
A customer is asking us to sign a BAA

If you create, receive, maintain, or transmit their patients' protected health information (PHI), you need one. Review it carefully before signing: the agreement sets contractual obligations that go beyond what HIPAA itself requires.

  1. Determine if you qualify as a Business Associate

    If your product or service involves creating, receiving, maintaining, or transmitting protected health information on behalf of a covered entity (or on behalf of another business associate), you are a Business Associate and must sign a BAA. Note that business associate status follows from what you do with the data, not from the contract: since the 2013 Omnibus Rule you are directly liable under the HIPAA Security Rule and the applicable provisions of the Privacy Rule whether or not a BAA has been signed.

  2. Review the BAA they have sent

    Check for: what PHI you are permitted to use and disclose, the safeguards you must implement, breach and security incident notification timelines, subcontractor requirements (you must flow the same terms down to any subcontractor that touches the PHI), audit or reporting rights the customer reserves, and termination provisions, including what happens to the PHI (return or destruction) when the relationship ends. Have legal counsel review if it is your first BAA.

  3. Negotiate terms if needed

    BAAs are negotiable above the regulatory floor. The Breach Notification Rule (45 CFR 164.410) requires a business associate to notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach, so customers commonly shorten that window by contract. If their breach notification requirement is 24 hours and you cannot operationally meet that, negotiate for a longer timeline; you cannot, however, negotiate away the obligations the rule itself imposes.

  4. Sign and file the BAA

    Keep a copy of every signed BAA. HIPAA's documentation requirement (45 CFR 164.316) means you must retain each BAA for six years from the later of the date it was created or the date it was last in effect. Store them somewhere secure and searchable, and track renewal and termination dates so expired agreements are not mistaken for current ones.

Important

Use our free BAA Generator to create your own compliant BAA template, or to understand what a BAA you have received should contain.

Not legal advice. Follow your organization's policies and consult counsel for legal questions.