Business Associate Agreement: A Basic Guide
ContractsCounsel has assisted 27 clients with business associate agreements and maintains a network of 38 business lawyers available daily.
What Is A Business Associate Agreement?
A business associate agreement, also known as a business associate contract, is a legally binding document that establishes a party’s responsibilities regarding personal healthcare information (PHI). The contract must provide guidance on a privacy policy for protecting PHI and electronic PHI (ePHI) on cloud services, applications, storage, and communications.
Numerous rules and regulations surround PHI and ePHI. Health care lawyers can help business associates and providers draft an agreement.
Here is an article about what a business associate agreement is.
Understanding Business Associate Agreements
Business associate agreements are specific to healthcare providers and others who deal with PHI. They are part of the continuous effort to ensure that PHI and ePHI are not inadvertently or intentionally disclosed to unauthorized individuals. Specific individuals must sign a business associate agreement and acknowledge all applicable laws.
Who Should Sign A Business Associate Agreement?
All relevant parties should sign a business associate agreement. However, these agreements are generally signed by managers, with the protocols then implemented and delegated to individual team members.
The following individuals typically sign a business associate agreement:
- Vendors
- Contractors
- Hospitals
- Clinics
- Labs
- Attorneys
- And more
If you have questions about who should be signing a business associate agreement in your organization, ensure that you speak with healthcare lawyers for advice. They can help you identify all parties with a vested legal or financial interest in the matter.
Here is an article on the basics of business associate agreements.
Who Needs A Business Associate Agreement?
There are two parties who could need a business associate agreement. The first one is a business associate, and the second is a covered entity. Both parties have separate duties and responsibilities that should be carefully established in a business associate agreement.
Who Is Considered A Business Associate?
Business associates are individuals or business entities who perform specific activities that involve the direct use or divulgence of PHI or ePHI. These activities include operation management and administration according to the Privacy Rule and Administrative Simplification Rules.
A business associate can range from software companies to cloud services providers. Anyone who could potentially view PHI or ePHI and is not a covered entity employee is a business associate.
Covered Entity vs. Business Associate
Covered entities are hospitals and healthcare providers and are different from business associates. Business associates are not employed by covered entities. However, a business associate provides a service to the covered entity as part of its normal course of business.
Here is an article about business associates.
Parts of a Business Associate Agreement
Under HIPAA and HITECH, business associates must follow specific security rules and routinely review them when working with a covered entity. For both parties to protect themselves, it is essential to address the key parts of a business associate agreement. Leaving out important details can result in legal problems in the future.
These are the parts of a business associate agreement under Health and Human Services (HHS) guidelines:
- Part #1: Establish permitted uses of PHI as well as any disclosures.
- Part #2: Require that the business associate not use the information other than as permitted or required by law.
- Part #3: Demand that the business associate utilize reasonable security protocols to prevent unauthorized use of PHI.
- Part #4: Set terms and conditions related to breaches of PHI.
- Part #5: Address the business associate’s obligation to handle PHI copy requests.
- Part #6: Explain how HIPAA obligations require business associates to comply with applicable laws.
- Part #7: Require the business associate to maintain high internal standards and practices related to the handling of PHI.
- Part #8: Determine how contract terminations should be handled as well as how to return or destroy PHI data.
- Part #9: Specify how business associates should deal with subcontractors and their use of PHI.
- Part #10: Provide for contract termination in the event of a material violation by the business associate of the terms contained within.
As you can see, business associate agreements are highly technical and complex. It is necessary and imperative to understand the role of HIPAA compliance and BAAs when forging this type of relationship with a covered entity. If you have any questions, privacy lawyers are able to provide specific legal advice.
HIPAA Compliance and BAAs
The Health Insurance Portability and Accountability Act (HIPAA) sets standards that are not just limited to covered entities. HIPAA standardized how PHI should be used, stored, transmitted, and disclosed for everyone working in the healthcare industry. Since business associates use PHI, it is essential that BAAs comply with current rules and regulations.
Here is an article about HIPAA business associate agreements.
BAAs and Cloud Services
Before business associates can use, store, or process PHI, they must ensure that the services of the covered entities are secure. Even if a business associate claims to be HIPAA and HITECH compliant, it cannot use ePHI that is stored in the cloud until a risk analysis has been performed.
However, there is an added element in that cloud services are also considered business associates. As such, covered entities must ensure that they have BAAs in place with them as well. Before uploading any PHI data to cloud services, the covered entity must have a signed BAA with their providers.
Cloud computing service providers can be liable for accessing ePHI if their services do not comply with HIPAA standards, even if they did not see any data. It is also essential to remember that not all cloud computing providers are willing to sign BAAs.
Also, signing a BAA does not by itself make a cloud service HIPAA compliant. Even with an agreement in place, HIPAA laws can be violated, which means that no provider can be authentically HIPAA compliant on its own.
Simply put, HIPAA compliance is determined by how the platform is used.
Getting Help With a Business Associate Agreement
Federal and state laws take HIPAA violations seriously. As such, it is critical to hire healthcare lawyers when getting help with a business associate agreement. The value, knowledge, and experience they provide will protect you and your organization in the future while avoiding common pitfalls.
These are the advantages of hiring healthcare lawyers when dealing with a business associate agreement:
- Vast knowledge of laws that help you avoid HIPAA violations
- Ability to interpret laws and court rulings when making decisions
- Business associates and covered entities will understand their rights
- Experience will help clients better prepare for the transaction
- Manage expectations among all negotiating parties
- Compliance under all federal, state, and county regulations and laws, such as the CCPA
- Representation in case future disputes arise
Due to the intricate nature of healthcare laws, especially those related to PHI and HIPAA, ensure that you do not make the critical mistake of guessing your way through the business associate agreement. Doing so could create problems in the future, and the losses could far outweigh the costs of hiring privacy lawyers the first time around.
Privacy lawyers will listen to your needs and draft a contract that meets them. They will also focus on keeping patient information private and secure.
Here is an article with resources for providers on PHI compliance and data security.
ContractsCounsel is not a law firm, and this post should not be considered and does not contain legal advice. To ensure the information and advice in this post are correct, sufficient, and appropriate for your situation, please consult a licensed attorney. Also, using or accessing ContractsCounsel's site does not create an attorney-client relationship between you and ContractsCounsel.
HIPAA
Business Associate Agreement
California
Can you explain the key components and legal requirements of a Business Associate Agreement?
I am a small business owner in the healthcare industry and recently started working with a new vendor to handle our patient data. I have been asked to sign a Business Associate Agreement (BAA) by the vendor, but I am not familiar with the legal requirements and key components of such an agreement. I want to ensure that I am compliant with HIPAA regulations and that our patient data is adequately protected, so I would appreciate it if you could provide me with a clear understanding of what a BAA entails, what provisions should be included, and any potential legal pitfalls I should be aware of before signing.
Dolan W.
Hello! As you may know, a Business Associate Agreement ensures compliance with HIPAA when a healthcare entity shares patient data with an outside vendor. The BAA specifies how the vendor, or business associate, will use, disclose, and protect the Protected Health Information they access. It must include safeguards for PHI, like data protection measures and prompt notification in case of a data breach (e.g. if someone hacks into your systems). The agreement should also cover what happens to PHI once the contract ends, requiring the business associate to return or destroy it. Specific terms may allow your business to audit the vendor's compliance or end the contract if they fail to meet HIPAA standards. Lastly, make sure any subcontractors involved also comply with HIPAA to maintain data security throughout the process because rogue employees sometimes do whatever they want. We are able to draft BAAs for you. Just request me on the site and best of luck! Dolan