Ask the IT Expert – BAAs?

What is a BAA and who needs to sign them?

If you have had any experience with HIPAA, you have probably heard the term BAA. A BAA is a Business Associate Agreement and all of your vendors that may come in contact with PHI (Patient Health Information) must sign one and comply with it.

This obviously means your IT vendor, but it also includes others you may not think of, such as the office cleaning company, the shredding company, your accountant, software vendors and subcontract employees.

What PHI might they have access to?

Your accountant, for instance, if he has access to patient names, addresses, etc.
Your cleaning company, if they clean areas where you store medical files.
The shredding company, as they handle PHI before it is shredded.
The list can be quite long.

What your Business Associates may not realize is that signing a BAA means their company must comply with HIPAA regulations as well, and they are now subject to audits by the Department of Health and Human Services just like you. They will have to do an annual Risk Assessment and have policies and procedures covering how they handle PHI. Some of your Business Associates may no longer need a BAA if you can find ways to remove their access to PHI, for instance by giving your accountant numbers for your clients instead of names and addresses.

So what do you do if they refuse to sign the BAA?

The general rule is that you cancel your association with that company, or you inform them that, due to their refusal to comply with the rules set forth for a Business Associate, you as the Covered Entity are required to report it to the Secretary of Health and Human Services. (And yes, if you continue to do business with them you must report it; here is the link.) This will generally get them moving on actually signing it, as no one likes to be reported to the government.