
BUSINESS ASSOCIATE AGREEMENT (BAA) 

WHAT IS A BUSINESS ASSOCIATE AGREEMENT (BAA)?

A BAA, or Business Associate Agreement, is a legally required contract under HIPAA between a Covered Entity (like a healthcare provider) and a Business Associate (like a billing company, third-party auditor, or HEDIS vendor) who will have access to protected health information (PHI) in order to perform a service on behalf of the Covered Entity.

What a BAA Must Include

Under 45 CFR §164.504(e), the BAA must:

  1. Describe the permitted and required uses of PHI

  2. Require the Business Associate to:

    • Not use/disclose PHI except as permitted

    • Use appropriate safeguards (technical, administrative, physical)

    • Report breaches or security incidents

    • Ensure subcontractors also comply

    • Make PHI available to the Covered Entity as needed

  3. Require termination if the Business Associate violates the terms

Request Confirmation

Request confirmation of a valid Business Associate Agreement (BAA) whenever a third-party vendor (e.g., Datavant, Advantmed, CIOX) requests PHI on behalf of a health plan for HEDIS, Risk Adjustment, or any other activity under HIPAA.

Legal Basis for Requesting a BAA Confirmation

Under 45 CFR §164.502(e) of the HIPAA Privacy Rule, a covered entity may only disclose PHI to a business associate if:

  1. There is a valid Business Associate Agreement (BAA) in place, and

  2. The disclosure is for a permitted function (e.g., payment or health care operations)

Why It Matters

  • If you disclose PHI to a third party without verifying a valid BAA, you—not the payer—are on the hook for a HIPAA violation.

  • HIPAA does not require the vendor to give you a copy of the BAA, but the vendor must be able to confirm that the BAA exists and is valid.

  • If the vendor refuses to confirm it, you can legally decline to disclose PHI.

A refusal is a major red flag, and you are not required to accept vague statements like “we have a BAA” without further confirmation.

Under HIPAA, you are responsible for ensuring that PHI is disclosed only to parties who are lawfully permitted to receive it, and that includes verifying the existence and purpose of a valid Business Associate Agreement (BAA).

Here's Why “We Have a BAA” Isn’t Good Enough:

HIPAA doesn’t require the vendor to give you the full contract, but it does require that you exercise due diligence before disclosing PHI.

If the vendor simply says “We have a BAA with [Plan Name]” but provides no date, purpose, scope, or party details, the vendor is:

  • Giving you no way to verify compliance, and

  • Putting your practice at risk for improper disclosure

You Have the Right to Request:

At minimum, written confirmation that includes:

  • Who the BAA is between (e.g., “Advantmed and Blue Cross and Blue Shield of Illinois”)

  • What services are covered (e.g., “HEDIS chart abstraction”)

  • Effective date or valid period (to confirm it’s current)

  • A statement affirming that PHI will be used/disclosed solely for HIPAA-permitted purposes

Without a valid BAA:

  • Any disclosure of PHI is a HIPAA violation, even if the vendor is acting on behalf of a payer

  • You, the provider, are legally responsible for the breach

  • BAAs are not optional; they are required by federal law

You Do NOT Have to Comply Until They Do

Pushback Statement for a Vague BAA Statement

Subject: Request for BAA Confirmation – HIPAA Minimum Necessary Standard

Dear [Vendor Name],

We received your record request stating that your organization has a Business Associate Agreement (BAA) with [Health Plan Name]. However, to ensure HIPAA compliance on our end, we require more specific confirmation.

As a Covered Entity, we are obligated under 45 CFR §164.502(e) to verify the relationship before disclosing PHI. Please confirm in writing:

  • The names of the parties to the BAA (e.g., [Vendor] and [Health Plan])

  • The purpose of the BAA (e.g., Risk Adjustment, HEDIS review)

  • That the agreement is current and valid

  • That PHI will only be used/disclosed as permitted under HIPAA

Once this confirmation is received, we will evaluate and respond to the request based on the minimum necessary standard. We appreciate your cooperation in maintaining HIPAA compliance.

POINT TO PONDER on BUSINESS ASSOCIATE AGREEMENTS

Just because someone has a Business Associate Agreement with a health plan doesn’t mean they’re authorized to receive your patients’ records.

HIPAA holds you, the provider, responsible for ensuring that any disclosure meets federal law, including verification of the recipient and the presence of required agreements.

423 N High St Belleville IL 62220

Primary Care Fax Number:

877-295-7244

BUSINESS HOURS

Monday through Thursday
7:30 am to 12 pm, 1 pm to 4 pm

Closed between 12-1 pm for lunch
Fridays: Closed

Behavioral Health Fax Number:

618-416-7734