HHS provides sample business associate agreements. Am I required to use the sample BAAs provided by HHS?

No. There seems to be a common misunderstanding about the sample business associate agreements (BAAs) provided by the Department of Health and Human Services (HHS).
Some are under the impression that the BAA must be in the sample form provided by HHS. As a result, during business associate contract negotiations, some covered entities, business associates, and subcontractors (or their attorneys, privacy officers, security officers, etc.) push back on certain terms and limitations because they believe that all of the language provided in a sample agreement 'must' be included.

While it is certainly true that the HIPAA Privacy Rule and Security Rule require that certain business associate related language be included in BAAs, this does not mean that every term set forth in the sample agreements provided by HHS must also be included.

HHS has itself clarified this issue in the HIPAA Omnibus Rule released on January 25, 2013 (formally titled: "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule"):
"Finally, in response to the comments requesting a model business associate agreement, we note that the Department has published sample business associate provisions on its web site. The sample language is designed to help covered entities comply with the business associate agreement requirements of the Privacy and Security Rules. However, use of these sample provisions is not required for compliance with the Rules, and the language should be amended as appropriate to reflect actual business arrangements between the covered entity and the business associate (or a business associate and a subcontractor)."
78 FR 5601 (Jan. 25, 2013).

If your organization receives pushback, or opposing counsel (or a privacy officer, security officer, etc.) insists that the HHS sample BAA must be used in its exact form, please feel free to quote the language above.

If you need help negotiating a business associate agreement for your organization, please contact us. We have negotiated a number of BAAs with covered entities, business associates, and subcontractors.

This FAQ post, and the information on this website, has been prepared for general information purposes only. The information on this website is not legal advice. Legal advice is dependent upon the specific circumstances of each situation and the jurisdiction of each state. The information contained here is not guaranteed to be up to date. Please consult legal counsel in your state to discuss your specific circumstances.

November 2021
