AuditXYZ

Lesson 5 of 5

HIPAA Business Associates: Agreements and Obligations

10 min read · Intermediate

HIPAA Business Associates

A business associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. If your company provides services to healthcare organizations and handles PHI in the process, you are a business associate and must comply with HIPAA.

Common Business Associate Examples

Common examples include cloud service providers hosting ePHI, IT companies managing healthcare systems, billing companies processing claims, EHR vendors, shredding companies destroying PHI, consultants with PHI access, and attorneys handling PHI cases. The definition is broad — if you touch PHI while providing services, you are likely a business associate.

The Business Associate Agreement

A Business Associate Agreement (BAA) is a legally required contract between a covered entity and a business associate. It must specify the permitted uses and disclosures of PHI, require the business associate to implement appropriate safeguards, require reporting of breaches, ensure subcontractors agree to the same restrictions, and make PHI available to individuals exercising their rights.

No PHI should be shared before a BAA is in place. Sharing PHI with a vendor before executing a BAA is one of the most common HIPAA violations.

Business Associate Obligations

Business associates must comply with the Security Rule, report breaches to the covered entity, ensure subcontractors sign BAAs, make PHI available when required, and limit PHI use to what the BAA permits. The HITECH Act extended direct liability to business associates — they can be fined and penalized independently of the covered entity.

Subcontractors

Business associates must ensure their subcontractors who handle PHI also sign BAAs. This creates a chain of accountability. For example, if a SaaS company (business associate) uses a cloud provider (subcontractor) to host ePHI, the cloud provider must also sign a BAA.

Managing Business Associate Relationships

Maintain an inventory of all business associates and their BAAs. Review BAAs annually to ensure they remain current and compliant. Monitor business associate compliance through questionnaires, attestations, or audits. Include BAA requirements in your vendor management process to prevent PHI sharing before agreements are in place.