Business Associate Agreement (Facts)

  1. A BAA is a contract between a covered entity and a business associate in the United States to ensure the privacy and security of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

  2. BAAs must be in writing and signed by both parties.

  3. A BAA must include the names of the covered entity and the business associate, the purpose of the agreement, the obligations of the parties, and restrictions on how the business associate may use and disclose PHI.

  4. A BAA must also include a description of the permitted and required uses of PHI, a description of the requirements for safeguarding the PHI, and the duration of the agreement.

  5. The BAA is the only legally binding agreement that a covered entity and business associate can enter into to ensure compliance with HIPAA.

  6. Covered entities are required to have a BAA with all of their business associates who may have access to PHI.

  7. Business associates must also have a BAA with any subcontractors who may have access to PHI.

  8. A BAA must be updated each time there is a change to the services or activities of the business associate or subcontractor.

  9. A BAA must also be updated if any of the provisions of the agreement are violated.

  10. A BAA must include a provision for termination of the agreement in the event of a breach of the agreement by either party.

  11. Business associates must report any discovered breaches of the BAA to the covered entity.

  12. Business associates must also provide the covered entity with an accounting of disclosures of PHI for six years prior to the date of the agreement.

  13. The BAA must include how the business associate will comply with all HIPAA requirements, including the Privacy Rule and the Security Rule.

  14. The BAA must also describe the business associate's policies and procedures for safeguarding PHI.

  15. The BAA must also include a provision for the business associate to provide the covered entity with an annual report on its compliance with the terms of the agreement.

  16. Business associates are not allowed to use or disclose PHI for their own gain or benefit.

  17. A BAA must include a provision for the business associate to obtain satisfactory assurances from any subcontractor that it will comply with the requirements of the BAA.

  18. A BAA must also include a provision for the business associate to return or destroy all PHI in its possession upon termination of the agreement.

  19. A BAA must also include a provision for the business associate to comply with all applicable state and federal laws.

  20. A BAA must be reviewed and updated annually.

  21. A BAA must also include a provision for the business associate to provide the covered entity with access to PHI in accordance with HIPAA.

  22. A BAA must also include a provision for the business associate to obtain written authorization from the covered entity before disclosing PHI to any third party.

  23. A BAA must also include a provision for the business associate to obtain satisfactory assurances from any subcontractor that it will comply with the terms of the BAA.

  24. A BAA must include a provision for the business associate to ensure that any subcontractor agrees to the same restrictions and conditions that apply to the business associate with respect to the use and disclosure of PHI.

  25. A BAA must also include a provision for the business associate to obtain satisfactory assurances from any subcontractor that it will comply with the security requirements of the HIPAA Security Rule.