HIPAA Business Associate Agreement: What Is It and Do I Need One?
Moira Wertheimer, Esq., RN, CPHRM
Assistant Vice President, Psychiatric and Healthcare Risk Management Group

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to Covered Entities (CEs), which include healthcare providers who transmit any protected health information (PHI) in an electronic form. HIPAA permits CEs to employ a Business Associate (BA) to help carry out their health care activities and functions. Specifically, a BA is a person/entity that is engaged to do work involving the use/disclosure of PHI on behalf of a CE. In a physician practice, BA activities often include: billing, claims processing, legal services, accounting services, e-prescribing, medical transcription services, etc. The CE’s staff members are not considered BAs under HIPAA; they are considered part of the workforce.[1]

When employing a BA, HIPAA requires the CE to obtain satisfactory assurances in writing that the BA will safeguard the PHI it creates or receives on behalf of the CE. These written assurances given by the BA to the CE are referred to as Business Associate Agreements (BAAs). HIPAA specifically identifies the elements needing to be included in the BAA.[2] Among other things, the BAA must:

  • Describe the permitted uses/disclosure of PHI by the BA;
  • State that the BA will not use/further disclose the PHI for any purposes other than those specified in the BAA;
  • Require the BA to safeguard the PHI from unauthorized uses/disclosures;
  • Require the BA to report to the CE any unauthorized use/disclosure of PHI, including incidents that constitute breaches of unsecured protected health information;
  • Require the BA to disclose PHI as specified in its contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI;
  • Require the BA to comply with the HIPAA requirements applicable to carrying out their contractual obligation on behalf of the CE;
  • Require the BA to make available to U.S. Department of Health and Human Services (HHS) its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of the CE, for purposes of HHS determining the CE’s compliance with the HIPAA Privacy Rule;
  • Require the BA, at termination of the contract, to return or destroy all PHI received from, or created or received by the BA on behalf of the CE;
  • Require the BA to ensure that any subcontractors it may employ on a CE’s behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA;
  • Authorize termination of the contract by the CE if the BA violates a material term of the contract.

Note that contracts between BAs and their subcontractors are also subject to these same requirements. A sample BAA can be found at the HHS website: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. As always, it is prudent to consult with your attorney prior to entering into any contracts to ensure compliance with applicable federal/state laws.

  1. 45 CFR 160.103 (Definition of Business Associate)
  2. 45 CFR 164.504(e)