What exactly is a Business Associate and why do we need an agreement?

Think about any entity or individual you allow access to your patient information (Protected Health Information, or PHI) so they can do their job. This could be anyone from an IT company to your practice management system, even your collections agency. Wouldn’t it be nice to know these companies are taking precautions to safeguard your patients’ PHI? This is exactly what a Business Associate Agreement (BAA) is for!

We’re going to delve into the ins and outs of BAAs and who exactly you need them with. There are several standards in the Federal Register that address what these are and why they’re needed.

Administrative Safeguards – § 164.308(b)(1) Business Associate Contracts and Other Arrangements – A covered entity, in accordance with §164.308, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information.

Implementation Specifications – § 164.314(a)(2)(i) Business Associate Contracts – The contract between a covered entity and a business associate must provide that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.

With the HIPAA Omnibus Rule, Business Associates are more responsible and accountable than ever before for protecting your data. It is essential to have a contract in place to ensure your Business Associate takes responsibility for obtaining, maintaining and protecting your patients’ electronic protected health information (ePHI). Below is a great start* on who you should have a BAA with:

Absolutely:
  • IT Service Provider
  • Vendor Support (i.e. Schein, Patterson, etc.)
  • Appointment Reminder Company
  • Document Shredding Company
  • Email Provider
  • Collections Agency

Not Necessary:
  • Another Covered Entity (Doctor or Specialist you’re referring to)
  • Cleaning Crew
  • Consultants not interacting with PHI
  • Cleaning Crew
  • Insurance Companies
  • Dental Labs

*Not to be considered a complete list

Some larger companies may provide their own BAA to you. This is normal, but beware of loopholes! You will want to ensure a couple of things:

  • The BAA is updated with the latest amendments (including the Final Omnibus Rule of 2013).
  • Subcontractor clause: confirm that your Business Associates take responsibility for executing a BAA with their own subcontractors.
  • Liability/assumption of financial responsibility in the event they cause a breach through their mishandling of PHI.

Covered entities and business associates may be in violation of HIPAA if there is no required BAA in place! For more info, and sample BAA templates, check out www.hhs.gov/hipaa.

Laura Miller Aspida

Laura Miller is Compliance Manager of Aspida, which has quickly established itself as an industry leader in providing compliance and security products and services for healthcare providers. Their first product to market, Aspida Mail, offers medical practices affordable encrypted email without compromising security. Miller has over 8 years of experience in the healthcare industry, including 3 years with a primary focus on HIPAA compliance procedures.