How to Execute BAAs

Beth Plumptre
July 14, 2023

Healthcare’s growth into a modern, data-backed industry has pushed privacy and security protections into high gear. In 2021, 88% of hospitals exchanged data via Electronic Health Record Systems (EHRs).

In this increasingly interoperable ecosystem, patient data is accessed across different states, Health Information Exchanges (HIEs), IT systems, providers, pharmacies, and other stakeholders. So while data is at its most impactful for care continuity, confidential and Protected Health Information (PHI) is also at its most vulnerable.

Efforts like The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are working to secure interconnected data structures across health organizations. This rule mandates Business Associate Agreements (BAAs) for every individual or organization handling and exchanging patient information. The agreement ensures that collaborators maintain patient information responsibly, and with proper security measures.

We’ll be examining BAAs and their importance for securing the healthcare landscape. This guide will dig into the organizations qualified to enter these agreements, and how a health organization may execute this contract with a Business Associate.

What is a BAA?

BAAs establish a game plan for individuals or entities accessing, using, or disclosing PHI. The agreement is between HIPAA’s covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates (BAs), plus subcontractors like Metriport, where our Medical API helps providers and other associates access and retrieve medical data for their patients.

According to the Department of Health and Human Services (HHS), a BA is:

“A person or entity, other than a member of the workforce of a covered entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”

This means an organization that handles health data on behalf of a covered entity must first enter into a BAA.

BAs cover individuals or organizations contracted for activities like data analysis, claims processing or administration, utilization reviews, and quality assurance reviews. An organization offering legal, actuarial, accounting, data aggregation, or financial services will also sign on the dotted line of a BAA to guarantee patient safety. That said, a covered entity may in some cases disclose PHI to a BA without executing a legal agreement. Whether this is allowed usually depends on factors like the service provided or the context for sharing health information.

Exceptions to the Business Associate Standard

BAAs assure covered entities that a third party is trustworthy, and will show the utmost care when handling or creating data. But in some events, this agreement isn’t necessary, and information exchange can happen without a contract in place.

To clarify when an organization falls under this exception, the HHS shares a few cases where BAAs are not needed before disclosing health information:

  • Where a covered entity transfers information to a healthcare provider to support patient treatment. For example, a hospital will not need a BAA before sharing a patient’s chart with a specialist for care continuity. Likewise, a physician collaborating with a laboratory will not need an agreement before exchanging a patient’s PHI for treatment.
  • Disclosures made to a health plan sponsor such as an employer, group health plan, health insurance issuer, or HMO that provides health insurance benefits or coverage for the group health plan.
  • Cases where PHI is collected and shared by a health plan that is a public benefits program such as Medicare.
  • A Business Associate Contract is also unnecessary where a provider shares PHI for payment purposes, or where a BA simply acts as a channel for patient data such as the postal service or specific couriers.

When an organization falls within these limits, it’s in the clear to manage patient data without any agreement. However, this is on the condition that patient safety remains the focus, and any information exchanged is to promote care delivery by a provider.

How is a BAA Executed?

Business Associate Agreements are at the heart of HIPAA compliance in health organizations. These contracts set out each party’s responsibilities and obligations regarding PHI, plus the permitted uses of that PHI.

Like most legal agreements, a BAA is executed under terms that are written and agreed to by the parties involved. When executing a BAA, the following must be present in the legal agreement:

Basic information

A BAA will have the common particulars of a contract to be legally enforceable, such as the date and names of the Covered Entity, BA, or another subcontractor.

Permissible uses and disclosures of PHI

Healthcare organizations can determine how vendors use or share PHI by making special provisions in a BAA. In the agreement, organizations can list what will be considered permissible or prohibited use of valuable health information.

For instance, cloud service providers may be permitted to maintain PHI, but have no authorization to use or disclose these records. Likewise, vendors may be expressly barred from selling patient information or using it for marketing purposes without receiving the right consents. A vendor may also be prevented under the agreement from sharing PHI for personal reasons or with unauthorized entities.

Procedure in the event of a data breach

With healthcare the industry most targeted by cyberthreats (79% of reported data breaches are healthcare-related), organizations handling PHI must put appropriate safety measures in place.

These measures must be listed in the BAA, with procedures in place for managing unwanted access to valuable information by third parties.

Liabilities and consequences

It’s in the best interest of any Business Associate to comply with the privacy and safety requirements under HIPAA. BAs that wrongfully expose PHI can be held liable, along with covered entities.

According to HHS, BAs are directly liable where they violate HIPAA in the following ways:

  • Failing to provide the Secretary with records and compliance reports to determine safety practices.
  • Retaliating against any person or entity for opposing their use of PHI under HIPAA.
  • Not complying with the requirements of the Security Rule.
  • Making prohibited use of PHI.
  • Not sharing a data security breach with the covered entity or other BA.

Process for returning or destroying PHI

The Business Associate Agreement should also contain provisions that define how health information should be returned or destroyed by the covered entity or Business Associate.

BAAs are solidifying data-exchange structures in healthcare, helping to raise patient trust in care delivery systems.

As stakeholders in data access and transfer, covered entities and BAs have a duty of care to handle patient information to the highest standards that align with laid down regulations.
