BAA Primer: Your First Steps to Compliance and Optimal BAA Management


Executive Summary

A decade ago, management of Business Associate Agreements (BAAs) was relatively easy. In fact, for most industry stakeholders, it was viewed as a low-priority compliance responsibility that essentially amounted to checking off another HIPAA requirement.


Today, the stakes surrounding BAA compliance are far higher. Compliance professionals need a clear understanding of how these agreements fit into a privacy and security strategy and how to manage them well. In this white paper, you will learn:


  • Key concepts related to BAA management such as: What is a Covered Entity? What is a Business Associate? Where do I fit in?
  • Why BAA management is increasingly fragmented and complex
  • The role of Breach Notification Timeframes (BNTs) in breach response readiness
  • How to conduct a BAA audit and the substantial resources required for ongoing data analysis and management
  • First steps towards optimal BAA management


Welcome to Compliance!

If you are new to healthcare compliance, we applaud your efforts to protect the industry’s most important asset: patient data. We also recognize the overwhelming nature of navigating healthcare’s complex regulatory web and hope to make your job a bit easier.


So, take a deep breath, exhale and consider how the following information can help you optimize one of healthcare’s growing compliance challenges: management of Business Associate Agreements (BAAs).


Depending on the size of your organization, you may have a team of professionals working with you or you may be the one-stop-shop for all compliance matters. The reality is that compliance staffing models vary widely across hospitals, health systems and other healthcare service providers. Yet, regardless of structure, all healthcare compliance leaders share a common reality: your organization shares data with a growing number of business partners and vendors, and BAAs need to be in place to comply with HIPAA.



BAA Basics: Where do you fit?

HIPAA requires that a Covered Entity (CE) obtain a written agreement, the BAA, from each Business Associate (BA) before protected health information (PHI) is shared with it. The BAA binds the BA to safeguard PHI in accordance with the HIPAA Privacy and Security Rules and to report breaches back to the CE; a BA must in turn obtain a BAA from any subcontractor that handles PHI on its behalf.


An organization is either a CE, BA or a hybrid of the two.

  • In simple terms, Covered Entities (CEs) are health care providers, health plans (insurers) and health care clearinghouses (organizations that process healthcare data). Providers qualify as CEs when they transmit health information electronically in connection with a HIPAA standard transaction, such as a claim or eligibility check. For example, hospitals, pharmacies and health plans are all CEs.
  • Business Associates (BAs) are persons or organizations that create, receive, maintain or transmit PHI on behalf of a CE or of another BA (a subcontractor of a BA is itself a BA). Examples of BAs include data and analytics software providers, billing companies and medical software providers.
  • Many organizations can find themselves in a hybrid situation where they are classified as a CE but also serve as a BA to other organizations. For instance, while a hospital is a CE because it is a care provider, it may also provide managed services such as billing or scheduling to other hospitals or medical practices in its network. In this case, the hospital is acting as a BA.


The lines can get blurred. That is why you must not only understand your organization’s classification, but also how that classification may change with each agreement and relationship.




BAA Management: So, where do I begin?

New compliance leaders often find that they have inherited multiple messes: risk analyses and privacy policies are out of date, compliance audits are behind and of course, BAA management is a disaster. If this is you, rest assured that you are not alone in your struggle. BAA management has become increasingly complex in recent years due to a perfect storm of security and regulatory initiatives.


As the compliance lead, you were likely provided documents that describe the policies and procedures related to all areas of privacy, including HIPAA. You were also likely handed a pile of BAAs in either digital or paper format, although it is probably difficult to determine if the stack you are holding is complete or if others exist.


There are many reasons why BAA management has become fragmented. For example, if your organization is like many in healthcare, it has likely completed a merger, acquisition or a strategic partnership in recent years. Or, it has simply been growing.


The momentum behind healthcare consolidation trends shows no sign of slowing, and while these movements are great for creating economies of scale, they wreak havoc on BAA management. Compliance directors like you must often navigate across multiple facilities and departments to locate agreements within disparate systems and paper files. In addition, your organization may not have a centralized compliance function, which means you must identify and reach out to others who have ownership of BAAs. You are not alone in your compliance headaches!


As a simple exercise, industry experts suggest pulling a sample of existing BAAs and writing down the following information about each one:

  • Who are the two contracting parties?
  • Is my organization the BA or the CE in this agreement?
  • What is the effective date of the agreement? (If it is before the HIPAA Omnibus Rule compliance date of September 23, 2013, the agreement may not reflect the Omnibus requirements; check out the HIPAA Omnibus Rule Callout!)
  • What is the Breach Notification Timeframe (BNT)? (For more information see the BNT callout)
  • Is there a designated point of contact, or a preferred method of contact, to use in case of a breach?



PHIflow is a data and technology company combining artificial intelligence and legal expertise to help companies understand their HIPAA Business Associate Agreement (BAA) risks and requirements.

2019 © Copyright PHIflow LLC. All Rights Reserved.



530 7th Avenue, M1, New York, NY 10018

(212) 840-8870