement agency as required.Term and Termination: Specify the duration of the agreement and the conditions under which either party can terminate it.

Data Ownership: Clarify who owns the PHI and who has the right to access it.

Audit Rights: Grants the Covered Entity the right to audit the BA’s compliance with HIPAA.

Notification of Breaches: Specify how the BA will notify the Covered Entity of any data breaches.

Subcontractor Agreements: If the BA uses subcontractors, the BAA should require the BA to have BAA agreements with its subcontractors.

Liability: Address the liability of the BA for any HIPAA violations.

Indemnification Clause: Address how your organization will be made whole if an action causes a data breach. While not explicitly required under HIPAA, this is a best business practice and will help facilitate quicker resolution if an issue arises.

Governing Law: Specify the governing law that will apply to the agreement.

Dispute Resolution: Specify the method for resolving any disputes between the parties.

Consequences of Non-Compliance

Both Covered Entities and BAs can face significant civil and even criminal penalties for failing to comply with HIPAA regulations. These penalties can include fines, corrective actions, and even imprisonment for individuals.

Conclusion:Having a BAA in place is essential for any organization working with PHI. By understanding BA requirements and ensuring your agreements are up-to-date, you can help maintain HIPAA compliance and protect sensitive patient data.

Where Can I Get a Business Associate Agreement? We’ve got you covered!

Sources

Looking for a Business Associate Agreement?

Want to stay informed?

State of HIPAA Compliance in 2024

Related Posts

Virtru: A Comprehensive Review of HIPAA Compliant Email Encryption

RMail: A Comprehensive Review of HIPAA Compliant Email Encryption

ProtonMail: A Comprehensive Review of HIPAA Compliant Email Encryption

Conclusion:
Having a BAA in place is essential for any organization working with PHI. By understanding BA requirements and ensuring your agreements are up-to-date, you can help maintain HIPAA compliance and protect sensitive patient data.