Business Associate Agreements: More Than Just a Template
How to get the best out of your BAAs
Business Associate Agreements (BAAs) are an essential part of any effective HIPAA compliance program. But understanding what a good BAA should and should not include isn’t as intuitive as understanding that you need one in the first place.
Below, we’ve compiled the basic components and definitions of a HIPAA Business Associate Agreement template for you to peruse. Keep in mind that BAAs are legally binding contracts, so it’s best to have a compliance expert, security officer, or lawyer help you before finalizing anything with your organization’s Business Associates (BAs).
Business Associates
But first, let’s define what exactly the HIPAA Rules qualify as a Business Associate (BA). According to guidance from the Department of Health and Human Services (HHS), a BA is:
“[A] person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”
Essentially, if an organization is hired to handle, use, distribute, or access protected health information (PHI), it likely qualifies as a BA under HIPAA regulation.
The quick rule to remember with Business Associates: before you share PHI, you must have a compliant BAA in place. A HIPAA Business Associate Agreement is the easiest way to protect your practice or organization in the event of a breach, which we’ll discuss in more detail below.
Compliancy Group’s web-based compliance solution, The Guard, comes equipped with everything you and your organization need to manage your HIPAA Business Associates.