40% OFF Sale through January 23: COVID Clinical Best Practices. Use "CLINICAL40" coupon code in your shopping cart.

Business Associate AgreementsIn 2016, The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) levied millions in fines for the unlawful disclosure of protected health information (PHI) to Business Associates (BAs) and the Business Associate Agreements (BAAs) that they are required to use. HHS defines PHI as any health information that can be used to personally identify an individual patient. PHI often comes in the form of health records that contain demographic information such as a patient’s name, date of birth, address, social security number, telephone number, or financial information.

Under federal HIPAA regulation, Covered Entities (CEs) are required to execute contracts with their BAs in order to keep their patients’ data from being breached and distributed on the black market. Covered Entities are defined under HIPAA regulation as any health care provider, health plan, or clearinghouse that produces, stores, or maintains PHI.

These contracts, called Business Associate Agreements (BAAs), must be exchanged when a BA is hired to handle PHI in any way over the course of services they’ve been payed to provide for the health care provider. Common examples of BAs include lawyers, IT services, billing companies, cloud storage providers, and email encryption services, among others.

What should a good BAA contain?

BAAs should clearly identify the responsibilities of the health care provider and the business associate in regards to PHI. If a breach occurs, the federal government will look at these BAAs to determine liability. That’s why it’s essential for behavioral health specialists to have lawful and up-to-date BAAs to protect their practices and organizations from OCR’s record enforcements and fines.

For easy reference, here’s a quick list of features that every good Business Associate Agreement must contain:

  • The Health Care provider is identified as the Covered Entity
  • The Vendor is identified as the Business Associate
  • Liability in the event of a breach is clearly defined and belongs to whichever party is responsible for the source of the breach


Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with full Business Associate management through The Guard. The Guard is a web-based HIPAA compliance solution with built in Business Associate Agreements and BA management tools. By simply logging in, users have access to a full suite of powerful compliance tools that fulfill the full extent of federal HIPAA regulation.

Compliancy Group’s team of expert compliance coaches is available at any time to field questions and guide users through the implementation process, taking the stress out of managing compliance. With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.

For more information about what you can do to protect your behavioral health practice, check out these upcoming HIPAA educational webinars. Field your HIPAA concerns with our compliance experts and find out how simple compliance can be.