Do business associate agreements expire?

A business associates agreement regulates the relationship between business associates and covered entities. The agreement needs to remain current to ensure that the requirements set in place by the agreement are legally effective.

What is a business associate agreement (BAA)?

A business associate agreement (BAA) is a legal contract establishing the responsibilities and obligations between a covered entity and a business associate under HIPAA. The BAA ensures that the business associate agrees to handle and protect PHI per HIPAA's privacy and security rules. It outlines the permitted uses and disclosures of protected health information (PHI), establishes safeguards for the security of PHI, and outlines the business associate's responsibilities in the event of a breach or violation of HIPAA regulations.

Related: Business associate agreement provisions

When does a BAA typically expire?

A BAA typically expires based on the agreed-upon terms between the covered entity and the business associate. There is no standard timeframe for its validity set by HIPAA regulations. The expiration date is usually specified within the agreement. It can vary depending on the negotiated agreement between the parties involved.

Consequences for covered entities and associates

An expired BAA can result in non-compliance with HIPAA regulations. Both the covered entity and the business associate have obligations to protect the privacy and security of PHI under HIPAA. A BAA outlines the responsibilities and safeguards for handling PHI. 

Without an active agreement, there may be uncertainties or gaps in the security measures implemented by the business associate. For this reason, business associates need to proactively monitor the expiration dates of their BAAs, renew or renegotiate agreements as necessary.

Related: What are the penalties for HIPAA violations?

Is a BAA renewed automatically? 

Some BAAs may include provisions for automatic renewal. In such cases, the agreement will specify the conditions under which the BAA will be automatically renewed for a certain period. These conditions could include a notice period or mutual agreement between the covered entity and the business associate. With automatic renewal, the parties do not need to renegotiate or sign a new agreement unless there are substantial changes or termination of the BAA is desired.

Other BAAs may require renegotiation and signing of a new agreement upon expiration. This approach allows both parties to reassess and update the terms, conditions, and changes in their business relationship, security practices, or legal requirements. Renegotiating and signing a new agreement provides an opportunity to ensure that the BAA reflects the current needs, compliance standards, and expectations of the covered entity and the business associate.

How is an immediate termination triggered?

1. Breach of agreement: If the covered entity or the business associate breaches the terms and obligations specified in the BAA, it can trigger immediate termination. This breach could include failure to protect PHI, unauthorized use or disclosure of PHI, or non-compliance with HIPAA regulations.
2. Failure to cure: In some cases, the BAA may include provisions that allow for termination if a party fails to rectify or cure a breach within a specified timeframe. Termination can be initiated if the party does not take appropriate corrective action within the stipulated period.
3. Substantial change in circumstances: Significant changes in the business relationship, operations, or legal requirements may trigger the termination of a BAA. This could include mergers, acquisitions, bankruptcy, or a business associate no longer providing services that involve handling PHI.
4. Regulatory non-compliance: If the covered entity or the business associate fails to comply with applicable laws and regulations, including HIPAA, it may result in the termination of the BAA. Non-compliance can pose substantial risks to the privacy and security of PHI and can lead to legal consequences.

Can business associates continue providing services?

Without an active BAA, the business associate lacks the necessary legal framework to comply with HIPAA requirements and adequately safeguard PHI. Operating without a valid BAA can expose both the covered entity and the business associate to legal and regulatory risks, including potential HIPAA violations and penalties. Covered entities and business associates must ensure that a current and compliant BAA is in place before engaging in services that involve PHI.

If a BAA is about to expire, the covered entity and the business associate should initiate discussions to promptly renew or renegotiate the agreement. This ensures ongoing compliance with HIPAA regulations and maintains the necessary protections for PHI throughout the business relationship.

Related: HIPAA Compliant Email: The Definitive Guide