Can a Vendor Propose Changes to your Business Associate Agreement?

Can a Vendor Propose Changes to your Business Associate Agreement?

We are occasionally asked questions by our clients regarding business associates and business associate agreement (BAAs).

Recently, we were asked if it is okay for vendors to propose changes to a covered entity's BAA:


Under the HIPAA Privacy Rule a covered entity is required to obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.

Further, a covered entity's contract (agreement) with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.

Finally, under HIPAA you (the covered entity) are required to enter into a HIPAA compliant BAA with your vendors who create, receive, transmit or maintain PHI. When vendors will not sign your BAA; or make changes to your BAA; or send you their BAA you must thoroughly review the agreement to ensure it includes all elements specified in the HIPAA Privacy Rule.OCR will hold you the covered entity ultimately responsible. A compliant agreement must include assurances PHI will be properly safeguarded and in the event of a breach all required notification procedures must be clearly explained.

Remember, the vendor is providing services on your behalf and not the other way around. Therefore, you are not required to sign their BAA or approve of their edits and could require them to sign your BAA.

If you have any questions please do not hesitate to contact us by phone: 855-427-0427 or by email: [email protected].