Business Associate Agreement (BAA)

Under HIPAA (45 CFR §164.502(e)), a covered entity may not disclose PHI to a business associate without a signed BAA in place. Business associates include any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, waste haulers who handle documents containing patient information, IT vendors with access to EHR systems, billing companies, cloud storage providers, and shredding services all qualify. Since the 2013 HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance, not just contractually bound.

A common compliance gap is the failure to execute BAAs with all qualifying vendors. Many facilities have BAAs with their EHR vendor and clearinghouse but overlook their medical waste hauler, their document destruction provider, or their answering service. Each missing BAA is a separate HIPAA violation. HHS has pursued enforcement actions specifically for BAA failures, with settlements reaching $1.55 million for a single provider.

BayArea Compliance executes a BAA with every client as standard practice, we handle medical waste that may contain PHI on labels, manifests, and containers. Our HIPAA|360 program also includes a vendor audit that identifies all of your business associate relationships and verifies that current, compliant BAAs are in place for each one.