Ounce of Prevention: Do You Have Business Associate Agreements With Every Required Party?

May 14, 2024
Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and obligations with respect to the privacy and security of patient Protected Health Information (PHI). Most healthcare providers will qualify as a CE. CEs must obtain “adequate written assurances” from their BAs that the PHI will only be used or disclosed as permitted by law and as instructed by the CE, and BAs must impose these obligations and limitations on their subcontractors. These written assurances typically take the form of a Business Associate Agreement (BAA).

Both CEs and BAs are directly liable for failing to have compliant BAAs in place. Failure to have BAAs is a violation of HIPAA and can result in significant fines if discovered, particularly in the event of a HIPAA breach.

It is critical for all entities who create, receive, maintain or transmit PHI to ensure they have BAAs in place. CEs must ensure they have BAAs with all of their BAs; BAs must ensure they have BAAs with CE customers and BA subcontractors; subcontractors also need to ensure they have BAAs in place with their BA customers (often known as sub-BAAs). All parties need to ensure their BAAs comply with the statutory requirements, at a minimum.

How to Confirm?

To assess whether you have BAAs in place:

  1. Start by making a list of all entities with whom a BAA is necessary.
    • For CEs, make a list of vendors who create, receive, maintain or transmit PHI on your behalf.
    • For BAs, create a list of all CE customers and a list of all subcontractors to whom you delegate responsibilities that involve customer PHI.
    • For subcontractors, create a list of all customers you handle PHI on behalf of.
  2. Confirm that each entity listed in step 1 has a BAA.
  3. Create a mechanism for tracking all BAAs that includes verification that such BAAs were actually signed by both parties and the date of such signature. Ensure there are checks in place to confirm the signed BAA exists prior to sharing PHI.
  4. Periodically audit all BAAs by selecting a random sample and verifying all signatures. Consider pulling this random sample from a monthly accounts payable list (or, for subcontractors and BAs, an accounts receivable list) to confirm that a signed BAA is in place for every entity on it.

If you need assistance reviewing, creating or auditing your BAAs, McGuireWoods attorneys can assist.


Ounce of Prevention is a McGuireWoods series that details healthcare laws and regulations and offers tips on how providers can ensure they are in compliance. To recommend a topic for a future installment, email Gretchen Heinze Townshend at [email protected] or Tim Fry at [email protected].
