Business Associate Agreements: What They Are and Why They Matter
When a healthcare organization experiences a data breach, the investigation rarely ends at the front door. Increasingly, breaches originate with or are made significantly worse by a third-party vendor who had access to patient data and wasn’t held to the right standards.
Business Associate Agreements (BAAs) are one of HIPAA’s primary mechanisms for addressing this risk. They’re also among the most routinely neglected requirements in healthcare compliance.
What Is a Business Associate?
Under HIPAA, a business associate is any person or organization that performs functions or services on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting protected health information (PHI). This includes IT managed services providers, medical billing companies, cloud storage vendors, EHR developers, legal and accounting firms that access patient records, and more. Since the HITECH Act, subcontractors of a business associate who handle PHI are business associates themselves and must sign their own agreements. The only meaningful carve-out is for pure conduits that merely transmit PHI without storing or accessing it, such as the postal service or an internet service provider. If a vendor touches your patient data in any other way, they are almost certainly a business associate.
What Is a BAA?
A BAA is a legally binding contract that establishes how a business associate may use and disclose PHI, requires them to implement appropriate administrative, physical, and technical safeguards, and outlines what must happen in the event of a breach. The required contents are set out in 45 CFR 164.504(e) and include reporting security incidents and breaches to the covered entity, flowing the same obligations down to any subcontractors, making PHI available for patient access and amendment requests, and returning or destroying PHI when the relationship ends. HIPAA requires a BAA to be in place before any PHI is shared with a business associate.
Why BAAs Get Neglected
In our experience, gaps fall into three categories: the agreement was never executed because the vendor relationship moved faster than the compliance process; the agreement exists but hasn’t been reviewed in years; or no one owns the process, so agreements fall through the cracks as new vendors are added.
The Consequences
OCR has levied significant fines for BAA failures, not just for breaches, but for the simple absence of agreements. In 2016, for example, North Memorial Health Care paid $1.55 million to settle charges that included sharing PHI with a vendor without a BAA in place. When a breach occurs and no BAA exists with the vendor involved, penalties compound quickly and your legal recourse narrows considerably, because the contract that would have defined the vendor's breach notification and indemnification duties never existed.
Building a BAA Program That Works
Maintain a current inventory of all vendors who handle PHI, and record for each one whether a signed BAA exists and where it is stored. Make BAA execution part of your vendor onboarding process, before any data is shared, and be prepared to walk away from a vendor that will not sign one. Review existing agreements annually, checking that they still match the services the vendor actually provides and that they cover any subcontractors the vendor has since added. And assign clear ownership; this can't be something that falls through the cracks.
The data you hold on behalf of your patients doesn’t stop being your responsibility when it leaves your systems. BAAs are how you extend your compliance obligations to the vendors who work with you.
Not sure if your BAAs are current and complete? Abacus Healthcare can help you find out.
