Is your business considered a “covered entity”?

If so, the regulations of the Health Insurance Portability and Accountability Act (HIPAA) are clear. You need to set up a business associate agreement (BAA).

These need to be comprehensive, covering business associates and subcontractors.

If you’re only just learning about HIPAA, it’s important to act quickly.

If you don’t correctly protect personal health information (PHI), you could end up in a lot of trouble. Luckily, this article is here to help.

We’ll answer the question “what is a business associate agreement?” and talk you through some key requirements for building your own.

What is a business associate?

“Business associate” is a broad term. It covers anyone who performs activities for a covered entity that involve working with PHI.

Typically, covered entities do not carry out all healthcare activities themselves, preferring instead to outsource some of these tasks to external organizations.

When this happens, these providers are classed as business associates.

Below are some examples of business associates:

  • Vendors that carry out file sharing
  • Companies that service medical equipment containing PHI
  • Services that translate files
  • Lawyers
  • Cloud-based software providers
  • Accountancy or consulting services
  • File shredding services.

What is a covered entity?

According to HIPAA rules, a covered entity can be any of the following:

  • A healthcare provider
  • A healthcare clearinghouse
  • A healthcare provider that electronically transmits PHI. This covers any transactions that the Department of Health and Human Services (HHS) has adopted standards for.
  • A “hybrid entity” that carries out HHS-covered electronic transactions. Most commonly, this applies to universities with student medical centers.

If you fall into any of the categories listed above, you will need a business associate contract.

What is a subcontractor?

Your business associates may decide to outsource some of their services to external businesses. These are known as subcontractors.

You may have a direct arrangement only with the business associate.

However, a subcontractor may be carrying out some services and working with your data.

Now, let’s look at a business associate agreement definition.

What is a business associate agreement?

A BAA forms a legal contract between a covered entity and a business associate.

It’s important to note that not every business that deals with PHI needs a business associate agreement.

The law only applies to the covered entities that are listed above.

It’s equally useful to remember that not every associate that works with a HIPAA-covered entity needs an associate agreement.

Associates that need business associate agreements under HIPAA include:

  • Associates that disclose PHI. This may cover an associate if they carry out some of the following tasks: data administration, data analysis, and QA testing.
  • Associates that disclose PHI when handling, accrediting, managing, consulting, aggregating, or carrying out financial activities for a covered entity.

What about employees?

As employees work for you, they are not classed as business associates.

Staff that work with PHI don’t need to sign a BAA contract.

When it comes to responsibility, however, the HHS is clear.

It’s the job of the employer to ensure that staff are clued up. It’s important that you provide training so employees know how to keep PHI safe.

What about contractors?

Contractors hired by your business to carry out certain tasks are not associates.

It is, however, still your responsibility if a contractor breaches PHI.

In this scenario, a BAA is not required.

The HHS reasons that a contractor working solely for you would not have the infrastructure to generate their own policies.

Rather, HHS says that a confidentiality agreement is needed.

If you’re working with a contractor, be sure to include the below elements in your confidentiality agreement:

  • The forms of PHI that are covered within your agreement
  • That a contractor must return and delete any data when requested
  • The forms of information that the contractor can copy or alter
  • The measures in place if a contract is breached.

What’s different about a HIPAA business associate agreement?

A BAA contract is not as simple as an ordinary business contract.

Normally, you need a two-way agreement when signing a contract with a business associate.

You might be setting up a working agreement between yourself and an external partner.

With a BAA you need to think more broadly.

Who is carrying out services for your business partner? Are they disclosing PHI? If so, they will also need to be covered by an agreement.

It’s the job of your associate to create a contract. But it’s still important that you ensure the correct agreements are in place.

Dealings with a subcontractor are not your responsibility.

They are, however, still working with your customer’s data. Any malpractice will reflect badly on your business.

As with business associates, not all subcontractors need BAAs.

For example, postal and carrier services are considered “conduits” of PHI.

It’s time to consider all your associates and their arrangements with subcontractors.

Who needs business associate agreements?

As established, there are multiple parties that may need a BAA contract. Let’s recap. An agreement may be needed if:

  • You’re working with a business associate that provides services that disclose PHI for a covered entity.
  • Your business associate is working with a subcontractor to provide services that disclose PHI for a covered entity.

A BAA isn’t needed if:

  • You’re working with a contractor that discloses PHI. Instead, a confidentiality agreement is needed.
  • A subcontractor is considered a “conduit”.
  • A business associate or subcontractor discloses information that HHS hasn’t adopted standards for.

What are some key business associate agreement requirements?

When putting together your BAA, there are many important requirements to account for.

Let’s look at some of the key ingredients that should be found within a BAA contract.

What to include

Clarify disclosure and use of PHI

This should form the basis of your BAA document.

Your contract should clarify how an associate can use PHI. In other words, what services do you need them to complete? How does data play a part in those services?

The agreement should specify that the use of data outside those requirements (unless specified by law) is a breach of contract.

Remember, your contract must always work within the HIPAA framework. Be sure to have a good understanding of legislation before drafting your contract.

Storage of data

HIPAA’s privacy and security requirements are clearly documented. It’s important that PHI is stored safely and securely.

Specify requirements for associates when storing PHI. What protections and firewalls need to be in place in case of a breach?

You should also consider availability. HIPAA specifies a “right of access” for individuals.

This allows patients to view their health data if they wish.

To fulfill these requirements, it’s important to assign a specific set of records for PHI.


The HHS is free to investigate businesses at any time.

If they find that you have breached HIPAA, who will be held responsible?

It’s important that your agreements hand liability to a single party. Specify the consequences for failure to comply.

Education and training

Both parties need to ensure employees have an understanding of the law. Outline a clear set of protocols for education and training.

Ultimately, staff should know how to keep PHI safe. They should know what they can and cannot do under the legislation.

Response to data breaches

How should an associate respond if a data breach occurs?

Outline a step-by-step process for notifying your organization and responding.

Consider steps that can be taken to reduce the harm of a data breach.

It’s important not to overlook associates working with subcontractors. Establish the need for an equally clear protocol with third parties.

Data deletion

HIPAA specifies that individuals have the right to request their PHI be deleted.

Ensure that your contract shows how you will meet this requirement. How should parties delete data if they receive a request?

Uniform procedures

As mentioned, associates may work with subcontractors to provide certain services.

To ensure the protection of PHI, stipulate that associates apply the same conditions to subcontractors.

Ask that associates inform you of how they’re working with subcontractors, and what data is being used.

Storage of forms

It’s important to consider the storage of your HIPAA forms themselves.

Forms need to be stored in a safe and secure way, so they can be accessed when needed.

PandaDoc helps healthcare providers stay compliant with federal law when handling PHI.

Mandatory PHI disclosure

There will be times when the law requires you to disclose PHI.

Ensure that your contract clearly specifies what these scenarios would be.

You should also set out a clear procedure of what to do in these circumstances.

What not to include

It’s easy to make mistakes within your BAA.

If you’re not careful, these mistakes can hinder your ability to comply with your contract. Let’s look at some things you should avoid when creating your contract:

Unclear formatting

There will be times when you need to find important documentation in a pinch.

Inconsistent formatting can impact your ability to find your document quickly. Try to establish a clear and uniform structure.

Overly complex documentation

It’s vital that both parties can understand your policies. Staff need to read and understand the documentation.

Using overly complex “legalese” and writing reams of text will only confuse matters.

Unassessed policies

It goes without saying that your BAA document needs to be HIPAA compliant.

The policies that you include must all work within the framework of legislation.

Conduct risk assessments to ensure your document is in line with legal guidelines.

How to ensure a compliant document

As we’ve established, there’s a lot to include in your BAA document.

There are also a great many easy mistakes to avoid. To properly ensure a compliant document, it’s useful to seek external help.

Luckily there are online resources available to help.

PandaDoc HIPAA provides services to distribute HIPAA forms and collect patient information.

As a business associate for healthcare providers, PandaDoc limits access to patient information from its own employees, except in scenarios where access to this data is required to complete their job duties.

What happens when HIPAA regulations are violated?

Violating HIPAA can mean serious consequences for you and your business.

The severity of the punishments depends on the “tier” of the infringement. HIPAA punishments are separated into four tiers:

Aside from monetary fines, individuals can face jail time. The length of imprisonment ranges from one to ten years.

Create an effective BAA with PandaDoc

By now, you should have a better idea of what a business associate agreement is.

There’s no escaping the fact that it’s an essential document. It gives peace of mind to your customers, letting them know that their data is in safe hands.

As we’ve explored, there’s a lot to bear in mind when writing your contract.

And, as shown above, any mistakes can have costly consequences. This doesn’t just apply to fines but your reputation with customers.

Luckily, there’s an easy way to simplify the process.

The HIPAA business associate agreement template by Uploadcare ensures the security of your customers’ personal health information.

With a few clicks of the mouse, you can communicate how you expect associates to safeguard information.

A business associate agreement is essential.

Don’t delay in making your contract. Why not schedule a 15-minute demo, and learn more about how PandaDoc can help?


PandaDoc is not a law firm, or a substitute for an attorney or law firm. This page is not intended to and does not provide legal advice. Should you have legal questions on the validity of e-signatures or digital signatures and the enforceability thereof, please consult with an attorney or law firm. Use of PandaDoc’s services is governed by our Terms of Use and Privacy Policy.