10 Things Your BAA MUST Cover and Why

You already know that you need to have a signed BAA with anyone that handles your Protected Health Information (PHI), but can you explain the key reasons why? Here are 10 need-to-know items before you sign yours.

10 Things Your BAA MUST say

1. The BAA must establish the Business Associate’s permitted and required uses and disclosures of PHI (Protected Health Information).
Be sure to go over this before signing because it is important that you both know and agree with how your information is being used.

2. A statement that the Business Associate will not use your (the Covered Entity’s) PHI in any other way than was stated in the terms above, unless required by law.
This is a straightforward statement but it’s good to be as clear as possible when laying out the rules for sensitive information.

3. Require the Business Associate to implement proper safeguards as defined by HIPAA’s Security Rule in order to effectively protect your PHI.
It’s one thing for the Business Associate to promise not to give or sell your information; it’s another thing if it was never secure to begin with. Talk with them and find out how they’re securing your PHI from theft.

4. The Business Associate must agree to notify the Covered Entity of any breaches without unreasonable delay and no later than 60 days from the date of discovery.
If there is a breach of your information, you need to know about it, especially because you are required to notify your own clients within the same general timeframe. Even if the breach is the fault of the Business Associate (and they would therefore hold the liability), you still want to know that your partner will act quickly and transparently with you.

5. Require the Business Associate to disclose PHI as specified in its contract to satisfy Covered Entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments and accountings.
You want to be able to keep detailed track of your information, whether just for compliance or also to help with billing. If you're videoconferencing, for example, you need to know with whom, when, and for how long. Doing that manually is neither reliable nor efficient in the digital age. Make sure your Business Associate is keeping track and making this information available to you.

6. To the extent the Business Associate is to carry out a Covered Entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation.
Referring to #5, this provision is to make sure that the Business Associate will follow the same rules and requirements when assisting with your obligations (to the extent of their obligation).

7. The Business Associate is required to make its internal practices, books, and records (relating to the use and disclosure of PHI) available to Health and Human Services (HHS) on behalf of the Covered Entity to determine compliance with the HIPAA Privacy Rule.
While your Business Associate has probably already explained to you the details of their HIPAA compliance, they are also formally agreeing to make themselves transparent to HHS to prove it.

8. Require the Business Associate, if feasible, to return or destroy all PHI (received from or created on behalf of the Covered Entity) if and when the contract is terminated.
This section is extremely important because you don't want to find yourself with a bad Business Associate and worry about what will happen after you rightfully terminate the contract. Your Business Associate might still hold PHI that you need, or information they should no longer have, after a contract ends.

9. The Business Associate must ensure that any of their affiliates that have access to (Covered Entity’s) PHI agree to the same restrictions and conditions as the Business Associate with respect to such information.
Chances are that your Business Associate has their own Business Associate. Make sure that this third party has also signed an agreement (with them, not yourself) to uphold your PHI to the same safety and confidentiality standards you expect to see from your Business Associate.

10. A statement that your Business Associate will authorize the termination of the contract (by the Covered Entity) if they have violated a material term of the agreement.
Even if you've signed a one- or two-year agreement, you are not obligated to stay in the contract if they did not uphold their end. You want to make sure they agree to this and will not try to hold you to the contract against your will.
This post is for informational purposes only and not a replacement for legal advice. For more detailed information on these ten provisions, please see HHS’s guide on Business Associate Contracts.
