Are we required to send a Business Associate Agreement (BAA) to all our business contacts?

Yes. 45 CFR 164.502(e), 164.504(e), 164.532(d), and (e) covers the definition of a subcontractor and the requirement to ensure that a Business Associate Agreement is signed by such party. The HITECH Act and the Omnibus rules also cover the need for a Business Associate Agreement and the responsibilities under these regulations of these Business Associates.

In a nutshell, a Business Associate is a subcontractor who has access to your patient information and is paid by a Covered Entity or another Business Associate to accomplish a task. Please keep in mind that there is already legal precedence stating that:
  • The Government may determine a Business Associate relationship exists regardless of the existence of a contract;
  • A subcontractor may be classified as a Business Associate even if he/she do not have direct access to PHI;
  • Covered Entities must obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity;
  • Chain of custody must be preserved, hence contracts between Business Associates and their subcontractors must include the same provisions as those between Covered Entity and Business Associate;
  • Covered Entities must terminate contract relationship with Business Associates if they fail to comply with the provisions of HIPAA Security.

For questions or concerns, contact us via the following:
  • Chatbox/window on your Complete Compliance Suite screen.
  • Telephone: 877-560-4261
  • Email: