Business associate agreement provisions


In our last post, we covered the HIPAA Privacy Rule and how it applies to Business Associates. In this post, we’ll cover the Business Associate Agreement, which is a written contract between a covered entity and a Business Associate and is required for HIPAA compliance.

Business Associate Agreement for HIPAA Compliance

The Business Associate Agreement (BAA) has 10 provisions that must be covered:

  1. Determine the amount of protected health information (PHI) the Business Associate is allowed to disclose.
  2. Assure that the Business Associate will not use or release PHI other than as required by the contract or by law.
  3. Require the Business Associate to use appropriate safeguards to prevent unauthorized access to PHI. This is especially important when it comes to electronic protected health information, or ePHI. The Business Associate must make sure high encryption standards are always in place and that hackers don’t penetrate its systems.
  4. Compel the Business Associate to report to the covered entity any data breaches of unsecured protected health information.
  5. Make sure the Business Associate releases protected health information when a patient asks for it.
  6. Define which components of the HIPAA Privacy Rule the Business Associate is responsible for and make sure it complies with those requirements.
  7. Require the Business Associate to make its internal practices, books, and records available to the U.S. Department of Health and Human Services.
  8. At termination of the contract, require the Business Associate to return or delete all protected health information it received from the covered entity.
  9. If the Business Associate uses subcontractors that have access to protected health information, require the Business Associate to make sure those subcontractors also sign a Business Associate Agreement.
  10. Allow the covered entity to terminate the agreement if the Business Associate violates a material term of the contract.

Is a Business Associate Agreement required?

Page 3 of the HIPAA Privacy Rule Summary states that, “when a covered entity uses a contractor or other non-workforce member to perform ‘business associate’ services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement.”

In other words, if you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law. If you are dealing with a vendor that stores electronic protected health information for you and does not ask for or require a Business Associate Agreement, that’s a recipe for fines and penalties.

Fines for Lack of a Business Associate Agreement

In 2012, Phoenix Cardiac Surgery agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 penalty for violations of the HIPAA Privacy Rule. Upon investigation, it was revealed that, “Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.”

We Understand the Business Associate Agreement

Here at Paubox, each plan comes with a Business Associate Agreement. We understand the HIPAA Privacy Rule. We understand our duties and responsibilities as a Business Associate. And we understand what it takes to execute a Business Associate Agreement.


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
