HIPAA Business Associate Agreement (BAA)

The Business Partner Agreement, also known as the Business Associate Agreement, sets out each party's obligations concerning PHI. HIPAA requires affected businesses to work only with business partners who guarantee full security of PHI. Affiliated Company and BA must express these warranties in writing as a contract or other Agreement. In addition to affected companies, HHS may also review her HIPAA compliance with BA and subcontractors. To comply with HIPAA regulations, a company must enter into a Business Associate Agreement (BAA) for each of the three tiers he does. All three classes are responsible for protecting PHI, so an agreement is best for both parties.

According to HHS, a business partner/subcontract must include the following information −

  • Discuss the permission and required use of PHI by business partners or subcontractors.

  • Business Partner/Subcontractor makes clear that it will use her PHI only to the extent required by law or permitted by these Terms, in accordance with the terms of the Agreement.

  • Require business partners or subcontractors to take reasonable precautions to prevent unauthorized use or disclosure of PHI;

Once the subject entity, business partners, and subcontractors of business partners are interconnected, it is important to ensure that third parties protect her PHI received. BA is aware of signed agreements requiring secure handling of PHI.


Privacy Policy: Healthcare plans, healthcare clearing houses, and healthcare providers are considered businesses subject to privacy regulations. A Protected Entity will work with a third-party Business Partner to improve its business if the Business Partner can ensure that it only uses its PHI for the purposes specified.

Business partners must protect PHI from misuse and unauthorized access and assist the companies involved in complying with data protection regulations. Patients have the right to view and edit their information in accordance with this policy. This must be in writing throughout the Business Partner Agreement.

Cyber Security Terms: To protect ePHI (PHI is stored or transmitted electronically in accordance with this regulation), relevant organizations and their business partners must take appropriate physical, technical and administrative measures. Information submitted in any other form, including hard copies, is not included.

General rules: HITECH made adjustments in 2009 to ensure that business partners are required to comply with its HIPAA, but the polyline rule reinforced this bias and went into effect in 2013. Once the rule goes into effect, HIPAA requires its business partners and suppliers to comply with its PHI, which is protected and directive as the relevant entity. The companies involved are not responsible on behalf of the BAA.

Who should sign the BAA?

Any person or entity working for a Protected Entity that interacts with Protected Health Information (PHI) is considered a Business Partner (BA) and must sign the BAA. The BAA must be signed by the business or organization that interacts with the business concerned. Software and startups that provide software solutions store, process, or transmit protected health information when sold to healthcare providers, cloud service providers, medical hospitals and workplace health agencies, and the client's BAA. signal

The more sellers there are, the more complicated it becomes. For example, a hospital has a business associate agreement (BAA) with 100 software vendors. These 100 software vendors all have their own software solutions and cloud service providers and may have signed the BAA. Each stakeholder is responsible for ensuring that the relevant agreements are implemented.

How does BAA work with My Cloud Provider?

The Business Partners and Cloud Computing Policy was originally published by HHS. According to HHS, cloud service providers (such as AWS and Azure) act as business partners when generating, receiving, storing, or transmitting PHI. Therefore, companies deploying cloud platforms and applications using PHI must have signed the BAA.

A BAA provided by a cloud service provider describes the cloud customer's and cloud provider's responsibilities for her HIPAA protection. Since the BAA may only cover a certain subset of cloud services, it is important that the services covered by the BAA store, process, and transmit only PHI. To solve availability and security concerns, HHS advises enterprises to enter into service level agreements (SLAs) with cloud service providers.


If a company is an affected entity, a business contract with its partner is essential to its HIPAA compliance. His HIPAA-supporting businesses, such as healthcare providers and healthcare clearinghouses, require business partner agreements between business partners and subcontractors to protect PHI from unauthorized access.