
When it comes to protecting patient information, compliance with the Health Insurance Portability and Accountability Act (HIPAA) goes far beyond medical offices, hospitals, and trendy medspas. HIPAA applies to both covered entities (e.g. healthcare providers) and the business associates of a covered entity. A business associate is generally a person, entity, or business that directly or indirectly handles protected health information (PHI) in the course of performing services for the covered entity. Whether you are a healthcare provider that is a covered entity or an individual or entity that may be a business associate, you may need a Business Associate Agreement to ensure that you are in compliance with HIPAA.
What is a Business Associate Agreement (BAA)?
HIPAA generally requires covered entities to execute written agreements known as a Business Associate Agreement (BAA) with business associates before allowing the business associate to render services for the covered entity that directly or indirectly involve PHI. A BAA is a legally binding contract that sets forth the obligations of a business associate with regard to HIPAA compliance. For example, a healthcare practice that is partnering with a vendor in some capacity may be providing that vendor with direct access to patient PHI. As such, HIPAA requires that the healthcare practice and the vendor enter into a BAA.
Examples of business associates include:
- Billing or claims processing companies
- IT vendors handling patient databases or cloud storage
- Legal, accounting, and consulting firms with access to PHI
- Third-party administrators and marketing firms serving healthcare clients
What should be included in a Business Associate Agreement?
While no two Business Associate Agreements are identical, a BAA must contain certain essential elements to ensure compliance including:
- Permitted Uses and Disclosures: Define exactly how PHI may be used and under what conditions it may be shared;
- Safeguards and Security Requirements: Require administrative, physical, and technical safeguards aligned with HIPAA Security Rule standards;
- Breach Reporting Obligations: Specify timelines and procedures for notifying the covered entity of a potential or confirmed breach;
- Subcontractor Compliance: Ensure any downstream vendors who access PHI also sign BAAs and follow HIPAA standards; and
- Termination Clauses: Outline what happens to PHI when the agreement ends (e.g., data destruction or return).
While the goal of a BAA is to protect patient privacy, these documents also assign legal responsibility, reduce liability, and demonstrate due diligence. Failing to have a proper BAA in place can lead to serious legal and financial consequences. The U.S. Department of Health and Human Services (HHS) has issued multi-million-dollar fines, up to $1.5M annually, to organizations that neglected this step, regardless of whether a breach even occurred.
Additionally, organizations should not “set and forget” their BAAs or look to AI or online templates to create these legally binding documents. Working with a healthcare attorney familiar with HIPAA compliance is recommended. Regularly review and update your BAAs, especially when services, vendors, or technology change. Outdated agreements can leave compliance gaps and leave your practice or business vulnerable.
Legal support for Healthcare Agreements
In today’s data-driven healthcare environment, HIPAA compliance is everyone’s responsibility. A comprehensive Business Associate Agreement not only satisfies regulatory requirements but also protects your organization’s reputation and your clients’ trust.
If your business works with healthcare data (or supports organizations that do), now is the time to review your BAAs. The cost of noncompliance is far higher than the effort to get it right.
Our Healthcare & Life Sciences attorneys are actively and thoughtfully engaged on the issues that matter to our clients. We remain up to date regarding emerging trends and new regulatory requirements like those of BAAs and HIPAA matters. Connect with us to discuss your challenges today.