MSP·OUTPOST

BAA

Business Associate Agreement. Required HIPAA contract.

Business Associate Agreement. A legally required contract under HIPAA that governs how a Business Associate (an MSP serving a HIPAA-covered entity) handles Protected Health Information (PHI). Any MSP that accesses, stores, processes, or transmits PHI on behalf of a healthcare client must have a signed BAA in place before providing services. Failure to have a signed BAA is itself a HIPAA violation.

Required by
HIPAA Privacy Rule (45 CFR §164.504(e)) and Security Rule.
Who needs one
Any MSP providing IT services to hospitals, medical practices, dental offices, behavioral health providers, health insurers, or healthcare clearinghouses.
Why it matters
Without a signed BAA, an MSP cannot legally access PHI. A breach without a BAA in place exposes both the MSP and the covered entity to HHS penalties and civil liability.
See also
HIPAA, CMMC, SLA