What is Business Associate – Roles & Responsibilities, BAA


Whether you’re smack dab in the middle of the medical field or providing support from the sidelines, odds are you’re worried about HIPAA compliance.

It may surprise you to learn how many different pieces of private information are protected under HIPAA and its accompanying regulations titled HITECH and Omnibus. Today, we’ll demystify the need-to-know HIPAA compliance terms and everything that goes into business associate agreements.  

Topics covered in this article include:  

  • The difference between a “Covered Entity,” “Business Associate,” and “Business Associate Subcontractor.” 
  • The importance of Business Associate and Subcontractor Agreements
  • How HIPAA-compliant email encryption works  
  • Frequently asked questions about being a Business Associate
  • How Canary Mail can keep you HIPAA compliant

Our team is dedicated to making your experience with digital security as straightforward as possible. We’ve poured time and resources into ensuring that our email encryption services are both HIPAA compliant and easy to master. 

We know that having full control over your email security is important. Read on to learn more about the ins and outs of being a Business Associate and how email encryption plays in fulfilling your digital safety obligations. 

HIPAA Terminology


Privacy Jargon

Electronic Health Records (EHR)

The digital version of a patient’s paper chart. These invaluable tools allow professionals to update results in real-time. With the benefits of automation and workflow streamlining come heightened responsibilities. It is important to keep EHRs secure as they are the entirety of a patient’s medical history, medications, images, and treatment plans. 

Protected Health Information (PHI)

Protected Health Information (PHI) is any health-related information combined with a unique identifier that matches a particular individual. This includes the date of birth, social security number, address, etc. Digital examples include IP addresses, biometric data, and payment methods. The digital version of this information is called ePHI (Electronic Protected Health Information). 

Laws & Regulations

Health Insurance Portability and Accountability Act (HIPAA)

A federal law that establishes everyone’s right to privacy in health care. Associated regulations cover employees, patients, clients, etc. The Department of Health and Human Services Office for Civil Rights (HHS OCR) is responsible for monitoring organizations that are legally required to comply with HIPAA.


Health Information Technology for Economic and Clinical Health Act

Established to increase the use of Electronic Health Records (EHR). This act rewards health care providers that use digital medical records and imposes penalties for failing to digitize their health record systems. It also outlines technical requirements for hospitals, doctors, and other healthcare providers who use EHR.

The introduction of HITECH extended HIPAA requirements to Business Associates and Business Associate Subcontractors. It also established firmer breach penalties even in cases where the violation went unnoticed. 

Omnibus Rule

Improves patient privacy protections and strengthens individuals’ rights to their health information. Direct examples this rule applies to include: 

  • Patients may pay out of pocket in full and instruct their provider to keep information about their treatment private from their health plan
  • Healthcare providers are able to share vaccination records with schools directly (with a written or verbal release from the student’s parent or guardian)
  • Marketing, fundraising, and sale of Protected Health Information (PHI) is prohibited without authorization

Differences Between Covered Entities and Business Associates

Simply put, the differences lie in which tasks each individual or group undertakes regarding the information being shared, stored, and analyzed. Business Associates tend to be vendors and third-party companies that work for Covered Entities. 

When it comes to healthcare privacy laws, everyone that comes into contact with (e)PHI is expected to adhere to the same levels of privacy and protection. Likewise, Covered Entities and Business Associates are held equally liable for HIPAA law violations and breaches.  

Covered Entities

Covered Entities fall into three categories:

  1. Health Plans such as insurance agencies
  2. Health Care Clearinghouses such as billing services and community health information systems
  3. Health Care Providers who electronically transmit any health information 

This includes academic medical centers, physicians, hospitals, etc. It is important to know that Covered Entities can be institutions, organizations, or even individuals. Researchers and physicians involved in clinical studies are only two examples of entities that must comply with HIPAA.

Business Associate (BA)

In short, a Business Associate is anyone who, on behalf of a Covered Entity, has access to (and therefore the possibility of sharing) individually identifiable health information. 

Examples of Business Associates include:

  • Third-party administrators that assist with claims processing
  • Consultants that perform utilization reviews
  • Pharmacy benefits managers

BAs assist Covered Entities in adhering to HIPAA Privacy Rules in a number of ways:

  • Data analysis
  • Processing
  • Administration
  • Quality Assurance
  • Claim Management and Processing
  • Repricing
  • Billing
  • Etc.  

Here’s the formal definition: “A person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.” 

Business Associate Subcontractors

A Business Associate Subcontractor is any company or individual hired by the BA to complete tasks related to private and protected information. This may include:

  • Attorneys
  • Transcription Services
  • Email Encryption Providers
  • IT Support Vendors
  • Etc. 

Overall, HIPAA requirements trickle all the way down to positions that you may not expect to have any connection to (e)PHI and EHR. That’s why documentation of expectations, responsibilities, and privacy protocols is so critical. 

What are Business Associate Agreements (BAA) & Business Associate Subcontractor Agreements?

Under HIPAA, HITECH, and the Omnibus Rules, all involved in the management, sharing, and protection of (e)PHI are held to the same guidelines and standards.

Signed contracts ensure that all Covered Entities, BAs, and any individuals or companies the BA may employ are complying with these regulations. Everyone that comes into contact with EHRs and (e)PHIs must be committed to the protection of the sensitive information involved.

BAAs and Subcontractor BAAs cover:

  • (e)PHI Use and Disclosure
  • HIPAA Security Safeguards
  • Breach Notification and Security Incident Protocols
  • Third-Party Disclosures

To fully comply with HIPAA guidelines, a BA needs to know everything possible about the email service provider they are communicating through. A significant tool for controlling access to sensitive, protected information is email encryption.  


HIPAA Compliant Email Encryption

The internet wasn’t nicknamed the “information highway” for nothing. Just as many retro sci-fi movies depict, emails pass through a veritable network of servers and cloud-based providers before being received. While in transit, it is likely that the body and attachments of these emails can be read by hackers, third-party companies, and even the email providers themselves.

It’s impossible to fully trust email service providers without meticulously combing through the user and privacy agreements. A BAA should always be established between the BA and their service provider. However, there is a quick and simple way on top of that to ensure security. 

Encryption scrambles the message so that only the intended recipient, who holds the key, can read it, hiding sensitive information from these prying eyes. 

Not just any form of encryption will do, though. End-to-end encryption, such as our SecureSend function, is the highest level of security that HIPAA compliant services can guarantee. 

Ensuring that each and every email is manually encrypted can get messy and time consuming. That’s why the Canary Mail team has worked hard to make our interface intuitive and user friendly. With us, you’ll never have to worry if your emails are HIPAA compliant again. 

Business Associate FAQ

Can you be a Covered Entity and a Business Associate simultaneously?

Yes, you can simultaneously be classified as a Covered Entity and a Business Associate. 

What are the obligations of Business Associates?

Exact protocols and responsibilities should be thoroughly outlined in the BAA and any resulting subcontractor BAAs. General duties include:   

  • Not to use or disclose (e)PHI other than as permitted by the agreement
  • Use safeguards to prevent unauthorized access to (e)PHI
  • Report to the Covered Entity any use or disclosure of (e)PHI including breaches and other security incidents
  • Hold subcontractors responsible for proper reception, maintenance, and transmission of (e)PHI. 

Do BAAs have a set expiration date?

A BAA must be in effect for the entire time a BA offers assistance to a Covered Entity. If a BAA has an expiration date, that is a red flag that something is amiss. 

Are there any situations in which a BAA is NOT required? 

Yes. There are rare and niche BAA circumstances where a contract is not required. Some of these explain many health care providers’ resistance to digitizing health records and private information. These exceptions include: 

  • Service providers whose work does not bring them into contact with PHI, such as janitors, electricians, etc.
  • Conduits for physical PHI such as the postal service
  • When information is disclosed with patient/client authorization (pursuant to a waiver)

If you are unsure of your status in regard to private information, we recommend seeking out a qualified professional with expertise in these matters.   

How Can Canary Mail Help Business Associates?

We are dedicated to protecting data privacy. Not only are our Enterprise Plans completely HIPAA compliant, but they also come with easy-to-learn tutorials. 

Our SecureSend feature even allows you to revoke an email anytime after sending and to set expiration dates. That means that your whole team has total control over sensitive content and attachments.

Contact us at any time to discuss business associate agreements and how Canary Mail can integrate seamlessly with your pre-existing infrastructure. 

Learn about our simple licensing and intuitive administrative control center today! 

With us, you never have to worry about who has access to your information ever again.

Download our free trial to learn more. 
