What should a BAA include?

HIPAA specifies a set of required elements that every BAA must cover:

  • Permitted uses of PHI
  • Safeguards to prevent PHI use or disclosure violations
  • Compliance with the HIPAA Security Rule
  • Reporting of unauthorized uses and disclosures
  • Agreements with subcontractors
  • Who can access PHI
  • Amendments to PHI
  • Delegation of the covered entity’s duties
  • Records available to the Secretary of the HHS
  • Processes to return or destroy PHI at termination
  • Termination provisions

When you sign a BAA, you have entered into a binding contract with the covered entity or business associate you have chosen to work with, and its terms determine how liability is allocated between you.

Provisions such as "Indemnification" could leave you on the hook for millions of dollars should you suffer a data breach, and a breach can be as simple as an employee leaving an unencrypted laptop unattended at Starbucks for a few hours. Note that under the HHS breach notification guidance, PHI that is properly encrypted is not considered "unsecured" PHI, so the loss of a fully encrypted device generally does not trigger breach notification; the loss of an unencrypted one does.

It is always advisable to use a qualified attorney when engaging in these agreements.

A large entity may want to use your services even though you might not be able to secure ePHI as required by law. To avoid any liability on their side, they craft clever contracts that leave you holding all of the responsibility, even when the mistake is not yours.