Image credit: Spectral / 123RF Stock Photo


So, by this time business associates should have signed the updated BAA [business associate agreements]. The deadline to sign the new business associate agreement was September 23rd. Did you read the agreement? Do you know what it says? It is an agreement; so what is everyone agreeing to? Have business associates asked you what the agreement means?


Here is a general overview of the required provisions of business associate agreements. The HIPAA Rule governs what provisions are included in the business associate agreement. HIPAA says that covered medical providers, health plans, and clearinghouses must enter into business associate agreements with the service providers that use protected health information to perform services on their behalf. So, for example, if you are a covered entity and you hire a person or an entity to handle your billing, and those you hired are privy to protected health information as part of performing the billing services, a business associate agreement must be signed.

HIPAA doesn’t just say to sign any agreement. It says to sign an agreement with these obligations. The Department of Health and Human Services has published sample provisions that must be included in the business associate agreement. The sample language can be integrated into your business associate agreement, or you can draft your own language, but the set obligations must be included. And, if you want, you can add your own provisions in addition to the required provisions. That is fine too.

What are the required provisions? The provisions cover 3 major obligations.


1. Facilitation of Patient Rights: Business Associates must cooperate in facilitating patients’ HIPAA privacy rights, including:

• Receiving an accounting of protected health information disclosures

• Amending protected health information

• Authorizing and retracting authorization of protected health information disclosures


2. Completing and Implementing a Risk Analysis, Policies, and Procedures: Business Associates must implement the safeguards, policies, and procedures. Just like medical providers, medical plans, and clearinghouses, Business Associates have to conform and comply with the HIPAA Rules.


3. Reporting Breaches and Liability: Business Associates are responsible, liable, and must report breaches just like medical providers, health plans, and clearinghouses.


In summary, business associates are now in with both feet. Business Associates must comply and are liable under HIPAA just like medical providers, health plans, and clearinghouses. Have questions about who is a Business Associate, when a Business Associate Agreement needs to be signed, or whether you are liable for your Business Associates? Watch the video:


Want more information? Need compliance help? Contact us.


The Anatomy of a HIPAA Business Associate Agreement.
