If your organization handles protected health information (PHI) on behalf of a covered entity, you're required by federal law to have a business associate agreement (BAA) in place. Under the Health Insurance Portability and Accountability Act (HIPAA), a BAA is a legally binding contract that defines how a business associate may use and disclose PHI, and what obligations they must fulfill to keep that information safe.
A poorly drafted agreement can leave both parties exposed to liability, regulatory penalties, and reputational damage. Here are some essential provisions every agreement should include.
1. Clear definition of "Protected Health Information"
The agreement should define what constitutes PHI in the context of the business relationship. Generally, the definition should include individually identifiable health information, whether electronic, paper, or oral, that relates to an individual's past, present, or future physical or mental health condition, healthcare services received, or payment for those services. Both parties need to know what data is subject to the agreement's protections so there's no confusion about scope.
2. Permitted uses and disclosures
According to 45 CFR §164.502(e)(3), "A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law." The agreement should specify:
- The specific services the business associate is performing
- Whether PHI may be used for the associate's own management or operations
- Whether PHI may be disclosed to subcontractors or agents
- Whether PHI may be used for data aggregation services
Per 45 CFR §164.504(e)(2)(i), the contract must "establish the permitted and required uses and disclosures of protected health information by the business associate." A business associate should only be authorized to use PHI in ways that are necessary to perform the contracted services.
3. Prohibited uses and disclosures
45 CFR §164.502(e)(3) also states that a business associate "may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity." It's worth noting that a business associate is also prohibited from receiving direct or indirect payment in exchange for PHI without the individual's written authorization, except in narrowly defined circumstances such as public health activities, research, or treatment. The remuneration restriction is addressed in the AHIMA Practice Brief on Business Associate Agreements.
4. Appropriate safeguards
The agreement must require the business associate to implement reasonable and appropriate administrative, physical, and technical safeguards to protect PHI. As per 45 CFR §164.504(e)(2)(ii)(B), the contract must require the business associate to "use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract." Subpart C is the HIPAA Security Rule, which includes conducting risk assessments, implementing access controls, using encryption where appropriate, and maintaining audit logs.
The AHIMA Practice Brief recommends that business associates maintain a written information privacy and security program, with documented policies and procedures that are reviewed and updated as laws and operational environments change.
5. Subcontractor requirements
If a business associate intends to share PHI with subcontractors or agents, the BAA must address this. Under 45 CFR §164.502(e)(1)(ii), "A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances... that the subcontractor will appropriately safeguard the information." Furthermore, 45 CFR §164.504(e)(5) makes clear that the full requirements of §164.504(e)(2) through (e)(4) apply to subcontractor arrangements "in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate." This is known as the "chain of trust" requirement under HIPAA.
Your agreement should specify that the business associate is responsible for ensuring subcontractor compliance and that it cannot outsource PHI-related work without first having appropriate agreements in place. The AHIMA Practice Brief further clarifies that business associates bear direct responsibility and liability to the covered entity for the actions of their subcontractors, meaning a breach at the subcontractor level flows back to the business associate.
6. Breach notification obligations
Under the HITECH Act, as codified at 45 CFR §164.410, business associates have a direct legal obligation to report breaches. Specifically, 45 CFR §164.410(a)(1) provides that "a business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach." On timing, 45 CFR §164.410(b) requires that notice be provided "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." Your BAA should incorporate these requirements and go further by specifying:
- What information must be included in the breach notification
- The business associate's obligations to investigate and mitigate the breach
- Cooperation requirements during any regulatory investigation
According to 45 CFR §164.410(c)(1), the notification must include "to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach."
The BAA should also address how a breach will be determined in the first place. The AHIMA Practice Brief describes a four-step risk assessment framework for breach determination:
- Evaluating the nature and extent of the PHI involved,
- Identifying the unauthorized person who accessed or received it,
- Determining whether the PHI was actually acquired or viewed, and
- Assessing the extent to which risk has been mitigated.
7. Individual rights and access
Covered entities have obligations under HIPAA to honor individuals' rights regarding their PHI. Under 45 CFR §164.504(e)(2)(ii)(E)-(G), the BAA must require the business associate to "make available protected health information in accordance with §164.524". The contract must also require the business associate to "make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526," and to "make available the information required to provide an accounting of disclosures in accordance with §164.528".
The AHIMA Practice Brief provides useful practical guidance, recommending that the BAA specify response timeframes, for example, requiring the business associate to make PHI available for inspection and copying within five business days of a covered entity's request.
8. Availability of books and records
The BAA should require the business associate to make its internal practices, books, and records relating to the use and disclosure of PHI available to the U.S. Department of Health and Human Services (HHS) upon request. According to 45 CFR §164.504(e)(2)(ii)(H), to the extent the business associate carries out a covered entity's obligations under the Privacy Rule, it "must comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation." This is a standard HIPAA requirement but must be explicitly included in the agreement to be enforceable.
9. Term and termination
A BAA should define its duration and the conditions under which either party may terminate the agreement. Include:
- The start and end date of the agreement
- Circumstances under which the covered entity may terminate (such as a material breach by the business associate)
- A cure period allowing the business associate to remedy a breach before termination
- What happens to PHI upon termination, specifically, the obligation to return or destroy all PHI
Under 45 CFR §164.504(e)(2)(ii)(J), the BAA must require the business associate to, upon termination of the contract, "Return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity" and "retain no copies of such information." If return or destruction is not feasible, the BAA must extend the protections of the agreement to that PHI for as long as it is retained.
The AHIMA Practice Brief also recommends that BAAs and all related HIPAA compliance documentation be retained for a minimum of six years from the date of creation or the date the agreement was last in effect.
10. Governing law and dispute resolution
Like any commercial contract, a BAA should identify the governing law and specify how disputes will be resolved, whether through arbitration, mediation, or litigation.
11. Amendment provisions
The Department of Health and Human Services periodically issues new guidance, and Congress has amended HIPAA more than once, most significantly through the HITECH Act, which expanded business associate liability and added direct breach notification obligations. A BAA should include a provision requiring both parties to amend the agreement as necessary to comply with any future changes in applicable law.
The AHIMA Practice Brief echoes this point, noting that state and federal data security and privacy laws continue to change, and that parties to a BAA should specifically commit to taking action as needed to implement new standards and requirements as they emerge.
12. Workforce training
The AHIMA Practice Brief recommends that BAAs include a commitment from the business associate to implement a training program covering HIPAA privacy, security, and breach notification requirements for all workforce members, agents, and subcontractors who handle PHI. In some arrangements, the covered entity may require the business associate's workforce to complete the covered entity's own training curriculum.
Related: HHS, Sample Business Associate Agreement Provisions
FAQs
Do all vendors who work with a healthcare organization need a BAA?
Only vendors who actually create, receive, maintain, or transmit PHI on behalf of a covered entity require a BAA.
Can a BAA be verbal rather than written?
No, HIPAA requires the covered entity to obtain a business associate agreement in writing, meaning a verbal agreement has no legal standing under the rule.
What happens if a covered entity discovers it has been operating without a BAA?
The covered entity should execute a BAA immediately, as operating without one is a direct HIPAA violation that can trigger civil monetary penalties from HHS regardless of whether a breach occurred.
Is a standard HHS model BAA template sufficient for most organizations?
While HHS provides a model agreement as a starting point, most organizations will need to customize it to reflect their specific services, data flows, subcontractor relationships, and risk profile.