HIPAA Business Associate Agreement

HIPAA Business Associate Agreement Decisions
Determine if a HIPAA BAA is required – questions to consider and examples

When considering a HIPAA business associate agreement, the first step is to determine if such an agreement is necessary. Along with the examples listed below, a provider must answer the following questions in making the determination.

When Is a HIPAA Business Associate Agreement Required?

  1. Does the person or organization perform a function on your behalf that requires the use or disclosure of PHI (protected health information)?
    1. If the answer is no, this is not a business associate
    2. If the answer is yes, continue with the next step
  2. Is the person or organization under consideration a covered entity according to HIPAA?
    1. If the answer is no, a HIPAA business associate agreement should be completed
    2. If yes, go to the next step
  3. Does the individual or organization perform task(s) directly related to treatment?
    1. If the answer is no, a HIPAA BAA should be completed
    2. If the answer is yes, this is not a business associate

For further clarification, the lists below give examples of who or what is considered a HIPAA business associate and would need the agreement with you, and of those who do not qualify.

Examples of HIPAA Business Associates

  • Accountants
  • Accreditation agencies
  • Attorneys
  • Auditors
  • Billing services
  • Cleaning services
  • Consultants
  • Copying companies
  • Data entry services
  • Document management solutions providers
  • Healthcare clearinghouses
  • IT service providers
  • Management companies/consultants
  • Quality assurance providers
  • Shredding companies
  • Third-party administrators
  • Transcription entities
  • Utilization review entities

Examples of Entities that are not HIPAA Business Associates

  • Board members
  • Courier/delivery services
  • Employees
  • Financial institutions that process consumer-conducted financial transactions that pay for healthcare services
  • On-site volunteers
  • Professional staff
  • Providers that are considered part of an Organized Healthcare Arrangement with your organization

Need a HIPAA BAA Template?

If it is determined that the entity you are dealing with requires a HIPAA business associate agreement, download a BAA template here to use as a guide. This is what we and our parent company use. All identifying information has been removed. You can edit as necessary for each instance where a HIPAA business associate agreement is required.