Companies operating in the U.S. healthcare industry are required to comply with the data security and privacy standards defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA regulations are in part designed to protect the privacy and security of an individual’s sensitive and personal healthcare information.

This article will discuss when an organization needs to enter into a Business Associate Subcontractor Agreement (BASA). We will look at how a BASA differs from a Business Associate Agreement (BAA) and how it protects the organization tasked with HIPAA compliance.

Important Terminology

Let us define some important terms before delving into the details of the business agreements necessary to ensure HIPAA compliance.

Protected Health Information and Electronic Protected Health Information

Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) are the patient data that HIPAA legislation was designed to safeguard. PHI is defined as individually identifiable health information collected from a person which is recorded and received by a covered entity. This includes demographic and genetic information that may be used to identify an individual.

HIPAA lists 18 identifiers that need to be protected including:

  • A patient’s name
  • Dates except for the year
  • Telephone numbers
  • Social security numbers
  • Email addresses
  • Biometric identifiers such as retinal scans

PHI that is transmitted electronically or stored in computer systems is considered ePHI. Some aspects of HIPAA regulations only pertain to ePHI, as we will see shortly.

Covered Entity (CE)

When discussing HIPAA compliance, the following types of individuals and organizations are considered covered entities:

  • Healthcare providers, regardless of the size of the practice, that electronically transmit health information regarding claims, benefit eligibility, and referral authorizations
  • Health plans, except for group plans with less than 50 members that are administered and maintained by the employer who established them
  • Healthcare clearinghouses that process nonstandard information into a standard format

All covered entities need to comply with the HIPAA Privacy and Security Rules.

Business Associate (BA)

A business associate is any person or organization working on behalf of a CE to perform functions related to the use or disclosure of PHI. BAs can be involved in many aspects of a CE’s operations. BAs may also provide services to a CE.

Some examples of BAs are:

  • Medical billing companies
  • Accountants
  • Lawyers and attorneys
  • Backup storage providers
  • IT support vendors
  • Third-party administrators assisting with claims processing

BAs can be held liable for incurring HIPAA violations.

Business Associate Subcontractor (BAS)

A business associate subcontractor is an entity that creates, transmits, or maintains PHI or ePHI for a BA. Companies can simultaneously be a BA for one CE and a BAS for another BA. The examples listed above of potential BAs also cover the range of work a BAS can perform.

A limited set of exceptions exists for entities that are conduits for PHI but do not have any direct relationship with the information. Internet service providers, the U.S. Postal Service, and other couriers and delivery services are not considered to be business associate subcontractors.

What Is HIPAA Compliance?

Two main rules form the foundation of the HIPAA guidelines. CEs, BAs, and BASs are required to follow these rules to maintain HIPAA compliance.

HIPAA Privacy Rule

The HIPAA Privacy Rule addresses the use and disclosure of PHI by organizations subject to HIPAA guidelines. The rule includes standards that help patients understand their health information and how it is being used. A primary objective of the HIPAA Privacy Rule is to protect individuals’ health information while enabling it to be used effectively to provide high-quality healthcare.

CEs can use and disclose PHI without an individual’s authorization in certain cases such as to facilitate treatment, payment, or to be used in the interest of public health. The Privacy Rule applies equally to PHI and ePHI.

HIPAA Security Rule

The HIPAA Security Rule is specifically designed to protect ePHI. It does not apply to PHI transmitted in writing or orally. The Security Rule requires all CEs and BAs to:

  • Ensure the confidentiality, integrity, and availability of ePHI
  • Implement the necessary measures to detect and safeguard ePHI from threats to its security
  • Protect against the possibility of the impermissible use or disclosure of ePHI
  • Certify compliance with the Security Rule by their workforce

The Security Rule deals with electronically transmitted and stored ePHI and was found to be necessary to address the rise of computerized systems used in the healthcare landscape.

Business Agreements Mandated by HIPAA

Failure to comply with HIPAA regulations can result in serious financial penalties levied against the offending entity. Data breaches involving ePHI can also tarnish an organization’s reputation and lead to a loss of customers and consumer confidence.

Covered entities need to protect themselves when partnering with BAs to assist in processing PHI and ePHI. This protection is built into the HIPAA guidelines in the form of two types of agreements between CEs and their partners.

Business Associate Agreement (BAA)

CEs that partner with BAs to assist in processing PHI and ePHI are required to enter into business agreements called “business associate agreements” (BAAs) that define their role and responsibilities. The BAA needs to be signed by everyone in both organizations who have access to PHI.

A BAA is a written contract that defines the responsibilities of each party in protecting sensitive healthcare data. A BAA should establish the following guidelines:

  • The reason the BA is storing or processing ePHI for a CE
  • How the BA can use, store, and process ePHI
  • Assurances that the BA will not use the ePHI in ways not explicitly defined in the agreement.
  • Details on how the BA will safeguard ePHI to prevent data breaches.

Additional factors need to be incorporated into BAAs when working with cloud service providers (CSPs) beginning in 2016. BAAs need to include service level agreements (SLAs) that focus on the role of the CSP. The SLAs should address issues related to using cloud infrastructure to process ePHI. These issues include:

  • System reliability and availability
  • How ePHI will be backed up and recovered
  • How ePHI will be destroyed when services are terminated
  • Responsibility for the security of the cloud infrastructure
  • Limitations on the use, disclosure, and retention of ePHI

A BAA needs to be in place even when the BA only has access to encrypted ePHI.

Business Associate Subcontractor Agreement (BASA)

BAs may decide to engage subcontractors to perform some of the duties required by a covered entity. It is the responsibility of the BA to enter into a Business Associate Subcontractor Agreement with its subcontractors that defines their roles in processing and protecting a CE’s ePHI resources.

The details of a BASA are like those of a BAA. Both documents outline the responsibilities of the signee regarding the protection of ePHI. The main difference is that a BAA is between a CE and a BA whereas a BASA is between a BA and its subcontractors. In many cases, a BA may have multiple BASAs that cover various aspects of processing an individual’s sensitive healthcare data.


When contracting with a third party or CSP, a covered entity should insist on a partner willing to enter a BAA. Similarly, a company acting as a business associate needs to have a BASA in place when subcontracting work to another company.

Atlantic.Net offers covered entities the peace of mind of a BAA that guarantees the security and privacy of their ePHI resources. They can address cloud data processing needs while ensuring HIPAA guidelines are followed so a covered entity can achieve and maintain compliance. Contact us today for more information about HIPAA-compliant hosting.