What is a BAA?
This document explains the purpose of a Business Associate Agreement (BAA).
What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a formal, written contract required under HIPAA when a Covered Entity (such as a medical practice, clinic, or health plan) or Business Associate shares Protected Health Information (PHI) with a third-party vendor.
BAA Breakdown
- Contractual Requirement: BAAs are essential legal documents that ensure vendors who access, transmit, or store PHI uphold the same security and privacy standards required of the Covered Entity/Business Associate.
- Mitigating Risk: The BAA serves to manage the risk that arises when third-party vendors interact with PHI.
- Content: The BAA outlines the permissible uses and disclosures of PHI by the Business Associate and details the security practices they must implement.
When a BAA is Necessary
A BAA is generally required for any third-party service that accesses, stores, or shares sensitive data such as PHI.
- If an organization (the Covered Entity or Business Associate) shares PHI with a partner, they must have a BAA in place with that partner.
- Example: clients using tools like Google Suite or HubSpot for communication or as a CRM must sign a BAA with those platforms if PHI is involved.
If one of your BAs is not HIPAA compliant, which you can determine through Risk Questionnaires, you should consider doing business with a different third party, or ensure that no PHI is handled by that service.
If one of your BAs has a breach that affects your company's PHI, you could also be liable.
When a BAA May Not Be Required
Not all third parties require a BAA. For example, some organizations clarify that the BAA does not necessarily apply to all contractors, such as a cleaning person, unless they handle PHI.