Obtaining Signed Business Associate Agreements


It is a HIPAA compliance requirement to collect and manage signed Business Associate Agreements (BAAs) from contractors or vendors who handle your protected health information (PHI).

A Business Associate is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of a Covered Entity, or that provides services to a Covered Entity.

Common examples of Business Associates include:

  • IT providers
  • Web designers
  • Document shredding companies
  • Electronic medical record (EMR) vendors
  • Practice management system (PMS) vendors
  • Software vendors that store or process PHI

The general rules are:

  • A Covered Entity must obtain satisfactory assurances from each of its Business Associates.
  • Those assurances must state that the Business Associate will appropriately safeguard the PHI.
  • The assurances must be documented in writing.

Without a BAA, your practice is fully liable for any breach or misuse of patient data by that vendor—even if they cause it.

Collecting signed BAAs:

  • Protects your practice.
  • Limits legal risk.
  • Ensures you’re meeting HIPAA requirements.

See Create a Business Associate Agreement for instructions.
