Compliance Glossary

A HIPAA Business Associate Agreement is a contract between a HIPAA-covered entity (like a healthcare provider) and a business or individual that helps with certain functions involving PHI. It’s essentially a written arrangement that outlines how the PHI is used.

HIPAA requires covered entities to work with business associates who demonstrate the prowess to protect PHI. This must be validated using a contract or an agreement.

Also, the Health and Human Services (HHS) can audit business associates and subcontractors for HIPAA compliance, not just the covered entities. All three levels (covered entities, business associates, and subcontractors) must have a Business Associate Agreement (BAA) to meet HIPAA requirements.

What’s included in the agreement?

The Business Associate/Subcontractor Agreement must spell out several important details, as per HHS guidelines:

• It describes how PHI can be used by the business associate/subcontractor
• It ensures that the business associate/subcontractor will only misuse or share PHI within what the contract allows or requires by law
• It mandates safeguards to prevent improper PHI use or sharing

Once these relationships are identified, you must ensure that third parties safeguard the PHI they handle. A signed agreement documents that the business associate understands and commits to handling PHI securely.