Business Associate Agreements


What (or Who) is a "Business Associate"?

A Business Associate is someone, other than a member of your staff or workforce, that performs activities for you involving use or disclosure of protected health information (PHI). This includes, specifically, those performing services on your behalf, such as companies or individuals performing your claims processing, utilization review, and/or billing, or those providing services to you, such as legal, accounting, consulting, practice management, administrative, accreditation, or financial services. In particular, your practice management consultants, your EHR companies and providers, your billing company, and people assisting with marketing activities for your practice are all "business associates" subject to this rule. 

There is an important limitation on this definition. To be a business associate under HIPAA and to require a Business Associate Agreement (BAA), the work of the business associate must deal directly with the use or disclosure of PHI. One is not a business associate (or no BAA is required) under HIPAA if the services they are performing on your behalf or for you do not involve the use or disclosure of PHI to the contractor and where access to any PHI would be incidental, if at all (e.g. your cleaning crew, janitors, trash collection, computer repair people, painters, electricians, etc.). Your CPA or lawyer may or may not be a "business associate" under the rule, depending on the kind of work they are doing and the information you are providing them.

When Do I need a Business Associate Agreement?

If the work an entity or person performs for you or on your behalf involves the use or disclosure of PHI, then the HIPAA Privacy Rule requires that you have a written Business Associate Agreement with that entity or person. If you do not, you are in violation of HIPAA.

Model Business Associate Agreement

The model Business Associate Agreement (BAA) provided here is free of charge for use in your office, either as-is or modified to suit your needs. It complies with the Final Privacy Rule issued January, 2013 and effective in September, 2013. Every office is required to have a BAA with its "Business Associates." Feel free to use this one if you wish. It is but one example of an Agreement which complies with the final HIPAA privacy rule and which protects YOUR interests.

Note: many of your contractors will have you sign a BAA, but those BAAs are not necessarily written to protect you in the event the contractor breaches or violates HIPAA rules.


To use the model agreement provided here, you need only enter the business information in the opening paragraph, then sign the agreement and have the contractor sign it. Keep a copy of the agreement in your files, and provide a copy to the contractor.


For a Word DOC (docx) file of the model Business Associate Agreement, click here.