Understanding what should be included in a required HIPAA BAA is essential.
Earlier this month, I wrote an article, "HIPAA: Back to basics with the BAA," where I promised to write about the nuances of the requisite business associate agreement (BAA). Unless someone is new to the healthcare industry or a business associate (which includes subcontractors) that recently started creating, receiving, maintaining, or transmitting (including storage) protected health information (PHI), by now there should be an awareness that a business associate is directly liable under the HIPAA Rules. Like covered entities, business associates may be subject to civil and, in egregious cases, criminal penalties.
This leads us to the BAA—a written agreement between the parties that serves three primary purposes:
Notably, after having read and drafted numerous BAAs, one quickly learns that all BAAs contain very similar, if not identical, language. That’s because BAAs have certain content requirements, which must be included. Other items, such as particular state law, venue/jurisdiction, and indemnification (just to name a few), are not compulsory but are often seen.
As HHS explains on its website, a BAA is “[a] written contract between a covered entity and a business associate [or a business associate and its subcontractor that] must:
Armed with this information (and after reviewing the HHS website link), hopefully it provides a renewed appreciation for what will be included in a BAA and what may be included. It never ceases to amaze me when I receive (often caustic) questions or pushback on the compulsory items that HHS has set forth. This article may serve as a basis for a polite way to push back if faced with a similar situation.