HIPAA Business Associate Agreement Explained

by Troy Fine

January 05, 2023

According to data from IBM published in the HIPAA Journal, healthcare data breaches are the costliest, with the average cost increasing from $2 million to $9.42 million per incident. The unfortunate truth is that these breaches are both common and expensive.

Working with external vendors can increase your risk, which is one reason why having business associate agreements in place is so important. Not sure where to start? In this post, we’ll share what you need to know about HIPAA business associate agreements and why they matter to your organization.

What is a Business Associate?

A business associate is a person or entity, other than a member of a covered entity's workforce, that performs functions or activities on behalf of a covered entity that involve access to protected health information (PHI). This can include vendors, consultants, service providers, and subcontractors.

If you hire a business associate to help you with your healthcare operations, then you must have a business associate agreement in place before they begin work. Failure to do so could result in penalties from the Department of Health and Human Services (HHS).

Business associates may have access to sensitive information like patient medical records, so they must safeguard this data appropriately. A business associate agreement helps both parties understand their roles and responsibilities in securing patients' private health information.

What Makes a Business Associate Agreement Necessary?

Most other organizations you work with are not regulated by HIPAA and don't have to comply with HIPAA regulations.

However, according to the HHS:

“The HIPAA rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.”

Simply put, this is another step to ensure that all parties are keeping data secure and being mindful of access. 

How to Evaluate Potential Business Associates

Before you come to this agreement, you need to find the right vendor for your needs. The question is: What should you be looking for?

Here are some things to ask:

Do they have written policies and procedures? A good vendor will have written policies and procedures on how they manage protected health information.

Do they have a dedicated security officer? In our current landscape, there's an increasing need to have more eyes on information policies and management. That is, in part, the role of a security officer. When a business associate has someone take on this role, it's more likely that confidentiality will be maintained and best practices will be followed.

How secure is their environment? Does it have physical security such as biometric access controls or video surveillance, as well as technical controls such as multi-factor authentication, firewalls, intrusion detection systems, encryption, and anti-virus software?

What training do their employees receive? HIPAA requires that all employees receive training on how to handle PHI securely, so find out what type of training your vendor provides for the employees responsible for handling PHI.

Do they have an incident response plan? This is essential for any company that handles PHI. A good vendor should have a plan for handling incidents in case something goes wrong with their systems or there is a breach.

Do they engage third parties to perform independent assessments of their controls? Having controls in place is necessary, but there may be blind spots if those controls are only evaluated internally. External independent assessments of controls play a key role in ensuring their effectiveness.

You may also choose to add to or change this list based on the specific type of vendor. The key is to ensure that any vendor you choose and their staff are keeping up with security best practices and that they know what to do in the event that something goes wrong.

When Does a Business Associate Agreement Need To Be in Place?

A business associate agreement must be in place before a vendor handles PHI on your behalf. Having a BAA in place is essential because it helps ensure that the other company is following all HIPAA rules when working with PHI.

Who Needs to Sign a New Business Associate Agreement?

The business associate (the third-party contractor or vendor) and the covered entity (the entity that hires the business associate) must sign a new business associate agreement. That said, it is a good idea to inform all relevant parties when you engage a new business associate. Everyone in your organization who deals with HIPAA rules should be on the same page.

How Long is a Business Associate Agreement Valid?

Business associate agreements do not expire once they are in place. Your agreement with a business associate will remain valid unless either party terminates it or there is a change in regulatory requirements.

What Happens if a Business Associate Violates HIPAA?

Business associates are directly liable for compliance with certain provisions of the HIPAA rules. If they break one of these rules, they are responsible and must deal with the consequences. Business associates can also face lawsuits from individuals affected by a breach. You can learn more about the obligations of a business associate and see a sample agreement on the HHS website.

Need more help making sense of HIPAA compliance?

Drata can help you streamline your HIPAA-specific needs in the user-friendly interface and five-star customer support we're known for. You have one dashboard giving you a central view of your security, risk, and compliance posture at any time. Schedule some time with our team to see what Drata can do for you. 

Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.