HIPAA business associate agreement (BAA)

Contributor(s): Kristen Lee

Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity and a HIPAA business associate (BA). The contract protects protected health information (PHI) in accordance with HIPAA guidelines.

Effective Feb. 18, 2010, in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, a BA's disclosure, handling and use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under the HITECH Act, any HIPAA business associate that serves a healthcare provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) and can be held accountable for a data breach and penalized for noncompliance.

Examples of HIPAA business associates

According to the HHS, examples of HIPAA business associates include:

  • A health plan uses a third-party administrator to help with claims processing.
  • A CPA firm provides accounting services to a healthcare provider and has access to protected health information.
  • A hospital has a consultant perform utilization reviews.
  • A healthcare clearinghouse translates a claim from a nonstandard format to a standard format for a healthcare provider and then sends the processed transaction to a payer.
  • A physician uses an independent medical transcriptionist's services.
  • A pharmacy benefits manager manages a health plan's pharmacist network.

Mobile application developers could also be considered HIPAA business associates because many healthcare mobile applications handle PHI.

HHS gave a scenario where an app developer would be considered a HIPAA business associate: A patient is told by her provider to download a health app to her smartphone. The app developer and the provider have a contract for patient management services which include remote patient health counseling, patient messaging, monitoring the patients' food and exercise, and electronic health record (EHR) integration and application program interfaces. Furthermore, the information the patient inputs into the application is automatically incorporated in the EHR.

HIPAA business associate contract requirements

According to HHS, HIPAA business associate contracts or other written arrangements should contain the following:

  • Describe how the business associate is permitted and required to use PHI.
  • Require that the business associate not use or disclose PHI other than as specified in the contract or as required by law.
  • Require the business associate to use appropriate safeguards to ensure PHI is used only as detailed in the contract.
  • Require the covered entity to take reasonable steps to cure any breach by the business associate when it becomes aware of one and, if that is unsuccessful, to terminate the contract with the business associate.
  • If contract termination is not feasible, require the covered entity to report the problem to the HHS OCR.

With these new regulations in mind, a HIPAA business associate agreement should explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate's subcontractors. In addition, HIPAA business associate agreements should require a BA to demonstrate how it will respond to an OCR investigation.

This was last updated in November 2016

What do you think should absolutely be included in a HIPAA business associate agreement?
I just have a question, hoping somebody can give me an answer. If an employee signs a HIPAA agreement with their employer, does that agreement ever expire? What if the employer's (or company's) name changes? Should the HIPAA agreement be updated with the new employer's or company's name on the agreement?
There is an annual HIPAA training mandated by the Ethics and Compliance department, at the end of which every employee agrees to follow HIPAA Security and Privacy Rules. That tells me it might be valid for a year. Just a guess.
Question: As a hospital and outpatient clinic, if we refer our clients to another entity to provide services but we do not have a contract with that other entity, are we required to have a BAA?