What is a Business Associate Agreement and how does it work with HIPAA?

A Business Associate Agreement is an essential piece of the HIPAA compliance system. These contracts are called business associate agreements (BAA). They set forth all the provisions for each party’s adherence to HIPAA requirements.

Without knowing it, many doctors considering using third party technology may be breaching HIPAA compliance.

As part of HIPAA  compliance, any covered entities (this includes physicians) must enter into special contracts with external business associates that may handle, or be exposed to, protected health information (PHI).

Entities that might need a Business Associate Agreement for HIPAA compliance are:

  • A Telemedicine video provider, or a third party mHealth app
  • A health plan using a third-party administrator to help with claims processing.
  • A CPA firm providing accounting services to a healthcare provider, if they have access to protected health information.
  • A hospital consultant who performs utilization reviews
  • A healthcare clearinghouse translates a claim from a nonstandard format to a standard format for a healthcare provider then sends the process transaction to a payer.
  • A physician using an independent medical transcriptionist’s services
  • A pharmacy benefits manager managed a health plan’s pharmacist network


To ensure compliance, HIPAA Business Associate Agreements should:

  • Describe how the business associate is permitted and required to use PHI.
  • Require that the business associate not use or disclose PHI other than as required by law.
  • Require the business associate to use appropriate safeguards to ensure the PHI is used as detailed in the contract.
  • Take reasonable steps to cure any breach by the HIPAA business associate. If this is unsuccessful, the covered entity is required to terminate the contract with the business associate.
  • Detail how they will report and respond to a data breach, including data breaches that are caused by a business associate’s subcontractors.