Who Needs a Business Associate Agreement Under HIPAA

If you are operating in the healthcare industry, you have probably heard of HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets standards for protecting sensitive patient information. The act requires healthcare entities to have contracts with their business associates to ensure that the data is being protected and handled appropriately. In this article, we will discuss who needs a Business Associate Agreement (BAA) under HIPAA.

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a written agreement between a covered entity and a business associate. According to HIPAA regulations, a business associate is any person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or in providing services to, a covered entity. A BAA is important because it outlines the responsibilities of both the business associate and the covered entity regarding PHI.

Who Needs a Business Associate Agreement?

The following entities are considered covered entities under HIPAA and must have a BAA with any business associate:

1. Healthcare Providers – This includes doctors, nurses, hospitals, clinics, and any other provider that handles patient data.

2. Health Plans – This includes insurance companies, HMOs, and any other plan that pays for patient healthcare.

3. Healthcare Clearinghouses – These are entities that process healthcare information from non-standardized formats to standard formats.

Any entity that falls under one of these categories must have a BAA with any business associate that handles PHI on their behalf.

Examples of Business Associates

The following are examples of entities that could be considered business associates:

1. Medical Billing Companies – Medical billing companies handle patient data when submitting claims to insurance companies.

2. Cloud Storage Providers – These are companies that manage electronic PHI.

3. Consultants – Consultants may need access to PHI to provide advice or expertise to healthcare providers.

4. Law Firms – Law firms may need access to PHI when assisting with legal matters.

5. IT Companies – IT companies may need access to PHI to provide technical support.

In summary, covered entities in the healthcare industry must have a Business Associate Agreement with any business associate that handles PHI on their behalf. This includes healthcare providers, health plans, and healthcare clearinghouses. Business associates can include medical billing companies, cloud storage providers, consultants, law firms, and IT companies. By having a BAA in place, both the covered entity and the business associate can ensure that they are following HIPAA regulations and protecting patient data.