HIPAA business associate agreement (BAA) definition

Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA). The contract protects personal health information (PHI) in accordance with HIPAA guidelines.

Effective Feb. 18, 2010 in accordance with the HITECH Act of 2009, a BA's disclosure, handling and use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under the HITECH Act, any HIPAA business associate that serves a health care provider or institution is now subject to audits by the Office for Civil Rights (OCR) within the Department of Health and Human Services and can be held accountable for a data breach and penalized for noncompliance.

With these new regulations in mind, a HIPAA business associate agreement should explicitly spell out how a BA will report and respond to a data breach, including data breaches that are caused by a business associate's subcontractors. In addition, HIPAA business associate agreements should require a BA to demonstrate how it will respond to an OCR investigation.

This was first published in July 2012

Continue Reading About HIPAA business associate agreement (BAA)

Dig Deeper

PRO+

Content

Find more PRO+ content and other member only offers, here.

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

SearchCIO

SearchCloudComputing

SearchMobileComputing

SearchSecurity

SearchStorage

Close