Business Associate Agreement


A business associate agreement establishes a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI.

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) acts like a safety protocol between your healthcare-focused startup and any partner that may handle protected health information (PHI) on your behalf. It's designed to ensure that PHI is handled securely and in compliance with HIPAA laws.

For example, if your startup is a telehealth platform and you engage a cloud service provider for data storage, the BAA with this provider outlines the specifics about how PHI will be managed. It clarifies responsibilities in ensuring data security, what happens in the event of a data breach, and the rights of the patients whose data is being handled. A BAA is crucial in maintaining trust with your users and staying in line with healthcare privacy laws.

Who are the parties in a Business Associate Agreement?

"Covered Entity" - the healthcare provider, plan, or clearinghouse that has patient information protected under HIPAA

"Business Associate" - the company or individual performing services for the Covered Entity that involve the use or disclosure of protected health information

What are the risks when signing a Business Associate Agreement?

As a Business Associate, not thoroughly reviewing a Business Associate Agreement (BAA) could result in unintentional HIPAA violations, leading to severe legal penalties.

If the agreement doesn't clearly define the use and disclosure of Protected Health Information (PHI), it could lead to misuse or unauthorized sharing of PHI.

Ambiguous terms around safeguards for PHI could result in inadequate protection and potential breaches.

Without clear responsibilities regarding PHI breaches, the handling and notification of a breach could be mishandled, exacerbating damages and legal repercussions.

If termination procedures are unclear, you might be unaware of the necessary steps to take upon termination to ensure PHI is appropriately handled, risking potential violations.