LACyber is a Division of Lincoln Archives Inc.

Do I Really Need A Business Associate Agreement?

(Uploaded: 2018-12-07 15:35:36 -- Author: Kathryn Turner)

As the fines from data breaches continue to increase, it is especially important to understand how personal health information is protected in every aspect. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets requirements for how that information must be protected, and covered entities commonly formalize those requirements in a contractual relationship with each vendor, through a business associate agreement, to ensure this protection stays intact at all times.

Oftentimes this security makes or breaks the survival of a covered entity. Because the technicalities of the business associate agreement are often self-taught, and with limited resources, it is difficult to understand what is expected of both parties.

Below we'll define what a Business Associate Agreement really is, how it can greatly reduce risk, and some common misconceptions about it.


What is a Business Associate Agreement?

A HIPAA Business Associate Agreement (BAA) is a contract between a HIPAA-covered entity, e.g. a hospital, and an organization providing services to the covered entity, i.e. the business associate.

Essentially, the BAA is a legal contract that describes how the business associate adheres to HIPAA along with the responsibilities and risks they take on.

The BAA also typically defines the services the business associate is providing and the type of data they interact with, and it addresses breach notification, including timelines and penalties.

The contract creates accountability and liability between both parties who may handle PHI on behalf of the other entity.


Managing Risk When Implementing a Business Associate Agreement

When implementing a BAA, the goal is both to secure personal health information and to meet HIPAA compliance standards.

Five considerations for implementing a BAA:

1. Sign a BAA!

This should happen before any PHI is transmitted between the parties.

2. Keep a firm grasp on security.

Encrypt all PHI transmitted over your network.

3. Understand the risks.

Require best practices for the transmission, storage, and destruction of the PHI covered by the BAA.

4. Require and conduct regular risk analyses.

Be sure to regularly scan computers and other information systems to identify potential security risks and respond accordingly.

5. Regularly review BAAs with vendors.

Remember to identify changes in business processes that would require alterations to the current BAA.


While there is a great deal of information available on how to be HIPAA compliant through a business associate agreement, there are also many conflicting suggestions.


Five Common Misconceptions Debunked:

  1. A BAA puts all of my liability on the business associate.
    A BAA establishes a shared responsibility between a covered entity and a business associate. Even if a breach occurs and it is the business associate's fault, the provider can still face monetary penalties.
  2. I need to sign a BAA with all of my vendors.
    Implementing BAAs with partners and vendors when it is not appropriate can put your organization at more risk than not having a BAA in place at all: if that business associate experiences a breach, you may inherit shared responsibility. Reduce your risk by limiting exposure to vendors that actually handle PHI.
  3. Subcontractors don’t need to sign a BAA, because the vendor they’re subcontracting with already has one in place with the covered entity.
    The latest HIPAA rules state that covered entities must obtain satisfactory assurances from their business associate. If PHI passes through your system, you are automatically considered a business associate, and the vendor with which you are contracted will require a BAA with you.
  4. Encrypting the data in transit and storage assures you’re HIPAA-compliant.
    While data encryption is necessary for HIPAA compliance, it’s not the only thing to look for. Additional controls are required for security, risk management, disaster recovery, data retention, auditing, and more. For example, the HIPAA Rules require, “[implementation] of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
  5. All BAAs are created equal.
    Each BAA needs to be tailored to your organization. Pay attention to breach notification terms and the other requirements addressed in the HIPAA Omnibus Final Rule. Do you have a BAA that is older than 2013? It will most likely need to be updated to account for the additional requirements.

While achieving HIPAA compliance can sometimes feel like a maze, remembering the necessary considerations, as well as the misconceptions to avoid, can save you many headaches down the road. Take an informed approach to security and compliance, and uphold the trust of your business associates and of the patients who trust that their data is secure.

LACyber is a division of Lincoln Archives providing comprehensive Data Breach Defense Services. Lincoln Archives and LACyber are proud to be a part of Lincoln Family of Companies serving the Western New York Community since 1914.
