A Business Associate Agreement (BAA) is a written contract that specifies each party's responsibilities when it comes to protected health information (PHI). It establishes a legally binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI. HIPAA-covered entities are required to enter into business associate agreements (BAAs) with any third party that handles PHI. These agreements include clauses outlining the permissible and impermissible uses of PHI, each party's liabilities, the consequences of failing to comply with the stated requirements, and more. Business associate agreements form the backbone of an organization's HIPAA compliance program.
A BAA is a crucial component for any company complying with HIPAA. It is in the best interests of both covered entities and their business associates to have a BAA in place, since both parties are responsible for protecting PHI. Business associate contracts must include the criteria of 45 CFR 164.504(e) and must be incorporated into any contract or other written agreement between a covered entity and its BA. These contracts must determine what PHI the business associate will access, how the parties will indicate acceptance of the terms of the agreement, and how the covered entity will use commercially reasonable efforts to cure any breach or violation of the BAA caused by the BA.
It is important to note that business associate agreements need to be vetted against the relevant HIPAA rules, and it is a good idea to use contract management tools that let you create, upload, and share templated workflows quickly, with no coding required. There are many examples of business associate agreements online, but take care before using such templates, as they may have been designed for a different relationship. Each BAA should be customized to the unique nature of the relationship between the covered entity and the respective business associate.