
Do business associate agreements expire?

The question of whether business associate agreements expire is not directly answered by HIPAA regulations themselves, but rather by the terms negotiated and agreed upon by the parties involved. According to a journal article from the Journal of the California Dental Association's ‘Regulatory Compliance/HIPAA Business Associate Agreements’, “A covered entity should maintain a log that lists identified business associates, their contact information and dates respective BAAs were signed, will expire or are to be reviewed.” 

A BAA often states a specific expiration date or term of validity, set by the covered entity and the business associate when the agreement is executed. HIPAA mandates no standard length for a BAA, so the term can range from a fixed number of years to an open-ended arrangement that lasts as long as the underlying services involving PHI continue, depending on the needs and preferences of the parties.

When a BAA reaches its expiration date, or if the underlying business relationship ends, the agreement may terminate unless it contains provisions for automatic renewal. Some BAAs are written to renew automatically unless one party provides notice of termination within a specified period, while others require renegotiation and re-signature to remain in effect. This flexibility allows organizations to periodically reassess the terms of the agreement, update compliance measures, and address any changes in the business relationship or regulatory environment. 

When does a BAA typically expire?

According to the Public Health Reports study ‘The HIPAA Omnibus Rule: Implications for Public Health Policy and Practice’, “The Omnibus Rule expands the definition of a ‘business associate’ to include all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity, making clear that companies that store PHI on behalf of health care providers and health plans are business associates.”

Despite this expansion, a BAA does not have a federally mandated expiration period under HIPAA regulations. Instead, the expiration timing of a BAA is generally determined by the terms negotiated and specified within the agreement itself between the covered entity and the business associate. Some BAAs specify a fixed term after which the agreement must be renewed or renegotiated, while others may remain in effect indefinitely until actively terminated by either party.

A BAA usually includes provisions for termination upon expiration, breach, or mutual agreement, and it requires the business associate to return or destroy all protected health information (PHI) at termination, where feasible. Where return or destruction is not feasible, the agreement should extend its protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible. Under the HIPAA Omnibus Rule, covered entities were given up to one additional year to amend existing business associate contracts to comply with the updated regulations, which illustrates that BAAs are renewed or amended rather than simply allowed to lapse.

In practice, organizations often align the expiration of a BAA with the term of the underlying service contract to ensure continuous compliance. If the business relationship continues beyond the initial term, the parties may renew or extend the BAA to maintain the protections and responsibilities required by HIPAA. Failure to renew or extend a BAA when services involving PHI continue can expose both parties to regulatory risk.

What can trigger termination of a BAA?

  1. Breach of agreement: If either the covered entity or the business associate breaches the terms and obligations specified in the BAA, it can trigger immediate termination. This breach could include failure to protect PHI, unauthorized use or disclosure of PHI, or non-compliance with HIPAA regulations.
  2. Failure to cure: In some cases, the BAA may include provisions that allow for termination if a party fails to rectify or cure a breach within a specified timeframe. If the party does not take appropriate corrective action within the stipulated period, termination can be initiated.
  3. Substantial change in circumstances: Changes in the business relationship, operations, or legal requirements may trigger the termination of a BAA. This could include situations such as mergers, acquisitions, bankruptcy, or a business associate no longer providing services that involve handling PHI.
  4. Regulatory non-compliance: If either the covered entity or the business associate fails to comply with applicable laws and regulations, including HIPAA, it may result in the termination of the BAA. Non-compliance can pose substantial risks to the privacy and security of PHI and can lead to legal consequences.

Can business associates continue providing services?

Not where the services involve PHI. Without an active BAA, neither party has the contractual framework HIPAA requires for the relationship: the covered entity's disclosure of PHI to the business associate is itself a violation, and the business associate has no documented permitted uses and safeguards to work within. Operating without a valid BAA therefore exposes both the covered entity and the business associate to legal and regulatory risk, including HIPAA violations and penalties. Covered entities and business associates need to ensure that a current and compliant BAA is in place before engaging in services that involve PHI.

If a BAA is about to expire, the covered entity and the business associate should initiate discussions to promptly renew or renegotiate the agreement. This ensures ongoing compliance with HIPAA regulations and maintains the necessary protections for PHI throughout the business relationship.

FAQs

What is a business associate under HIPAA?

A business associate is a person or entity that performs certain functions or activities on behalf of, or provides services to, a HIPAA-covered entity that involve the creation, receipt, maintenance, or transmission of PHI. 

What is a BAA?

A BAA is a written contract between a covered entity and a business associate that outlines the permitted uses and disclosures of PHI, requires the business associate to implement safeguards to protect PHI, mandates reporting of breaches, and obligates the return or destruction of PHI upon termination.

Can a business associate use PHI for any purpose?

No. The BAA restricts business associates to use PHI only as permitted by the contract or as required by law. Unauthorized use or further disclosure is prohibited.
