
Ensuring Your HIPAA Compliance with Business Associate Agreements

The Health Insurance Portability and Accountability Act (HIPAA) is US federal legislation that regulates the privacy and security of patient medical information. It requires any entity that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) to comply with its provisions for protecting healthcare data.

As healthcare organizations have become increasingly reliant on their technology systems, the amount of data they produce and store has grown exponentially, and the degree of interoperability and integration between care providers and their suppliers has grown with it. Because so much information is shared across the healthcare technology industry, HIPAA categorizes each organization that handles PHI as either a covered entity or a business associate.

Covered Entities and Business Associates

Covered entities are health plans, healthcare clearinghouses, and healthcare providers such as

  • Doctors
  • Hospitals
  • Pharmacies
  • Dentists

Business associates are organizations or individuals that perform functions or services for a covered entity, as vendors or suppliers, and that create, receive, maintain, or transmit PHI on its behalf. These include:

  • Data processing enterprises
  • Information storage organizations
  • Law firms
  • Software vendors

Under HIPAA, both covered entities and their business associates need to comply with the rules of the act and implement the appropriate measures to ensure they protect ePHI.

The HIPAA Privacy Rule requires a covered entity to obtain satisfactory assurances from its business associates that they will appropriately safeguard the PHI they receive or create on the covered entity's behalf, and it requires that these assurances be documented in writing. Covered entities and business associates can face similar repercussions should a data breach compromise ePHI. Entering into a formal contract mitigates the covered entity's risk, but it is also a mandatory HIPAA requirement rather than an optional precaution.

What is The HIPAA Business Associate Agreement?

A business associate agreement (BAA) is a written contract that sets out the responsibilities of the covered entity and the business associate for protecting Protected Health Information (PHI). The contract must state that the vendor, supplier, or partner will not use or disclose PHI other than as permitted by the agreement or as required by law.

Due to HIPAA's stringent requirements and severe penalties, every covered entity must enter into a business associate agreement with any partner, supplier, or vendor that accesses, processes, or stores PHI on its behalf. The contract must state clearly that both the covered entity and the business associate are obligated to comply with the applicable rules of the act.

Because the contract's purpose is to establish each party's obligations before a data breach occurs rather than after, the agreement must state the stipulations and obligations of each party clearly. It should define the types of PHI that the covered entity will share with the business associate, where and how the business associate may use that PHI, and what measures the business associate must implement to ensure the security and privacy of patient health information.


What You Need to Include in Your HIPAA BAA

The HIPAA Security Rule details three broad categories of safeguards that every covered entity and business associate must implement to comply with the act. Some of the implementation specifications under each category are required, while others are addressable. Required specifications are mandatory: failing to implement one can result in a HIPAA sanction or financial penalty. Addressable specifications offer some flexibility, but "addressable" does not mean "optional": an organization must implement the specification if doing so is reasonable and appropriate, and if it decides it is not, it must document the reason, implement an equivalent alternative measure where one is reasonable and appropriate, and be able to produce that documentation during a HIPAA audit.

The HIPAA Safeguards

Administrative Safeguards

The administrative safeguards cover the elements that define an organization's security management process. They typically include items such as:

  • Policies
  • Procedures
  • The maintenance of security measures that protect PHI 

Security awareness training, risk analysis, risk management, data backup, and disaster recovery planning are some of the mandated HIPAA administrative safeguards that a business associate should be required to comply with as part of the business associate agreement.

Physical Safeguards

Physical safeguards are measures such as facility access controls that mitigate physical security risk. A BAA should specify the physical security requirements that a business associate must meet.

Some of the requirements that fall under this category include:

  • Secure workstation access
  • Physical security mechanisms for all devices 

This category also covers the secure disposal of media containing ePHI and the reuse of media that previously stored patient health information, which must be sanitized before it is repurposed.

Technical Safeguards

The third and final category details the technical safeguards that covered entities and business associates must implement to protect ePHI.

Some of the requirements that fall under this category include:

  • Unique user identification
  • Emergency access procedures 
  • Encryption 

It also specifies the integrity controls that organizations must put in place to verify that ePHI has not been altered or destroyed in an unauthorized manner.

Get Satisfactory Assurances

The HIPAA business associate agreement describes the relationship between a covered entity and its business associates. It also details how a business associate can use any PHI and is a vital instrument in ensuring HIPAA compliance. 

Unlike some commercial contracts, a HIPAA business associate agreement does not automatically indemnify a covered entity against financial penalties. The onus remains on the covered entity to obtain satisfactory assurances that the business associate will appropriately safeguard the covered entity's PHI. If the covered entity fails to obtain this assurance and a compromise involving PHI occurs, the covered entity may still be liable under the act.



Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) from ISACA, a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
