Business Associate Agreements: Fact vs Fiction
Tuesday, August 28th, 2018HIPAA covered entities form partnerships with third parties to safeguard their data assets effectively. Business associate agreements (BAAs) formalize these relationships and, importantly, describe the HIPAA-related risks and responsibilities that business associates (BAs) will take on.
The written contract between the covered entity and business associate must meet the following requirements:
- State the permitted and required uses and disclosure of PHI by the BA.
- Assure that the BA will not use or share information other than as required or permitted by the contract or by law.
- Require the BA to implement suitable safeguards to prevent the unauthorized use of information, including deploying the requirements of the HIPAA Security Rule as it relates to protected health information.
- Report to the covered entity any use or disclosure of information not provided for by the contract.
- Agree to disclose PHI to meet the covered entity’s obligation to provide individuals a copy of their PHI, and also either provide PHI for amendments or incorporate amendments.
- Adhere to the requirements of the Privacy Rule to the extent required.
- Provide to the Department of Health and Human Services records, practices and books related to the use and disclosure of PHI.
- At the termination of the contract, destroy or return all PHI created or received by the BA on behalf of the covered entity.
- Ensure that any subcontractors the BA engages must comply with substantially the same conditions and restrictions that apply to the BA.
- Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.
There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by 
The short answer is “Yes“.
