It is a HIPAA compliance requirement to collect and manage signed Business Associate Agreements (BAAs) from every contractor or vendor that handles protected health information (PHI) on your behalf.
A Business Associate is a person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a Covered Entity, or that provides services to a Covered Entity which require access to PHI.
Common examples of Business Associates include:
- IT providers
- Web designers
- Document shredding companies
- Electronic medical records (EMR) vendors
- Practice management system (PMS) vendors
- Software vendors that store or process PHI
The general rules are:
- A Covered Entity must obtain satisfactory assurances from each Business Associate that it will appropriately safeguard the PHI it receives or creates on the Covered Entity's behalf.
- Those assurances must be documented in a written agreement (the BAA), signed by both parties, before PHI is shared.
Without a BAA, sharing PHI with that vendor is itself a HIPAA violation on your practice's part, and you have no contractual commitment from the vendor to safeguard the data, restrict its use, or notify you of a breach.
Collecting signed BAAs:
- Protects your practice.
- Limits legal risk.
- Ensures you’re meeting HIPAA requirements.
See Create a Business Associate Agreement for instructions.