What is a BAA?
A business associate agreement or BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect personal health information (PHI) and comply with the guidelines provided by HIPAA.
BAAs require that:
- A company dealing with PHI obtains sufficient assurances from its business associates
- The business associate will safeguard the PHI on the company’s behalf
Under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA business associate automatically becomes subject to audits performed by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.
What should be in a BAA?
HIPAA requires that every BAA contains certain elements. As we can read on the HHS website, the contract must:
- Describe the business associate’s permitted and required uses of protected health information.
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
- Require the business associate to use appropriate safeguards to prevent the use or disclosure of protected health information other than as provided for by the contract.
You may also like:
- A review of HIPAA-compliant analytics platforms
- HIPAA, marketing and advertising: How to run compliant campaigns in healthcare
- How PHI and PII impact your HIPAA compliance and marketing
- The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics
