A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
HIPAA defines business associates as individuals or entities that perform, or assist in performing, activities that involve the use or disclosure of PHI. This includes claims processing, data analysis, quality assurance reviews, and more.
Employees of covered entities, internet service providers, and courier service partners are not considered business associates. However, a covered entity can be a business associate of another covered entity.
Business associate agreements are necessary because they help covered entities maintain HIPAA compliance. These agreements outline the permissible and impermissible uses of PHI, establish each party's liabilities, and specify the consequences of non-compliance.
According to HIPAA regulations, only certain entities are considered covered entities and are required to establish business associate agreements. These include health plans, healthcare clearinghouses, healthcare providers, hybrid entities, and other entities involved in healthcare services, care, or supplies.
When creating a business associate agreement, it is important to include certain key elements to ensure its effectiveness and compliance with HIPAA regulations.
After including the basic information, the agreement should address specific requirements related to HIPAA compliance.