What is a Business Associate?
A Business Associate (BA) is a person or organization that performs a function or provides a service on behalf of a Covered Entity that involves creating, receiving, maintaining, or transmitting protected health information (PHI), including its electronic form (ePHI). Covered Entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions.
Most Covered Entities cannot carry out every healthcare-related function in house. Instead they rely on Business Associates to perform those functions, and the Business Associate must in turn handle the PHI it receives in compliance with the HIPAA rules.
Examples of Business Associates include lawyers, accountants, billing companies, cloud storage providers, web hosts, and email encryption services, whenever the service involves access to PHI. Before a Covered Entity shares PHI with a Business Associate, HIPAA requires that a written Business Associate Agreement (BAA) be in place between the two parties.
A BAA is a written contract that establishes each party's obligations and liabilities for the PHI it handles, as required by the HIPAA Privacy and Security Rules. It is a necessary part of HIPAA compliance: sharing PHI with a vendor without one is itself a violation that can expose both the Covered Entity and the Business Associate to penalties.
Since both Covered Entities and Business Associates must protect any PHI they store, receive, or send, it is in both parties' interest to have a BAA in place. Note that signing a BAA does not shift all responsibility to the BA: a Covered Entity must obtain satisfactory assurances that the BA will safeguard PHI, and if it becomes aware that the BA is violating its obligations it must take reasonable steps to cure the breach or end the relationship. A Covered Entity that signs a BAA without confirming the BA can actually operate under HIPAA-compliant policies, and then ignores evidence that PHI exchanged between the parties is not being safeguarded, can itself be held responsible. Since the HITECH Act and the 2013 Omnibus Rule, Business Associates are also directly liable for their own HIPAA violations.
There is no single mandated BAA form; the HIPAA Privacy Rule lists the provisions a BAA must contain, and HHS publishes sample contract language, but each BAA should be tailored to the specific relationship between the Covered Entity and its Business Associate. Any Covered Entity that shares PHI or ePHI with a vendor must have a BAA in place to be HIPAA compliant. A BAA does not by itself prevent all financial penalties, but its absence is a violation that can be penalized on its own.