Last week I introduced the essentials of the Business Associate Agreement (BAA) and why it is important. The BAA delineates the responsibilities of the parties signing the document, ensuring each party knows its role in protecting the electronic health records. The HIPAA rules require that covered entities (health care providers) and business associates enter into contracts to ensure that the business associates properly safeguard protected health information.

First, what or who is a Business Associate? A “business associate” is a person or an organization, other than an employee of a covered entity, who engages in activities on behalf of, or provides services to, a covered entity that involve access by the business associate to protected health information. A “business associate” can also be a subcontractor that originates, transmits, or processes protected health information on behalf of another business associate.

Like any good agreement, the BAA starts with a glossary of terms to ensure both parties understand the terminology. The key terms should be included and can simply reference the definitions published on the HHS.gov site.

  1. Data Aggregation
  2. Designated Record Set
  3. Electronic Health Record
  4. Health Care Operations
  5. HITECH Act
  6. Privacy Rule
  7. Protected Health Information
  8. Required By Law
  9. Secretary
  10. Security Rule
  11. Subject Matter
  12. Unsecured Protected Health Information

The next section will outline the obligations of the business associates or partners in the endeavor.

  • Mutual responsibilities include each business associate notifying the other if they notice any suspicious activity or a breach in security
  • Who is responsible for encrypting the PHI data
  • What access rights to the PHI each party has
  • What PHI data can be disclosed by each party to others
  • Disposition of the PHI after the term is completed

As all good agreements do, the BAA should include the term or duration. Without a clearly defined term, it is hard to determine when the agreement ends. Finally, the agreement should define the jurisdiction and the locale that will handle disagreements or disputes between the business associates.

The business associate agreement doesn’t need to be daunting. You can talk to your attorney, who will charge you a hefty rate for producing a HIPAA agreement, so you should consider buying a boilerplate template from a lawyer who specializes in HIPAA and sells ready-made HIPAA agreements at a far lower price, since they sell in volume online. You can always have your attorney review the boilerplate template to ensure it is tailored to meet your particular needs.

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.