U.S. Business Associate Agreement (BAA)

A U.S. Business Associate Agreement (BAA) is a U.S. healthcare contract agreement type between [[___]] and business associates when it comes to handling protected health information (PHI).

• Example(s):
  • (Wal-Mart Stores & Castlight Health Agreement, 2012) [1].
  • ...
• Counter-Example(s):
  • a Personal Information Protection Agreement (PIPA): PIPAs are contracts between organizations that exchange personal information. PIPAs typically specify the purpose for which the personal information will be used, the security measures that will be taken to protect the personal information, and the process for resolving disputes. PIPAs are common in Canada, Australia, and New Zealand.
  • Clinical Trials Agreement (CTA)
  • Non-Disclosure Agreement (NDA), also prohibiting its unauthorized disclosure of sensitive information and also involves sharing proprietary information with third parties.
  • Data Processing Agreement, used when sharing personal data with a vendor. Outlines security practices, like a BAA does for PHI. Ensures compliance with data protection regulations.
  • Cloud Services Agreement, when using cloud providers, agreements outline protections for data security and privacy. Similar to BAA in regulating third party use of sensitive data.
  • Contractor Confidentiality Agreement, for contractors accessing confidential business information. Limits use of data and requires security controls like a BAA does for PHI.
  • Partnership Agreement, outlines rights and duties when partnering with another entity, like how a BAA specifies PHI obligations. Facilitates the business relationship.
• See: HIPPA.

References

2022

• https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  • NOTES:
    • Defines relevant terms like business associate, covered entity, and HIPAA Rules.
    • Outlines obligations and activities of the business associate, including to not disclose PHI improperly, implement security safeguards, report breaches, ensure subcontractors comply, provide access to PHI, amend PHI, account for disclosures, comply with HIPAA regulations, and make records available to HHS.
    • Specifies permitted uses and disclosures of PHI by the business associate, including minimum necessary requirements.
    • Allows the covered entity to inform the business associate of privacy practices and restrictions on use/disclosure of PHI.
    • Addresses term, termination, and post-termination obligations, such as returning or destroying PHI upon termination.
    • Includes optional miscellaneous provisions regarding regulatory references, amendments, and interpretation.
    • Provides sample language to facilitate HIPAA compliance but notes contracts still need to comply with state law and account for specifics of the business arrangement.

2012

• (Wal-Mart Stores & Castlight Health Agreement, 2012) => Wal-Mart Stores, Inc. Associates' Health & Welfare Plan and Castlight Health, Inc., Business Associate Agreement (Sept. 11, 2012), https://www.sec.gov/Archives/edgar/data/1433714/000119312514078776/d636610dex1011.htm.