Business Associate Agreement
Definition
A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA between a covered entity and any third party (business associate) that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. The BAA establishes permitted uses and disclosures of PHI, requires appropriate safeguards, mandates breach notification, and defines liability for compliance failures.
Required BAA Provisions
Permitted and required uses and disclosures of PHI by the business associate
Requirement to implement appropriate safeguards to prevent unauthorized use or disclosure
Obligation to report any security incidents or breaches to the covered entity
Requirement that subcontractors agree to the same restrictions through their own BAAs
Availability of PHI to satisfy individual rights of access, amendment, and accounting of disclosures
Return or destruction of PHI upon contract termination when feasible; where return or destruction is infeasible, the BA must extend the BAA's protections to that PHI and limit further uses to the purposes that make return infeasible
Authorization for the covered entity to terminate the contract if the BA violates the BAA
Common BAA Mistakes
No BAA in place
Sharing PHI with a vendor without a signed BAA is a HIPAA violation regardless of whether a breach occurs. This is one of the most common and most easily preventable findings. Note the narrow exceptions: a BAA is not required for disclosures to another covered entity for treatment, or for entities that act as mere conduits (for example, a postal carrier or an ISP that transmits PHI without routinely accessing it). A vendor that stores or can read PHI, such as a cloud hosting or backup provider, is not a conduit and does need a BAA.
Using outdated BAA templates
BAAs must reflect current HIPAA requirements, including the 2013 Omnibus Rule changes that made business associates directly liable for Security Rule compliance, extended the BA definition to their subcontractors, and tightened breach notification. Pre-2013 BAAs likely lack these provisions and should be renegotiated rather than left in force.
Not tracking BAA inventory
Organizations often lose track of which vendors have BAAs, especially when new SaaS tools are adopted outside procurement. Maintain a centralized register of all business associates recording the BAA status, signing date, scope of PHI shared, and next review date, and reconcile it periodically against actual data flows and vendor payments.
Not monitoring BA compliance
Signing a BAA is not enough. Covered entities should verify that business associates actually implement the required safeguards and report incidents, for example through security questionnaires, independent audit reports, contractual audit rights, and tests of the BA's incident-reporting channel. Inadequate oversight of a BA that later suffers a breach is itself a finding.