Intermediate · 15 min read

Business Associate Agreements

Everything you need to know about BAAs: when you need them, what they contain, and how to manage them.


What is a Business Associate?

A Business Associate (BA) is a person or organization that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI).

When is a BAA Required?

You need a BAA when a third party:

Creates, receives, maintains, or transmits PHI on your behalf:

  • Billing companies
  • EHR/EMR vendors
  • Cloud storage providers
  • IT support companies
  • Medical transcription services
  • Shredding/disposal companies
  • Answering services
  • Appointment reminder services
  • Email service providers (if PHI is transmitted)

Provides services involving PHI:

  • Legal services
  • Accounting services
  • Consulting services
  • Quality assurance

When is a BAA NOT Required?

Conduits (mere transmission):

  • Postal services
  • Internet service providers (for transmission only)
  • Telephone companies

Treatment relationships:

  • Referring physicians
  • Labs performing tests
  • Other treating providers

Patients' personal representatives:

  • Family members authorized by patient

Required BAA Elements

HIPAA specifies required provisions for Business Associate Agreements:

1. Permitted Uses and Disclosures

The BAA must specify:

  • What the BA is allowed to do with PHI
  • Permitted uses for the BA's own management and administration
  • Any data aggregation services

2. Safeguards Requirement

The BA must agree to:

  • Use appropriate safeguards to prevent unauthorized use/disclosure
  • Comply with Security Rule requirements
  • Report security incidents

3. Subcontractor Requirements

The BA must:

  • Ensure subcontractors agree to same restrictions
  • Obtain BAAs from their own subcontractors

4. Access Rights

The BA must:

  • Make PHI available to individuals who request it
  • Support the covered entity's obligations to provide access

5. Amendment Rights

The BA must:

  • Make PHI available for amendment
  • Incorporate amendments as directed

6. Accounting of Disclosures

The BA must:

  • Track disclosures for accounting purposes
  • Provide information to support accounting requests

7. HHS Access

The BA must:

  • Make internal practices available to HHS
  • Provide books and records for compliance review

8. Return or Destruction

At termination, the BA must:

  • Return or destroy all PHI
  • If not feasible, extend protections and limit further use

9. Breach Notification

The BA must:

  • Report breaches to the covered entity
  • Provide information needed for notification

Sample BAA Provisions

Preamble

This Business Associate Agreement ("Agreement") is entered into
between [Covered Entity Name] ("Covered Entity") and [Business
Associate Name] ("Business Associate") as of [Date].

WHEREAS, Covered Entity and Business Associate have entered into
an arrangement whereby Business Associate will provide [services]
to Covered Entity;

WHEREAS, Covered Entity is a "covered entity" as defined under HIPAA;

WHEREAS, Business Associate will have access to Protected Health
Information in performing services for Covered Entity;

NOW, THEREFORE, the parties agree as follows:

Obligations of Business Associate

Business Associate agrees to:

a) Use and disclose PHI only as permitted by this Agreement or
   as required by law;

b) Implement appropriate administrative, physical, and technical
   safeguards to protect PHI;

c) Report to Covered Entity any use or disclosure of PHI not
   provided for in this Agreement, including any Security Incident
   or Breach, within [timeframe];

d) Ensure that any subcontractors agree to the same restrictions
   and conditions;

e) Make PHI available to individuals as required under 45 CFR
   § 164.524;

f) Make PHI available for amendment as required under 45 CFR
   § 164.526;

g) Maintain and make available information required for accounting
   of disclosures under 45 CFR § 164.528;

h) Make internal practices and records available to HHS for
   compliance determination;

i) Return or destroy all PHI upon termination of this Agreement.

Termination Provisions

Term and Termination:

a) This Agreement shall remain in effect for the duration of the
   underlying service agreement.

b) Covered Entity may terminate this Agreement immediately upon
   written notice if Business Associate breaches any material term.

c) Upon termination, Business Associate shall return or destroy
   all PHI received from Covered Entity. If return or destruction
   is not feasible, Business Associate shall extend the protections
   of this Agreement and limit further uses and disclosures.

Vendor Assessment Checklist

Before signing a BAA, assess your vendor:

Security Posture

  • Do they have documented security policies?
  • Do they conduct regular risk assessments?
  • Do they have security certifications (SOC 2, HITRUST)?
  • Do they encrypt data at rest and in transit?
  • Do they have incident response procedures?

Compliance History

  • Any history of breaches or violations?
  • References from other healthcare clients?
  • Willing to provide compliance documentation?

Operational Capabilities

  • Backup and disaster recovery procedures?
  • Business continuity planning?
  • Employee training programs?
  • Access control procedures?

Contractual Willingness

  • Willing to sign your BAA (or acceptable version)?
  • Willing to accept breach notification requirements?
  • Adequate insurance coverage?

BAA Management Best Practices

Inventory Management

  • Maintain a list of all business associates
  • Track BAA effective dates and terms
  • Monitor for renewal requirements
  • Document the services provided by each BA

Regular Reviews

  • Review BAAs annually
  • Assess BA compliance
  • Update agreements for regulatory changes
  • Verify BA still meets requirements

Ongoing Monitoring

  • Request periodic compliance attestations
  • Review the BA's security practices
  • Monitor for breaches or incidents
  • Address any compliance concerns promptly

Documentation

  • Keep signed copies of all BAAs
  • Document vendor assessments
  • Maintain communication records
  • Track any BAA amendments

Common BAA Mistakes

  1. Not having a BAA at all - Every BA relationship needs one

  2. Using the vendor's BAA without review - Ensure it meets requirements

  3. Not customizing the agreement - Generic templates may not fit

  4. Forgetting about subcontractors - Your BA's BAs need agreements too

  5. Not tracking expiration - BAAs may need renewal

  6. Failing to verify compliance - Trust but verify

Cloud Service Providers

Special considerations for cloud services:

AWS, Google Cloud, Azure:

  • Will sign BAAs for compliant services
  • Not all services are HIPAA-eligible
  • You're still responsible for configuring those services securely

SaaS Applications:

  • Review their HIPAA compliance claims
  • Verify they'll sign a BAA
  • Understand the shared responsibility model

HIPAA Agent helps you track all your Business Associate relationships, manage BAA renewals, and generate compliant agreement templates customized to your needs.
