
2016 HIPAA Audits Part 8: All About That BAA

by Donna Koger, 7.19.16

Business Associate Agreement – Not Just Another Document

Did you know there have been $6 million in HIPAA fines levied so far this year for lack of Business Associate Agreement (BAA) documents?

To avoid this type of HIPAA fine, you may need to take some inventory in your practice to be sure you are compliant. There are two main things you need to do:
1. Identify any subcontractors who work with your PHI (see description below).
2. Obtain a BAA from each such company or individual.

What Is The What?

So, what constitutes a sub-contractor business associate who should provide a BAA to you? A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

The Rules

According to, a written contract (BAA) between a covered entity and a business associate must:

1. Establish the permitted and required uses and disclosures of protected health information by the business associate;

2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;

4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;

7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

For definition, obligations, permitted use, provisions, terms and more information on BAA rules, go HERE.



Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.
