Business Associate Agreements: Required Elements
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, requires covered entities (“CEs”) and business associates (BAs) to execute a business associate agreement (“BAA”) with their business associates (subcontractors) to ensure that the BA agrees to comply with the Privacy and Security Rules affecting protected health information (“PHI”). BAAs are legally binding contracts that outline and define the CE and BA’s responsibility (aka liability) in regards to the managing and handling of PHI (including electronic PHI) and regulatory requirements.
CEs and BAs must execute a business associate agreement prior to using or disclosing PHI with each other. To have a valid BAA, the BAA must include the following elements (“BA Contract Requirements):
- Describe the permitted and required uses and disclosures of PHI by the BA;
- Provide that the BA will not use or further disclose the PHI other than as permitted or required by the contract or as required by law;
- Require the BA to use appropriate safeguards to prevent unauthorized use or disclosure of PHI other than as provided for by the contract and law;
- Require the BA to report to the CE any use or disclosure of the PHI not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
- Require BA to disclose PHI as specified in its contract to satisfy a CE’s obligation with individuals’ right to request for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
- Require the BA to comply with the requirements applicable to the obligation, to the extent the BA is to carry out a CE’s obligation under the Privacy Rule;
- Require the BA to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the CE for purposes of HHS determining the CE’s compliance with the HIPAA Privacy Rule;
- Require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of the CE, if feasible, at the termination of the agreement;
- Require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA; and
- Authorize termination of the BAA by the CE if the BA violates a material term of the contract.
For additional guidance on drafting a business associate agreement, HHS developed a sample BAA to assist CEs and BAs comply with the BA Contract Requirements.
CEs and BAs should review the business relationships they have with third party service providers to determine if a BAA is required and, if one is required, that the agreement meets the BA Contract Requirements. Additionally, CEs and BAs should periodically review their BAAs to ensure compliance with the terms outlined in the agreement.
 See 45 CFR §164.502(e). A BAA is not required between a CE and BA if the CE is only disclosing a limited data set (as defined by HIPAA) to the BA and the CE executed a data use agreement. See id. at §164.514(e).
See id. at § 164.504(e)(3). These elements are also required in the agreement between the BA and subcontractor.
 If termination of the agreement is not feasible, a CE is required to report the problem to OCR.