Business Associate Agreements:
More Than Just a Template

How to get the best out of your BAAs

Business Associate Agreements (BAAs) are an essential part of any effective HIPAA compliance program. But understanding what a good BAA should and should not include isn’t as intuitive as understanding that you need one in the first place.

Business Associate Agreement

Below, we’ve compiled the basic components and definitions of a HIPAA Business Associate Agreement template for you to peruse. Keep in mind that BAAs are legally binding contracts, so it’s best to have a compliance expert, security officer, or lawyer review them before you finalize anything with your organization’s Business Associates (BAs).

Business Associates

But first, let’s define what exactly the HIPAA Rules consider a Business Associate (BA). According to guidance from the Department of Health and Human Services (HHS), a BA is:

“[A] person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”

Essentially, if an organization is hired to handle, use, distribute, or access protected health information (PHI), they likely qualify as a BA under HIPAA regulation.

The quick rule to remember with Business Associates: before you share PHI, you must have a BAA in place. A HIPAA Business Associate Agreement is the easiest way to protect your practice or organization in the event of a breach, which we’ll discuss in more detail below.

Compliancy Group’s web-based compliance solution, The Guard, comes equipped with everything you and your organization need to manage your HIPAA Business Associates.


Business Associate Agreements

BAAs are mandated by the HIPAA Security Rule. Business Associate Agreements consist of information regarding the permissible and impermissible uses of PHI between two HIPAA-beholden organizations. That can include relationships between a CE and a BA, as well as relationships between two BAs.

Business Associate Agreements should be heavily vetted against the HIPAA rules to ensure that they cover everything they’re meant to. In most cases, it’s best to use BAAs supplied by your HIPAA compliance solution. If you rely on a consultant or a security-based solution for your compliance, however, they probably won’t supply you with a BAA without additional charges.

In our case, the BAAs we give to our clients are fully vetted against the HIPAA rules, and included as a part of our total compliance solution. Our team of expert compliance coaches guide users through the entire Business Associate management portion of their compliance plan.

Who Needs a Business Associate Agreement?

Any Business Associate with whom you share PHI or ePHI in the course of the work they’ve been hired to do needs a Business Associate Agreement.

Here is a short list of some of the most common examples of Business Associates we see in the market. For the full list, visit our examples of Business Associates.

  • Medical billing services
  • IT service providers
  • Practice management
  • Cloud storage providers
  • Physical storage providers
  • EHR providers
  • Accountants
  • Attorneys
  • Shredding services
  • And many more

“We’re both beholden to federal HIPAA regulation.”

The first thing that a good BAA must include is an acknowledgement that the organization issuing it is beholden to HIPAA regulation. And the second thing it must include is an acknowledgement that the organization signing the BAA is beholden to HIPAA regulation.

This is a fairly intuitive idea: essentially, if both organizations agree that they fall under HIPAA, they can’t excuse themselves from liability by claiming they shouldn’t have to follow HIPAA regulation.