Business Associates in Healthcare


Business Associate Agreements (BAAs) Are Required By HIPAA

Vendors that have access to PHI (Protected Health Information) must give assurances that they are protecting that data adequately. This is done through a signed Business Associate Agreement (BAA), a contract between you and the vendor stating that the vendor understands and complies with HIPAA regulations.

Vendors That Usually Require a BAA

  • EHR and other software vendors, if they access your data for troubleshooting or if they host your data for you
  • IT consultants
  • Data centers, managed servers, data storage providers and backup services; even though they may not need to access your data to provide their services, a BAA covers the potential for insider misuse
  • Collections agencies
  • Accountants, particularly when they provide accounts receivable services where they may encounter patient names
  • Storage facilities
  • Shredding companies, especially when they remove your paper records for off-site destruction
  • Transcription companies

Vendors That May Not Need BAAs

  • Phone and internet providers, covered by HIPAA’s conduit exception
  • Couriers and delivery services
  • Other covered entities, including physicians and laboratories
  • Janitorial services, but your risk assessment should document your clean-desk policies to minimize incidental exposure

You do not need to sign a BAA with the subcontractors of your Business Associates, but your Business Associates must have those contracts signed with their own business associates.

Importance of a Risk Assessment

A thorough review of all BAAs should be part of your annual risk assessment. It is important to ensure that all Business Associates have a valid, up-to-date agreement that covers all the terms required by HHS.
