What are HIPAA business associates?

Are they held to the same healthcare privacy and security requirements as covered entities?

Any individual or entity that performs functions or activities on behalf of a covered entity that require access to PHI is considered a business associate, according to HHS. For example, your outside IT contractor that maintains the IS in your medical practice would be a business associate. Even the cloud service provider that runs your medical billing applications would be a business associate. Even the gig economy trunk slammer that your IT contractor sent over to replace your broken IT equipment would be a business associate. Do you have a written agreement in place for each associate? Do you know what a BAA really is?

This individual or organization may also provide services to a covered entity. Examples include a consultant who performs hospital utilization reviews or an attorney who has PHI access while providing legal services to a healthcare provider.

HITECH Is a Game Changer

The HIPAA Omnibus Rule known as HITECH changed how business associates are expected to maintain PHI security.

“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

Business associates can now also face repercussions similar to those covered entities face under HIPAA regulations should PHI be compromised in a healthcare data breach.

A business associate contract, or business associate agreement (BAA), is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”

A BAA should be on everybody’s checklist

See Our HIPAA Compliance Checklist


  • Marvin Isikuto

    Following your advice immediately. All of my contractors will be signing the form. By the way, do you know where I can get a good BAA template? — Marvin

  • Ed Wofu

    Where can I get a really good BAA Template???

  • oprol evorter

    Magnificent points altogether, you simply gained a new reader. What would you recommend about your post that you made some days ago? Any positive?

  • Felisha

    Hi there friends, nice post and good urging commented here, I am actually enjoying by these.

  • Sheri Hills

    Thank you for the good writeup. It if truth be told was an amusement account it.
    Look complex to far delivered agreeable from you! However, how can we communicate?

  • Thomas Graham

    Piece of writing writing is also a fun, if you know after that
    you can write otherwise it is complicated to write.

  • Kristi Bleakley

    Woah! I’m really enjoying the template/theme of this site.
    It’s simple, yet effective. A lot of times it’s difficult to get that “perfect balance” between usability and visual appearance.
    I must say that you’ve done a great job with this. Also,
    the blog loads super quick for me on Internet Explorer.
    Exceptional Blog!

