A Beginner’s Guide to the HIPAA Business Associate Agreement

HIPAA (Health Insurance Portability and Accountability Act of 1996) provides a legal framework for protecting private medical information.

The law protects not only personally identifiable information but virtually all data collected by organizations working in or adjacent to the field of medicine. It provides both standards for protecting the data and how to share the data safely to ensure efficiency between business partners.

One of the provisions of the law is the mandatory HIPAA business associate agreement.

These contracts are required whenever a business begins to work with a HIPAA-covered entity.

Is your business considering taking on clients in the healthcare industry? Keep reading to learn everything you need to know about a HIPAA business associate agreement.

Who’s Who: Working in the Healthcare Sector

HIPAA laws apply to two main parties: covered entities and business associates.

Covered Entities

A covered entity may be:

  • A healthcare provider (some exclusions apply)
  • A health plan, such as a health insurance company
  • A healthcare clearinghouse

These entities must abide by all HIPAA laws, including and especially the HIPAA Privacy Rule.

Covered entities rarely do all their work alone; they rely on a network of secondary businesses or individuals to help them carry out even essential functions. The Privacy Rule recognizes this and thus allows covered entities to share their data with “business associates.”

Business Associates

A business associate is a person or company that performs an activity or function for a covered entity that involves access to, use of, or disclosure of protected health information (PHI).

In some cases, a covered entity is itself treated as a business associate, when its relationship with another covered entity is transactional in nature.

Binding Agreement: HIPAA Business Associate Agreement

As a business, you should be no stranger to written contracts. But there’s one contract you may not have needed to sign before: the HIPAA business associate contract.

The HIPAA business associate contract is a contract that outlines the responsibilities that must be upheld by both your business and the covered entity you’re working with.

These contracts are mandatory by law.

If your business wants to enter a partnership in which it creates, maintains, receives, or transmits protected health information from or on behalf of a covered entity, you’ll need a HIPAA business associate agreement.

Even if you pass the data on to a subcontractor to handle, you and the subcontractor carry the same liabilities under the law.

The only exception to this is when two covered entities transfer data to each other to fulfill their primary role and not as a business relationship.

For example, a healthcare provider can transfer a patient’s records to another healthcare provider as part of a provider referral.

Who Drafts the Agreement?

Covered entities take on the most liability when working with other businesses or contractors. It’s up to the covered entity to recognize that your relationship is a business relationship covered by HIPAA.

The covered entity will also be in charge of drafting the HIPAA business associate agreement.

The client will draft an agreement outlining two sets of responsibilities:

  • The responsibilities the covered entity requires
  • The requirements of HIPAA and other laws

Your client also updates the agreement when needed. It’s up to them to remain abreast of changes in the legislation or other requirements and keep you updated as required.

Who Is Liable for Security Under HIPAA?

Technically speaking, only the covered entity is liable for complying with HIPAA, but the government’s commitment to protecting the privacy of patients means that everyone who works with or near that information needs to uphold the privacy regulations.

By signing a HIPAA business associate agreement, you agree to uphold the same protocols as the covered entity.

Required Provisions of a Business Associate Agreement

Every business associate agreement will likely reflect the individual practices of the covered entity you’re working with. However, each will also have required provisions that serve as a common denominator in the contract.

It’s useful to familiarize yourself with these provisions before signing the contract to understand what parts of the agreement are based on the law and what practices go above and beyond to protect customers.

Here are a few of the required provisions, along with the corresponding legislation:

  • Use and Disclosure (45 C.F.R. 164.504(e)(2)(ii)(A))

Use and disclosure provisions stipulate that you will neither use nor disclose PHI other than in ways explicitly allowed by HIPAA.

  • Safeguards (45 C.F.R. 164.504(e)(2)(ii)(B))

The Safeguards provision requires the business associate to use the required and appropriate safeguards to protect and maintain PHI and to avoid disclosures not allowed by law.

  • Minimum Necessary Requirement (45 C.F.R. 164.502(b); 164.514(d))

The Minimum Necessary Requirement provision dictates that a business associate may not use or disclose more PHI than the minimum necessary to complete its job. The provision is grounded in the law, but the covered entity may extend it with its own stricter requirements.

  • Reporting (45 C.F.R. 164.504(e)(2)(ii)(C))

Reporting provisions require business associates to report unauthorized disclosure or use of PHI to the covered entity, including and especially any security breaches or incidents.

  • Mitigation (45 C.F.R. 164.530(f))

Mitigation requires that business associates do their best to mitigate the harm done in the event a disclosure that violates the agreement occurs.

  • Subcontractors (45 C.F.R. 164.504(e)(2)(ii)(D))

The Subcontractors provision sets the standards under which a business associate may share data with its subcontractors. It states that the same standards that apply to business associates also apply to their subcontractors.

  • Right of Amendment (45 C.F.R. 164.504(e)(2)(ii)(F))

Right of Amendment allows the business associate to amend PHI when the covered entity requests them to do so.

  • Right of Access (45 C.F.R. 164.504(e)(2)(ii)(F))

Right of Access provides that business associates must give both covered entities and the subjects of PHI the right to access that PHI.

Sign the Dotted Line

The protection of private health information is serious business, especially in the digital age.

Today, private medical information can be stolen by thieves located anywhere in the world as long as they have the digital key. And because covered entities can’t perform all their business functions alone, they rely on businesses like yours to protect them by upholding the law.

Even the smallest mistake can lead to a serious violation, so education and prevention are the most significant business assets you can have.

Do you know your risk of HIPAA violations? Get in touch today to protect yourself, your business partners, and ultimately patients, so you can all sleep better at night.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Section 164.308(a)(5) of the HIPAA Security Rule states the standard as: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
