
Are You Compliant? Business Associate Agreements for Healthcare Providers.

A Business Associate Agreement (BAA) is a written legal contract between a healthcare provider and an individual or organization who will have access to view, transmit, or store protected health information (PHI) as a service to the provider. Per the Department of Health and Human Services (HHS) and HIPAA compliance rules, a “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity.


The BAA satisfies the HIPAA Privacy Rule requiring a covered entity (i.e., provider) to obtain, in writing, satisfactory assurances that any PHI a business associate (i.e., vendor) receives or transmits on behalf of the entity will be safeguarded. Per the HHS, the BAA must:

  • Describe the permitted and required uses of protected health information by the business associate;

  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and

  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.

If you are a healthcare provider working with certain vendors or other professional service providers who may have access to, view, transmit, or store PHI, then you should have BAAs in place. If you do not have a BAA, contact Pacific Apex Law Group at (888) 609-8718. Our talented healthcare and life sciences attorneys are happy to assist you. We look forward to hearing from you!