
Why is a Business Associate Agreement (BAA) needed?


If your organization is a "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA), you must sign Business Associate Agreements (BAAs) with every vendor or subcontractor that handles patients' protected health information on your behalf, to ensure that data is properly protected.

Vendors who create, receive, maintain, or transmit protected health information (PHI) while providing a service to or on behalf of a covered entity are considered business associates. Examples include companies specializing in hosting, software development, data destruction, transcription, or billing.

HIPAA mandates Business Associate Agreements (BAAs) to outline acceptable and unacceptable uses of PHI between involved parties. They also delineate responsibilities and consequences for non-compliance with established requirements.

If you want to know what a BAA is, who needs one, and what one looks like in practice, keep reading. We also provide an overview of the HIPAA guidelines and a toolkit covering the essentials of the US regulations: who must comply with HIPAA, who enforces it, and how to choose a HIPAA-compliant service provider.

What is a HIPAA Business Associate Agreement?

A Business Associate Agreement is a mandatory requirement of HIPAA that aims to safeguard protected health information (PHI) when outsourcing tasks. It establishes a legally binding relationship between:

  • A covered entity and a business associate company.

  • A business associate company of a covered entity and its subcontractor.

This creates a chain of responsibilities that ensures all parties are committed to data protection.

What is the structure of a BAA? At a minimum, these contracts must cover the following three points:

  1. Description of how the business associate will handle PHI. It specifies how the data will be used and whether, and to whom, it may be disclosed.

  2. Limits. It specifies what the business associate may not do with PHI, including any use or disclosure not permitted by the agreement.

  3. Definition of the appropriate safeguards the business associate must implement to prevent any use or disclosure of PHI other than those permitted in the first point.

What is the purpose of a Business Associate Agreement (BAA)?

The purpose of signing a Business Associate Agreement (BAA) is to establish criteria for the use, storage, and distribution of PHI between covered entities and their vendors to prevent information leaks.

BAAs outline service characteristics, response times to incidents, and expectations for recovery in case of such contingencies. Additionally, they describe the correct and incorrect uses of PHI and specify consequences for violations for all involved parties.

Who needs HIPAA business associate agreements?

HIPAA defines the following organizations as covered entities, all of which must have BAAs in place with their business associates:

  • Health plans, including health insurance companies.

  • Healthcare clearinghouses.

  • Healthcare providers (hospitals, clinics, practices, pharmacies) that transmit health information electronically in connection with standard transactions such as claims or eligibility checks.

  • Hybrid entities, such as universities with academic medical centers, for the parts of the organization that perform covered functions.

On the other hand, not every vendor that works for a covered entity is a business associate. A vendor needs a BAA only if it:

  • Performs or assists in activities involving the use or disclosure of PHI, such as claims processing, data analysis, quality control reviews, and utilization reviews.

  • Provides actuarial, consulting, legal, data aggregation, accreditation, management, administrative, or financial services to a covered entity in a way that involves the disclosure of PHI.

Members of a covered entity's own workforce are not business associates. Nor are organizations that merely transmit PHI without otherwise accessing it, such as internet service providers or postal and courier services (the so-called conduit exception). That exception is narrow: a cloud or hosting provider that stores PHI is a business associate even if the data is encrypted and the provider never reads it. Note also that a covered entity can be a business associate of another covered entity.

What information does a BAA contain?

The document signed under a BAA agreement must contain key data to comply with HIPAA guidelines. These include:

  • Date.

  • Full names of the individuals and institutions involved.

  • Acceptance of terms and conditions.

  • Legal framework declaration: HIPAA.

  • Description of the type of PHI to which access is granted.

  • Definition of permissible and impermissible uses of PHI.

  • Explanation of responsibilities and consequences.

  • Protocol for training individuals handling PHI under HIPAA.

  • Protocol for action in case of data breach.

  • Procedure for returning or destroying PHI.

  • Signatures of the involved parties.

Who typically signs a BAA? In general, an officer authorized to bind each organization signs the document and is responsible for ensuring compliance within that institution. In an agreement between individuals, the individuals themselves are responsible for honoring their commitments.

What is the difference between a BAA and an NDA?

A BAA and an NDA differ in their scope. The BAA is specifically designed to satisfy HIPAA, focusing on the protection of health information. An NDA, by contrast, can be used in many fields, such as business, technology, entertainment, and human resources.

An NDA, or non-disclosure agreement, is a legal contract that establishes a confidential relationship between a party holding sensitive information it does not want disclosed and a person or institution that will have access to that information. For instance, a company might require its finance staff to sign an NDA to safeguard billing and revenue data. An NDA does not satisfy HIPAA's requirement for a BAA, however: a vendor that handles PHI needs a BAA even if an NDA is already in place.

What happens if you don't have a BAA?

If you lack the resources or know-how to sign a BAA, you are likely to miss out on business opportunities: companies in the healthcare or health tech industry will choose another provider that can establish one.

The risks of working with companies that do not comply with HIPAA are significant. The Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) investigates complaints and breach reports and conducts audits, and violations can lead to hefty penalties. Civil fines are tiered by level of culpability and can reach $1,500,000 per calendar year for violations of an identical provision (the figures are adjusted annually for inflation). Since the 2013 Omnibus Rule, business associates are directly liable for their own compliance, so both parties carry the risk. Severe cases may also involve non-monetary measures, such as corrective action plans, and knowing violations can be referred for criminal prosecution.

What is an example of a business associate of a HIPAA-covered entity?

An example of a business associate of a HIPAA-covered entity is a technology company (fictional name Sky) providing cloud data storage services to a clinic. The clinic, as a covered entity, is responsible for protecting the privacy and security of all of its patients' medical information.

To improve data protection, efficiency, and accessibility, the clinic outsources its storage to Sky, which means Sky will store, and therefore have access to, patient medical information.

In this situation, both parties must sign a business associate agreement outlining the terms of access, data protection measures, permissible uses, and penalties for non-compliance.

At XOOR, we comply with HIPAA regulations. All our teams have been trained, passed a knowledge validation exam, and are approved to work on projects involving PHI. We are accredited providers authorized to sign business associate agreements and are highly committed to data security and prevention of information breaches. Schedule a meeting and let's start working together!