Business Associate Agreement (BAA) Requirements¶
Overview¶
Business Associate Agreements are contracts required by HIPAA whenever you share Protected Health Information (PHI) with vendors and service providers. Understanding when you need a BAA—and what it must contain—protects your practice from compliance violations.
[!CAUTION] Review BAAs with Legal Counsel: While this guide explains BAA requirements, these are legal contracts with significant implications. Have a healthcare attorney review any BAA before signing, especially if a vendor provides their own template. Ensure the terms adequately protect your practice and meet current HIPAA requirements.
Prerequisites¶
- Understanding of HIPAA basics (see HIPAA Compliance Basics)
- List of vendors you use or plan to use
- Basic understanding of your data flows
What Is a Business Associate?¶
Definition¶
A Business Associate (BA) is any person or entity outside your own workforce that:
- Performs functions or activities on your behalf that involve PHI, OR
- Provides services to you that require access to PHI
You Are the Covered Entity¶
As a healthcare provider that conducts standard electronic transactions (such as electronic claims or eligibility checks), you're a "Covered Entity" under HIPAA; see HIPAA Compliance Basics if you are unsure whether your practice meets that definition. When you share PHI with Business Associates, you must have a BAA in place before the PHI is shared.
When You Need a BAA¶
Common Business Associates in DPC¶
| Vendor Type | Example Services | BAA Required? |
|---|---|---|
| EMR/EHR provider | Elation, Atlas, Practice Fusion | Yes |
| Billing service | If outsourcing billing | Yes |
| Cloud storage | Google Workspace, Dropbox | Yes (if storing PHI) |
| Email service | Gmail, Outlook | Yes (if sending PHI) |
| Scheduling software | If contains patient info | Yes |
| Telehealth platform | Doxy.me, Zoom for Healthcare | Yes |
| Answering service | If takes patient messages | Yes |
| IT support | If accessing systems with PHI | Yes |
| Shredding company | Document destruction | Yes |
| Lab company | Quest, Labcorp | Usually no for ordering tests (a disclosure to another provider for treatment); yes if they provide other services, such as hosting your data or a portal |
| Consultant | If accessing PHI | Yes |
| Attorney | If accessing PHI | Yes |
| Accountant | Generally no (unless accessing PHI) | Usually no |
When You DON'T Need a BAA¶
Treatment relationships (disclosures to another provider for the patient's treatment do not require a BAA):
- Specialists you refer to (they're covered entities themselves)
- Hospitals, pharmacies, clinical labs (covered entities)

Non-PHI services:
- Janitorial services (unless accessing PHI)
- General IT that doesn't access patient data
- Office supplies
- Utilities

Patient-directed disclosures:
- When a patient requests that you send their records somewhere
Starting Lean: BAA by Stage¶
Stage 1: Just Starting (0-25 Patients)¶
Priority BAAs:
- EMR/EHR (if using one)
- Email provider (if sending PHI)
- Cloud storage (if storing PHI)
- Telehealth platform (if using)

Reality: Many DPC-focused and HIPAA-compliant services have BAAs ready to sign. Don't overcomplicate.
Stage 2: Growing (25-75 Patients)¶
Add:
- Lab services (only if the lab provides services beyond test ordering, such as hosting your data)
- Any new technology vendors
- Answering service (if applicable)
- IT support (if applicable)
Stage 3: Established (75+ Patients)¶
Systematize:
- BAA tracking system
- Annual vendor review
- Renewal management
- Compliance verification
Required BAA Elements¶
What Must Be in a BAA¶
HIPAA requires specific provisions:
1. Permitted Uses and Disclosures
   - What the BA can do with PHI
   - Must specify purposes
2. Prohibited Uses
   - BA cannot use PHI except as permitted by the BAA or required by law
   - Cannot disclose except as permitted
3. Safeguards
   - BA must implement appropriate administrative, physical, and technical safeguards
   - Prevent unauthorized use or disclosure
4. Reporting Requirements
   - BA must report any use or disclosure not permitted by the BAA
   - Report security incidents
   - Report breaches of unsecured PHI to you
5. Subcontractor Requirements
   - BA must get BAAs with its own subcontractors that handle your PHI
   - Ensure the same protections flow down
6. Access to Information
   - BA must make PHI available to you
   - Support patient access rights
7. Amendment Support
   - BA must support amendments to PHI
   - Incorporate changes when required
8. Accounting of Disclosures
   - BA must provide disclosure information
   - Support your accounting obligations
9. HHS Access
   - BA must make its internal practices, books, and records available to HHS
   - Allow compliance audits
10. Return or Destruction
    - When the relationship ends: return or destroy PHI
    - If not feasible: continue protections for as long as the PHI is retained
11. Breach Notification
    - Specific notification requirements and timelines for reporting to you
    - HIPAA's outer limit for a BA to notify you is 60 calendar days after discovery; you may negotiate a shorter period
Getting BAAs¶
From Major Vendors¶
Most established vendors have BAAs ready:
- Usually found on the website
- May be part of the service agreement
- May need to be requested specifically
- Sometimes in account settings

Where to look:
- "Legal" or "Terms" section of the website
- "HIPAA" or "Compliance" page
- Account settings or admin panel
- Customer support
Common Vendor BAA Availability¶
| Vendor | BAA Availability |
|---|---|
| Google Workspace | Available (must enable and accept) |
| Microsoft 365 | Available (part of terms) |
| Zoom for Healthcare | Available (healthcare-specific plan) |
| Doxy.me | Automatic with account |
| Elation Health | Part of service agreement |
| Atlas.md | Part of service agreement |
| Practice Fusion | Part of service agreement |
| Hint Health | Part of service agreement |
If No BAA Available¶
Options:
1. Request that they provide one
2. Provide your own BAA for them to sign
3. Choose a different vendor
4. Don't use them for PHI
Red flag: If a vendor won't sign a BAA and you need to share PHI with them, don't use them.
Sample BAA Provisions¶
Key Sections¶
Permitted Uses:
Business Associate may use or disclose Protected Health Information only as necessary to perform the services described in [Service Agreement], or as Required by Law.
Security Requirements:
Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of Protected Health Information.
Breach Notification:
Business Associate shall notify Covered Entity of any Breach of Unsecured Protected Health Information without unreasonable delay, and in no case later than 30 days after discovery of the Breach.
Note: HIPAA itself allows a BA up to 60 calendar days after discovery to notify you. A shorter contractual period like the 30 days above leaves you more of your own 60-day window to notify affected patients.
Termination:
Upon termination of this Agreement, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.
Managing BAAs¶
Tracking System¶
Simple tracking (spreadsheet):
- Vendor name
- Service provided
- BAA signed date
- BAA expiration (if applicable)
- Location of signed BAA
- Review date
What to Track¶
| Field | Purpose |
|---|---|
| Vendor Name | Identification |
| Service | What they do |
| PHI Access | What PHI they access |
| BAA Date | When signed |
| Expires | When to renew |
| File Location | Where to find signed copy |
| Contact | Who to contact |
| Last Reviewed | Ongoing monitoring |
Annual Review¶
Annually:
- Confirm all current vendors have BAAs
- Check for any BAA expirations
- Review whether vendors still need PHI access
- Update the tracking system
- Terminate unused vendors properly
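A minimal way to run these annual checks over the tracking spreadsheet, as an added example that is not part of the original guide: it reads the fields from the "What to Track" table as CSV and reports vendors that need attention (PHI access with no signed BAA, expired or soon-expiring BAAs, overdue reviews, and terminated vendors whose 6-year retention period has ended). The rows are constructed sample data, and the column names, the 60-day renewal warning window, and the `audit_sample` helper are assumptions for this example.

```python
"""Flag BAA problems in a simple vendor register (added example, not the guide's own tool)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample register; column names are an assumption based on the
# "What to Track" table. Dates are ISO (YYYY-MM-DD); an empty cell means "none".
SAMPLE_REGISTER = """\
vendor,service,phi_access,baa_date,expires,file_location,contact,last_reviewed,terminated
Elation Health,EHR,yes,2024-02-01,,baa/elation.pdf,support@example.test,2025-01-15,
Doxy.me,Telehealth,yes,2024-03-10,2025-03-10,baa/doxy.pdf,legal@example.test,2024-03-10,
Acme Answering,After-hours messages,yes,,,,,,
Zoom for Healthcare,Telehealth backup,yes,2024-07-01,2025-07-01,baa/zoom.pdf,,2025-01-01,
Old Storage Co,Cloud storage,yes,2018-06-01,,baa/oldstorage.pdf,,2019-06-01,2019-05-31
Office Supplies Inc,Paper and toner,no,,,,,,
"""

RETENTION_YEARS = 6               # HIPAA documentation retention after last effective date
REVIEW_INTERVAL = timedelta(days=365)
RENEWAL_WARNING = timedelta(days=60)  # assumed lead time for starting a renewal


def _parse_date(value):
    value = value.strip()
    return date.fromisoformat(value) if value else None


def _add_years(d, years):
    """Add whole years, clamping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit_register(csv_text, today):
    """Return (vendor, issue) tuples for rows that need attention, in row order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"]
        if row["phi_access"].strip().lower() != "yes":
            continue  # no PHI access means no BAA is needed; nothing to check

        signed = _parse_date(row["baa_date"])
        expires = _parse_date(row["expires"])
        reviewed = _parse_date(row["last_reviewed"])
        terminated = _parse_date(row["terminated"])

        if terminated:
            # Keep the signed BAA for 6 years after termination; flag when that window ends.
            retention_end = _add_years(terminated, RETENTION_YEARS)
            if today >= retention_end:
                findings.append((vendor, f"6-year retention period ended {retention_end.isoformat()}"))
            continue

        if signed is None:
            findings.append((vendor, "PHI access but no signed BAA"))
            continue  # nothing else to check until a BAA exists

        if expires and expires <= today:
            findings.append((vendor, f"BAA expired on {expires.isoformat()}"))
        elif expires and expires - today <= RENEWAL_WARNING:
            findings.append((vendor, f"BAA expires on {expires.isoformat()}; start renewal"))

        if reviewed is None or today - reviewed > REVIEW_INTERVAL:
            findings.append((vendor, "annual review overdue"))
    return findings


def audit_sample(today_iso="2025-06-01"):
    """Run the audit over the constructed register as of a given date."""
    return audit_register(SAMPLE_REGISTER, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for vendor, issue in audit_sample():
        print(f"{vendor}: {issue}")
```

Run it as-is to see the constructed register audited as of 2025-06-01; point `audit_register` at your own exported CSV and today's date for a real review. Rows with no PHI access are skipped, and a vendor with no signed BAA is reported once rather than also being flagged for review, since the missing BAA is the blocking issue.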
When Vendors Change¶
New Vendor Onboarding¶
- Determine if PHI will be shared
- If yes, obtain BAA before sharing any PHI
- Sign BAA
- Add to tracking system
- Then begin service
Vendor Termination¶
- Notify vendor of termination
- Request return or destruction of PHI
- Get confirmation
- Update tracking system
- Keep the signed BAA on file for at least 6 years after it was last in effect
Common BAA Mistakes¶
Mistake 1: Assuming You Have One¶
Problem: Using service without checking for BAA. Solution: Verify BAA is in place before sharing PHI.
Mistake 2: Using Consumer Versions¶
Problem: Using consumer Gmail, Dropbox, etc. instead of business versions with BAA. Solution: Use business/enterprise versions that offer BAAs.
Mistake 3: Not Reading the BAA¶
Problem: Signing without understanding the terms. Solution: Review the key provisions, especially breach notification timelines, subcontractor flow-down, and return or destruction of PHI at termination.
Mistake 4: Forgetting Subcontractors¶
Problem: BA uses subcontractors without your knowledge. Solution: BAA should require BA to get BAAs with subcontractors.
Mistake 5: No Tracking System¶
Problem: Losing track of which vendors have BAAs. Solution: Maintain simple tracking spreadsheet.
Your Responsibilities¶
Before Sharing PHI¶
- Confirm BAA is in place
- Verify vendor's security practices (at least generally)
- Share only minimum necessary PHI
Ongoing¶
- Monitor for vendor security issues
- Address any reported incidents
- Annual vendor review
- Update as relationships change
If Vendor Reports Breach¶
- Respond promptly
- Investigate
- Determine if breach notification required
- Document everything
Checklist: BAA Management¶
Initial Setup¶
- List all vendors with PHI access
- Verify BAA status for each
- Obtain missing BAAs
- Create tracking system
- Store signed BAAs securely
For Each New Vendor¶
- Determine if PHI access needed
- Request BAA before sharing any PHI
- Review BAA provisions
- Sign BAA
- Add to tracking system
- Begin service
Ongoing¶
- Annual vendor review
- Check BAA expirations
- Monitor for new vendors
- Respond to any vendor incidents
- Update tracking as needed
Vendor Termination¶
- Request PHI return/destruction
- Get confirmation
- Update tracking
- Retain the signed BAA for at least 6 years after it was last in effect
Resources¶
- HIPAA Compliance Basics - Foundation
- Privacy Practices Guide - Overall privacy
- HHS Model BAA - Template language
- Your attorney - Custom BAA review
Next Steps¶
After establishing BAA processes:
- Incident Response Plan - Handling breaches
- Required Documentation - Documentation requirements