Glossary of Compliance
Our curated compliance glossary offers everything you need to know about compliance in one place.
HIPAA Agreement
A HIPAA Business Associate Agreement is a contract between a HIPAA-covered entity (like a healthcare provider) and a business or individual that helps with certain functions involving PHI. It’s essentially a written arrangement that outlines how the PHI is used.
HIPAA requires covered entities to work only with business associates that can demonstrate the ability to protect PHI. This commitment must be documented in a contract or agreement.
Also, the Department of Health and Human Services (HHS) can audit business associates and subcontractors for HIPAA compliance, not just the covered entities. All three levels (covered entities, business associates, and subcontractors) must have a Business Associate Agreement (BAA) in place to meet HIPAA requirements.
What’s included in the agreement?
The Business Associate/Subcontractor Agreement must spell out several important details, as per HHS guidelines:
- It describes how PHI can be used by the business associate/subcontractor
- It ensures that the business associate/subcontractor will use or share PHI only as the contract allows or as required by law
- It mandates safeguards to prevent improper PHI use or sharing
Once these relationships are identified, you must ensure that third parties safeguard the PHI they handle. A signed agreement documents that the business associate understands and commits to handling PHI securely.