
What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and a business associate that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. The same kind of agreement is required between a business associate and any subcontractor it passes PHI to. Its purpose is to obtain the written assurances HIPAA requires that PHI will be used, disclosed, and safeguarded only as the HIPAA rules permit.


Who is considered a business associate?

HIPAA defines a business associate as a person or organization, other than a member of the covered entity's workforce, that performs functions or activities on behalf of a covered entity, or provides services to it, that involve access to PHI. Examples include claims processing, billing, data analysis, utilization review, quality assurance reviews, and legal, accounting, consulting, and data storage services.

Employees of a covered entity are part of its workforce and are not business associates. Organizations that merely transport PHI without accessing it, such as internet service providers and courier services, fall under the "conduit" exception and are not business associates either; the exception is narrow, and a cloud or hosting provider that stores PHI is a business associate even if the data is encrypted and the provider never looks at it. A covered entity can also be a business associate of another covered entity when it performs such services for it.

Read more: What does it mean to be a business associate? 


Why are business associate agreements necessary?

Business associate agreements are necessary because the HIPAA Privacy Rule prohibits a covered entity from sharing PHI with a business associate until it has obtained satisfactory written assurances that the PHI will be protected. Sharing PHI without a BAA in place is itself a violation for the covered entity. The agreement defines the permitted and prohibited uses and disclosures of PHI, sets out each party's obligations and liabilities, and specifies the consequences of non-compliance. Business associates are also directly liable under HIPAA for certain requirements, such as the Security Rule, regardless of what the contract says.

Under HIPAA, only covered entities are required to obtain business associate agreements. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a standard transaction such as a claim or eligibility check. An organization whose operations include both covered and non-covered functions may designate itself a hybrid entity, in which case only its healthcare components are subject to the rules.

Read also: How to know if you’re a covered entity 


Creating a business associate agreement

When creating a business associate agreement, it is important to include certain key elements to ensure its effectiveness and compliance with HIPAA regulations.

Basic information

  • Date: Include the effective date and the signing date so it is clear when the obligations begin.
  • Names of the parties: State the full legal names of the covered entity and the business associate, not trade names or abbreviations.
  • Acceptance: Specify how the parties indicate acceptance of the terms, such as wet-ink signatures or electronic signatures.

Business associate agreement-specific requirements

After including the basic information, the agreement should address specific requirements related to HIPAA compliance.

  • Acknowledgment: State that the relationship is subject to HIPAA and that both parties accept the obligations and liability that follow from it.
  • Nature of PHI involved: Describe the specific types of PHI the business associate and its subcontractors may access, and require the business associate to bind any subcontractor that handles PHI to the same restrictions through its own written agreement.
  • Permissible vs. impermissible: Define the uses and disclosures of PHI the business associate is permitted to make, limited to what the covered entity itself could lawfully do under the Privacy Rule, and prohibit all others.
  • Liability and consequences: State each party's responsibilities and the consequences of an impermissible use or disclosure of PHI, including the covered entity's right to terminate the agreement if the business associate violates a material term.
  • Safeguards and compliance: Require the business associate to implement the administrative, physical, and technical safeguards of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic PHI, and to report any security incident it becomes aware of.
  • Employee HIPAA training: Establish a protocol for HIPAA training so that both parties' employees and subcontractors understand their obligations in safeguarding PHI.
  • Data breach procedures: Set out the steps to follow after a breach of unsecured PHI, including how the business associate notifies the covered entity (HIPAA requires notice without unreasonable delay and no later than 60 days after discovery), what details the notice must contain, and how the parties will mitigate harm and prevent further unauthorized access.
  • PHI return and destruction: Describe how PHI will be returned or destroyed when the agreement ends and, where return or destruction is not feasible, require the business associate to keep protecting that PHI for as long as it retains it.

Related: Business associate agreement provisions 

See also: HIPAA Compliant Email: The Definitive Guide 
