Business Associate Agreements and HIPAA: Be In The Know

February 1, 2019

by Nick Jaworski, Digital Community Builder of Circle Social, Inc.


So you know that you and your third party vendors need to handle information safely or else you could get some serious fines for HIPAA violations, especially in the field of addiction treatment marketing.

So now what?

To motivate your vendors and marketers to take this issue seriously, they need to share some of the responsibility and legal liability for handling your patients' information correctly. To do this, you need a Business Associate Agreement, or BAA.

What is a BAA?

A BAA, or Business Associate Agreement, is an agreement between a business and the third-party organizations it has a business relationship with. Within the wording of the regulations concerning BAAs, they are officially called "business associate contracts," but in common speech they are almost always referred to as BAAs. A BAA can either be a separate document, or it can be written into the overall contract between the health center and the third-party vendor.

These agreements create a shared liability between the center and the vendor in question, and, like most contracts, if one party violates the agreement, it may have to make reparations to the other party. They mostly cover how and when third-party vendors, like marketing companies, should handle PII (personally identifying information) and PHI (personal health information). Most of them directly cite specific passages of HIPAA that are likely to come up throughout the vendor's work.

A typical BAA will include the following:

  • Necessary definitions
  • Obligations and activities of business associate
  • Permitted uses and disclosures by business associate
  • Provisions for covered entity to inform business associate of privacy practices and restrictions
  • Permissible requests by covered entity
  • Timeline for reporting breaches and/or potential breaches
  • Term and termination
  • Miscellaneous items specific to the business relationship at hand

Some items to watch out for, which should not be in your BAA, are terms that create unlimited liability or unrealistic timelines for reporting a breach. It's always important to have a lawyer look over your agreement to make sure the contract is viable and enforceable. Check here for a sample business associate agreement. These terms MUST be in writing and signed by both parties.

Who is required to get a BAA, and who is included in it?

Any individual (like a self-employed contractor) or entity (like a marketing firm) that performs activities for the "covered entity," meaning your health center, that require the business partner to access PHI needs to sign a BAA.

Many vendors can fall under this category, such as:

  • Hospital utilization review consultants
  • Advertising firms
  • Call centers doing lead generation or pre-screening admissions
  • Legal services and attorneys
  • Training consultants for anything from your admissions center to your business development

Once a BAA is in place between the parties involved, the employees of each party are also covered; individual employees do not need to sign the BAA. For this reason, anyone handling PII and PHI needs to have a clear, in-depth privacy policy, and make considerable efforts to ensure all employees are familiar with it.

Employers in this scenario usually have all of their employees take a HIPAA training and/or sign a waiver regarding the handling of personal information. Some even send teams or team leaders to get certified by programs that focus on HIPAA safety, like BHAP's addiction treatment marketing program.

There are a few notable exceptions to these BAA guidelines, however. For instance, law enforcement may request PHI under certain circumstances, but is not considered a business associate, and therefore does not need to sign a BAA.

The Department of Health and Human Services (HHS) also specifies these situations as exceptions to the rule of needing a BAA to share liability for transfer of PHI:

  • Disclosures by a covered entity to a healthcare provider, with the express intent of treating the individual
  • Collection and sharing of PHI by a public benefits program, like Medicare
  • Disclosure to a health care sponsor by a group health plan, health insurance issuer, or HMO that provides health insurance
  • Transfer with individuals or organizations that are a conduit, such as the United States Postal Service

The main takeaway here is that everyone shares a responsibility in some capacity to handle PHI and PII securely, whether they are officially on the BAA or not.

Recent developments regarding handling of PHI

HIPAA compliance can be slippery to maintain sometimes, for two main reasons.

The first is that the act was not explained fully to those it concerned when it was first put into effect, on top of enforcement being low, leading many to believe that several parts of HIPAA were not that serious.

The second is that ways of communicating are constantly evolving. Digital communication, cloud storage, and even electronic records within a facility all need to be secured at all times, and deployed appropriately.

Several recent developments deserve your attention.

Recent OCR Actions Regarding HIPAA

HIPAA violations are usually handled by the Office for Civil Rights, or the OCR. They started picking up speed in enforcing HIPAA regulations in 2014 and 2015. The OCR has begun performing sweeping audits, though their requirements are not identical for each audit.

Some covered entities (meaning health centers, mostly) are being asked to provide privacy policies and procedures, and others are being audited down to their individual security rules and measures, such as their breach notifications. Another development from the OCR is that they have released a fact sheet regarding ransomware (or any malware) as it relates to HIPAA requirements.

The OCR declared that the presence of malware on any covered entity or business associate's computer systems should be considered a breach of HIPAA, and should be treated as such. They also suggested that BAAs be updated to include requirements for business associates to make sure that covered entities are appropriately notified after possible cyberattacks, within a reasonable amount of time.

Recent settlements regarding HIPAA violations have shown just how much security breaches can cost. Settlements have been reached for $2.75 million with the University of Mississippi Medical Center, $2.7 million with Oregon Health & Science University, and $2.2 million with New York Presbyterian Hospital. The first time ever that a business associate was brought to task resulted in Catholic Care Services settling with the OCR for $5.55 million after a smartphone was stolen, compromising hundreds of patients' PHI.

The rise of cloud storage and its effect on PHI security

Cloud storage is storage of data on servers reached over the internet, as opposed to storing data on a physical device you control, such as a computer's hard drive or a portable flash drive. The companies or individuals hosting this storage are known as cloud service providers (CSPs), and they need to be included in a BAA if they are handling PHI for your health center. Also, in order to make sure that this critically important information stays available, it is recommended that you implement a Service Level Agreement (SLA).

SLAs for cloud storage services usually include:

  • System availability and reliability
  • Data recovery and back-up
  • How data will be handled in the event of termination of the contract
  • Security measures and responsibility
  • Limitations on the use and disclosure of data

While cloud storage has benefits like better backup and easier accessibility between those authorized to access your center's data, there are security challenges to be considered, too.

Healthcare interoperability and data security

With the HITECH Act in place, requiring health centers to keep electronic health records for the benefit of both patients who need to access their information and to improve healthcare interoperability, some security risks arise.

Interoperability refers to the ease of transfer of medical information between healthcare providers and insurance providers. Electronic records can be transferred much more quickly than paper records.

However, HIPAA disclosure requirements remain the same. While paper disclosures often required a signed form or some other security check to access, emails and digital communications are not being treated with the same care.

"Reply-all" mistakes are made in email chains; information can be faxed to the wrong number; permissions to access PHI may not be set up correctly.

It can get messy. You may want a professional to come in and audit your communication procedures. And again, getting certified can help.

What happens if you violate HIPAA?

HIPAA violations are actually quite common, unfortunately. Many medical organizations do not even realize they are violating HIPAA.

Some things that seem normal or like they make sense are still in violation of Title II of HIPAA, the clause concerning unauthorized access to PHI, or de-anonymization of data containing PHI.

For instance, all of the following are common violations:

  • Mixing PII and PHI (personal health information) in ANY electronic communication.
  • Improperly responding to reviews online.
  • Including pictures of people online without proper HIPAA waivers.

Getting caught doing these things can have dire consequences. Fines for violations can be as much as $50,000 per piece of mishandled information.

As it was listed in the section on recent OCR actions, legal settlements can reach millions of dollars. Mistakes can be discovered in audits of a health center, or due to complaints brought up directly by those whose PHI has been compromised.

How do covered entities prevent HIPAA violations once a BAA is in place?

Having a BAA signed and in place is not very useful if the covered entity is not monitoring activity from time to time to make sure its provisions are being observed. It also is not much help to have your business associates following proper protocol if your own staff does not know how to handle health-related data.

While BHAP is not a legal office, and this article is not official legal advice that will fully protect you, some general best practices are as follows:

  • Analyze your current security system and protocols for gaps in coverage
  • Make a risk mitigation plan
  • Have as many fail-safes in place as possible: physical, technical, and administrative
  • Create clear policies and standard-operating procedures, then make sure your staff is fully trained on them
  • Review BAAs to make sure they are being followed
  • Have yearly HIPAA training to keep everyone up-to-date
  • Document everything – from potential breaches to policies, to trainings administered – EVERYTHING

And we cannot emphasize enough that getting certified both teaches you and your staff how to employ good HIPAA protocols and proves that you know what you are doing to anyone you may want to engage in business with. This is especially sensitive and important for addiction treatment marketing. Here at BHAP, we have the perfect certification programs for just that.

