Buck Bond Group
Taking care of business (associates) 


What we encounter 

While recently performing a HIPAA operational review for one of my clients (in their role as a sponsor of a group health plan), I asked for copies of their business associate agreements (BAAs). These are the agreements that are put in place to protect both covered entities and the business associate by setting clear expectations for the handling of protected health information (PHI).   

The folder I received back was noticeably thin; it included only business associate agreements for their medical and dental insurer, and flexible spending account administrator.  

So I asked about other vendors and business partners that might have access to their protected health information or electronic protected health information (ePHI), such as offsite storage, shredding/destruction companies, external ERISA counsel, their health care benefits consultant, video-conferencing applications, etc.   

“Do we need agreements for these?”  


The exchange described above is not uncommon. In fact, most of the clients we work with as sponsors of group health plans do not have a comprehensive inventory of their business associates (BAs).  

Business Associate Agreements (BAAs) 

BAAs are contracts that define responsibility, and thus liability, with respect to the handling of PHI. As such, it is critical to retain a list of all current business associates and to read and understand the language in your BAAs. The reality is that when a breach or security incident occurs, you are responsible for what was declared in your BAA. A BAA that is drafted carefully and understood by both parties to the agreement can be an effective mechanism for transferring risk (and thus liability) from one entity to another.

A Buck survey confirms what we often see in practice. Of those employers surveyed, 33% did not have or didn’t know if they had an inventory of all of their business associates; the same number responded that they were not sure that those agreements were current.   

Did you do your due diligence? 

HIPAA requires covered entities to go through a due diligence process before the transmission of any PHI, including, but not limited to, questioning the business associate to ensure they have policies and procedures in place, that workforce training is regularly conducted on handling PHI, and that proper safeguards exist to protect the PHI they will have access to or that you will be transmitting to them.

After my client handed over the thin folder containing only a few BAAs, we went through a process to identify all potential business associates and subsequently determine whether an agreement was needed. By creating a comprehensive inventory of their business associates and ensuring written agreements were completed for all identified business associate arrangements, they now know they took care of business with ALL of their business associates.

Getting your BAAs in order 

So, who is considered a business associate? Any vendor or partner you share PHI or ePHI with over the course of the work they’ve been hired to do is a Business Associate, and requires a BAA. The following is a list of some examples of Business Associates we see in the market as related to group health plans. 

  • Accountants 
  • Answering/messaging services 
  • Billing companies 
  • Cloud storage providers 
  • Copier/printer/scanner vendors 
  • External benefit call centers 
  • External IT groups/support 
  • Health benefit consultants 
  • Insurers (medical, dental, flexible spending account administrator, etc.) 
  • Interactive conferencing (e.g. Zoom, WebEx, Microsoft Teams, etc.) 
  • Mobile Apps 
  • Offsite storage/physical storage providers 
  • Outside legal counsel/auditors 
  • Print and Mailing Services 
  • Retiree medical consultants 
  • Shredding services 
  • Website Development 

These examples demonstrate the importance of taking a thoughtful approach to identifying business associates. There may be some that you haven’t considered in the past. Think about all the people, processes and systems that may come into contact with either physical or electronic protected health information.  

You’ll likely find the number is larger than you thought.