
March 24, 2026

Strong BAAs Build a Chain of Trust

Business Associate Agreements & Covered Entity Compliance 

Written by Joanne Byron, LPN, BS, CCA, CIFHA, CHA, COCAS, CORCM, CHCO, HPOC, OHCC, CMDP, ICDCT-CM/PCS 

Building a chain of trust between healthcare providers (Covered Entities) and Business Associates (BAs) is a regulatory requirement under HIPAA designed to ensure that Protected Health Information (PHI) remains secure throughout its entire lifecycle, even when handled by third parties.

This chain of trust ensures that privacy and security obligations flow down to every subcontractor that creates, receives, maintains, or transmits PHI. It also increases confidence in your organization's ability to earn and maintain patient trust.


Is Your Organization a Covered Entity, Business Associate or Both?

According to the Office for Civil Rights (OCR), the HIPAA enforcement agency, a Covered Entity (CE) is one of the following:

  • A Health Care Provider
  • A Health Plan
  • A Health Care Clearinghouse

Health care providers include:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Health plans include:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

Health care clearinghouses include entities that process nonstandard health information they receive from another entity into a standard format (i.e., a standard electronic format or data content), or vice versa.

It may not always be straightforward. If you are not sure whether your organization is a covered entity, the Centers for Medicare & Medicaid Services (CMS) provides an educational website and a Covered Entity Decision Tool (58-page PDF).

A HIPAA covered entity (CE) acts as a business associate (BA) when it performs functions or services involving protected health information (PHI) on behalf of another covered entity. This activity-specific role requires a Business Associate Agreement (BAA) for that specific work, even while the organization acts as a CE for its own operations.

The key distinction is that the "business associate" status applies to the service being performed (e.g., providing administrative services) rather than the entity's status as a healthcare provider or payer.

Key Scenarios and Requirements:

  • Services for Another CE: If a hospital (CE) handles billing or provides administrative services involving PHI for an unaffiliated clinic (another CE), the hospital acts as a BA.
  • Subcontractor Relationships: If a BA hires a covered entity to perform work involving PHI, that hired CE is acting as a BA to that BA.
  • Data Sharing: While sharing PHI for "treatment" between CEs does not need a BAA, sharing for services provided to one another (e.g., managing a personal health record, or PHR) does. Common examples include patient portals, health apps, and online trackers, which can contain medical history, diagnoses, and medication logs. According to OCR, a PHR is an electronic application used by individuals to maintain and manage their own health information, as opposed to records solely controlled by a doctor or insurer (an EHR).

PHRs are often, but not always, covered by HIPAA regulations. Key details include:

  • Control: Unlike Electronic Health Records (EHRs) managed by providers, PHRs are managed by the individual or their caregiver.
  • Types: They can be tethered (linked to a provider) or standalone (independent).
  • HIPAA Coverage: If a PHR is provided by a HIPAA-covered entity (like a health plan or doctor), it is covered under the HIPAA Privacy Rule.
  • Alternative Protection: If a PHR is offered by a company not covered by HIPAA, it is governed by the FTC's Health Breach Notification Rule.
  • Compliance: When acting as a BA, the entity must adhere to HIPAA Security Rule and Privacy Rule requirements for the PHI it handles for that specific relationship.

A covered entity functions as a business associate in the following types of situations:

  • Centralized Administrative Services: A hospital (CE) provides billing, claims processing, or data analytics services for an independent physician group or affiliated clinic.
    • A hospital acting as a central billing clearinghouse for independent physician groups.
  • Specialized Clinical Services: An independent laboratory (CE) that typically treats patients directly acts as a BA if it analyzes data for a health plan's quality improvement program.
    • A large health system providing laboratory services.
  • Data Processing Support: A health insurance company (CE) assists another health plan with data processing or administrative tasks.
    • Managed Service Providers or IT support that requires access to another entity's patient records.
  • Patient Safety Organizations (PSOs): PSOs are specifically treated as business associates when they receive and analyze patient safety event reports from other providers. Key Covered Entity Requirements regarding use of PSOs:
    • Risk Analysis & Mitigation: CEs must perform risk assessments to identify threats to ePHI, including data shared with PSOs, and implement appropriate security measures.
    • Staff Training & Governance: Implement comprehensive training on identifying patient safety work product (PSWP) and handling it according to both HIPAA and patient safety rules.
    • Breach Reporting: Any unauthorized disclosure of PSWP is treated as a breach, requiring prompt response and reporting to the Office for Civil Rights (OCR).

Compliance Obligations for the Dual Role

When acting as a business associate, the covered entity is required to:

  • Sign a BAA: It must execute a formal agreement with the other covered entity before PHI is shared.
  • Adhere to BA Duties: It must follow the specific privacy and security requirements outlined for business associates, including reporting breaches and following "minimum necessary" standards.
  • Segregate Data: Large organizations often use internal "self-BAAs" or separate departments to ensure PHI from their BA activities is not improperly mingled with their own patient data.

For more detailed regulatory definitions, you can refer to the HHS Summary of the HIPAA Privacy Rule.

When a BAA is NOT Required Between Covered Entities

Not all exchanges of PHI between covered entities trigger a business associate relationship. A Business Associate Agreement (BAA) is generally not required for:

  • Treatment Purposes: When two independent providers disclose or exchange PHI for treatment purposes, such as a doctor referring a patient to a specialist or treating a shared patient.
  • Standard Payment Activities: When a provider submits a claim to a health plan and the plan pays it; both are acting on their own behalf as covered entities.
  • Organized Health Care Arrangements (OHCA): When entities participate in a joint arrangement, such as a group health plan and its insurer, to perform joint health care activities.
  • Conduit Exception: Organizations that only transport PHI and do not access or store it, such as the U.S. Postal Service, internet service providers (ISPs), or private couriers.
  • Incidental Access: Personnel who might see or hear PHI by chance while providing services, such as janitors, maintenance workers, or electricians, where the access is not the purpose of the work.
  • De-identified Data: Sharing data that does not contain identifiers, as long as it cannot be re-identified.

Not sure if a BAA is required?

Do you need help determining whether a specific service your organization provides requires a Business Associate Agreement? Consult a HIPAA-experienced attorney or consultant instead of "guessing" or relying on an unqualified professional.

Act Now to be HIPAA Compliant

The HIPAA Final Rule is expected to be published in May 2026, with a 60-day effective date followed by a 180-day grace period for compliance. Covered entities should begin updating their policies now to meet these more stringent requirements.

Establishing a strong chain of trust under HIPAA requires vendor contracts that are current, compliant, and translate legal requirements into operational controls.

A legally binding Business Associate Agreement (BAA) is the foundational document of the chain of trust.

A robust BAA ensures that all parties (covered entities, business associates, and subcontractors) are bound by the same rigorous privacy and security standards, mitigating risk in an era where nearly half of all HIPAA breaches involve third-party vendors.

  • Mandatory Clauses: The BAA must explicitly outline permitted uses/disclosures, require the implementation of safeguards (administrative, physical, and technical), and mandate prompt breach reporting.
  • Defined Scope and Data Flows: Explicitly mapping where Protected Health Information (PHI) is created, stored, or transmitted to ensure the "minimum necessary" standard is applied.
  • Subcontractor Flow-Down Obligations: A crucial component requiring the business associate to bind any subcontractors to the same level of security and privacy protections.
  • Stringent Breach Notification Procedures: Defining clear timelines (e.g., within 60 days, or faster, such as 24-hour notice for emergency plans) for reporting incidents to the covered entity.
  • Security Safeguards Requirement: Mandating administrative, physical, and technical safeguards, including encryption in transit/at rest, multi-factor authentication (MFA), and regular risk assessments.
  • Termination and Destruction Protocol: Ensuring that upon contract termination, PHI is either returned or securely destroyed, with no further retention.
  • Audit and Compliance Rights: Granting the covered entity the right to audit the vendor's security controls and requiring access to records for HHS investigations.
  • Pre-engagement Requirement: The BAA must be signed before any PHI is shared.

Do Your Due Diligence

Trust is built on verification, not just contracts. Conduct comprehensive risk assessments to evaluate a vendor's security posture, policies, and procedures before partnering.

  • Verify the vendor's compliance.
  • Review the vendor's documented risk analyses, audit trails, and, if applicable, third-party certifications.

Best Practices for Maintaining the Chain of Trust

  • Regular Updates: Reviewing and updating BAAs whenever services, technologies (e.g., cloud, AI), or regulations change, such as preparing for upcoming 2025 HIPAA revisions.
  • Vendor Due Diligence: Assessing a business associate's security posture before signing a BAA, rather than relying solely on the contract for security.
  • Employee Training: Ensuring the business associate trains its staff on the specific requirements of the BAA.
  • Assigning Liability: Clearly defining which party covers financial penalties, legal fees, or remediation costs in the event of a breach.

Consult a HIPAA legal expert to assist your organization as you update your BAAs to comply with the new Final Rule. By tightening your BAAs and your relationships with vendors, you move from a passive compliance posture to an active, operationalized partnership that protects patient data and reputation and builds patient trust.

About the Author

Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS is an educator and Officer of the American Institute of Healthcare Compliance, a Licensing/Certification non-profit partner with CMS. She shares her experience of over 40 years as a nurse, consultant, auditor, and investigator in the healthcare field.

Copyright © 2026 American Institute of Healthcare Compliance All Rights Reserved
