Why do I need to sign a Business Associate Agreement?

There must be a signed Business Associate Agreement (BAA) between a Covered Entity and a Business Associate.

If you are a Business Associate (as defined by the Omnibus Rule) and a Covered Entity with whom you do business has sent your organization a BAA, you, as an authorized representative of your company, must sign the BAA.

Similarly, if a Business Associate initiates a BAA with the Covered Entity, then the latter must sign the BAA.

Not sure if you are a Business Associate? Click here

Signing a Business Associate Agreement is only the first step in what you have to do. Under the Omnibus Rule, a Covered Entity must obtain assurances that a Business Associate, and any of its subcontractors that has access to the Protected Health Information (PHI), is meeting the requirements of HIPAA.

In other words, the signed BAA serves as a guarantee that the Business Associate will appropriately safeguard Protected Health Information (PHI). The BAA also serves to clarify and limit the permissible uses and disclosures of PHI by the Business Associate.

The law requires a Business Associate Agreement.


For questions or concerns, contact us via the following:
  • Chatbox/window on your Complete Compliance Suite screen.
  • Telephone: 877-560-4261
  • Email: support@epicompliance.com