§164.504(e) | Severity: critical | HIPAA | US Federal

HIPAA Business Associate Agreements

Enforced by: HHS OCR (US)
Current as of March 26, 2013
Plain Language Summary

Every vendor that touches PHI on your behalf needs a Business Associate Agreement (BAA). Having no BAA in place is a direct HIPAA violation, regardless of whether a breach occurred.

A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. Processing by a business associate must be governed by a written contract specifying the permitted and required uses and disclosures of protected health information.