Newnessimworks.com

Health Insurance Portability and Accountability Act (HIPAA)

U.S. law setting privacy and security standards for protected health information (PHI) held by covered entities and by the business associates that handle PHI on their behalf.

Definition

In long form.

HIPAA establishes national standards for the protection of individually identifiable health information. The Privacy Rule governs how covered entities may use and disclose PHI; the Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). The Breach Notification Rule requires notice to affected individuals and to HHS when unsecured PHI is breached, and notice to the media for breaches affecting more than 500 residents of a state or jurisdiction. PHI counts as "unsecured" only if it was not rendered unusable or unreadable (for example, encrypted or destroyed) in line with HHS guidance. Enforcement, including investigations and civil penalties, is handled by the HHS Office for Civil Rights (OCR).

In context

Any vendor whose software creates, receives, stores, or transmits PHI on behalf of a covered entity is a business associate: it needs a signed BAA before it receives any PHI, and it must itself comply with the Security Rule. Common implementation work: encryption at rest and in transit (an addressable specification rather than a required one, but the practical default, and PHI encrypted to HHS guidance does not trigger breach notification if it is lost), role-based access control tied to unique user IDs, audit logging of every access to ePHI, and six-year retention of the policies, procedures, and records the rule requires you to document.
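The three technical safeguards above (role-based access control, audit logging of every attempt, and a retention check) can be sketched in a few dozen lines. The block below is an added example, not code from Newnessimworks or from any HIPAA guidance; the role names, permissions, and patient identifiers are hypothetical. It gates PHI operations on a least-privilege role map, writes a hash-chained, append-only audit entry for every attempt whether allowed or denied, and answers whether a given entry is still inside the six-year retention window.

```python
"""Added example (not the page's own code): a minimal PHI access gate showing
role-based access control, tamper-evident audit logging, and a six-year
retention check. All roles, users, and patient IDs below are hypothetical."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hypothetical role -> permission map. Least privilege: each role receives only
# the operations its job function needs.
ROLE_PERMISSIONS = {
    "physician": {"phi:read", "phi:write"},
    "billing": {"phi:read_billing"},
    "receptionist": {"demographics:read"},
}

# HIPAA requires documentation to be retained for six years from creation or
# last effective date (45 CFR 164.316(b)(2)(i)); six calendar years approximated here.
RETENTION = timedelta(days=6 * 365)


class AuditLog:
    """Append-only audit trail (45 CFR 164.312(b)); each entry commits to the hash
    of the previous one, so editing or deleting an old entry breaks the chain."""

    def __init__(self):
        self.entries = []
        self._prev_hash = "0" * 64

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, role, action, patient_id, outcome, when):
        body = {
            "ts": when.isoformat(),
            "actor": actor,        # unique user ID (45 CFR 164.312(a)(2)(i))
            "role": role,
            "action": action,
            "patient_id": patient_id,
            "outcome": outcome,    # log denials too: they are the interesting events
            "prev_hash": self._prev_hash,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self):
        """Recompute every hash and every back-link; False on any tampering."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    @staticmethod
    def must_retain(entry, now):
        """True while the entry is younger than the retention period; only entries
        past it may be purged, and only according to the organisation's policy."""
        return now - datetime.fromisoformat(entry["ts"]) < RETENTION


def access_phi(log, actor, role, action, patient_id, now=None):
    """Authorize one PHI operation for `actor` acting as `role`, and audit the
    attempt either way. Returns True if the operation is allowed."""
    now = now or datetime.now(timezone.utc)
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(actor, role, action, patient_id, "allowed" if allowed else "denied", now)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    access_phi(log, "dr.smith", "physician", "phi:read", "P-001", now=t0)
    access_phi(log, "frontdesk1", "receptionist", "phi:read", "P-001", now=t0)
    for e in log.entries:
        print(e["ts"], e["actor"], e["action"], e["outcome"])
    print("chain intact:", log.verify())
```

In a real deployment the log would be written to storage the application cannot modify (a separate account or an append-only store) and the chain head periodically anchored elsewhere, since a hash chain only detects tampering, it does not prevent it. Encryption at rest is deliberately left out of the block: the standard library has no AES, and a production system would use a vetted library and a managed key store rather than hand-rolled code.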

Related terms

Adjacent definitions.

Business Associate Agreement (BAA)

HIPAA-required contract between a covered entity and a business associate (a vendor that creates, receives, maintains, or transmits PHI on its behalf) that sets out permitted uses of PHI, the safeguards the vendor must apply, and its duty to report breaches.

Discovery first

Talk to us about your engagement.

Discovery calls are free. Scope, timelines, and pricing are quoted after we understand what you’re solving.