Business Associate Agreements: What You Need to Know


By: Michael Griffin and Alexandra Held

Business associate agreements are essential to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), the federal law establishing national standards to protect the privacy and security of protected health information (PHI).   

The Department of Health and Human Services’ Office for Civil Rights (OCR) reported that in 2022, hacking/IT incidents accounted for 79% of large breaches of PHI. Both healthcare entities and the individuals and businesses that provide services to them may be liable for a breach if they have not established appropriate safeguards through a Business Associate Agreement (“BAA”). Accordingly, it is important for businesses and healthcare entities to understand when a BAA is required, what provisions it should include, and the consequences of failing to enter into one.

Who must enter into a business associate agreement? 

A BAA must be entered into between a HIPAA covered entity and any third party, known as a business associate, that handles PHI while providing a service to the covered entity. Business associates are in turn required to enter into BAAs with any subcontractors they use to support the service provided to the covered entity.

Examples of relationships between covered entities, business associates and business associate subcontractors that would require a BAA include: 

  • An attorney who provides legal services to a health care provider or insurer that involves access to PHI; 
  • A dentist’s office that outsources IT services to a consultant who will access PHI in providing their services;  
  • A CPA firm that provides accounting services to a nursing home requiring access to PHI; and  
  • A hospital that hires a software vendor that in turn uses a cloud service provider to store data containing PHI (the vendor is the business associate and the cloud provider is its subcontractor, so a BAA is required at each link in the chain).

What is included in a BAA? 

A BAA is a contract between a covered entity and a business associate that sets forth the safeguards the business associate will implement to protect PHI, the permitted uses and disclosures of that information, and the business associate’s obligation to notify the covered entity of any breach. The BAA will also typically set forth the procedures to be followed when a suspected breach has compromised PHI. A covered entity must enter into such an agreement with a business associate before disclosing PHI to it.

What are the possible consequences if a required BAA is not entered into? 

OCR and state attorneys general have the authority to issue financial penalties for violations of HIPAA. Both covered entities and business associates can be liable for HIPAA violations, and can be audited, investigated or fined.  

OCR’s most recent settlement following an investigation into a large breach exemplifies the potential consequences of failing to enter into a BAA. In May 2023, OCR reached a settlement for potential HIPAA violations with MedEvolve, Inc., a business associate that provides practice management and analytics software services to covered healthcare entities. OCR investigated MedEvolve after a server containing PHI of 230,572 individuals was left unsecured and accessible on the internet. OCR found MedEvolve had committed several potential HIPAA violations, one of which was a failure to enter into a BAA with a subcontractor.  

MedEvolve was required to pay a financial penalty of $350,000 to OCR and agreed to implement a corrective action plan. This settlement underscores the importance of ensuring that a BAA is in place with every business that accesses PHI in service of a covered entity. It also highlights why business associates must take appropriate precautions to minimize the risk of unauthorized disclosures of PHI.

For more information, contact Michael Griffin at, Alexandra Held at or your local FMG attorney.