Contracts, by their definition, aim to govern the rights of parties whose rights are not otherwise governed. They allow the parties to negotiate the exchange and reduce to an agreement what each party can and should expect of the other. We tend to think of contracts as voluntary arrangements entered by willing participants. In the case of a business associate agreement (BAA), that is not precisely true. This is because BAAs are mandated by government regulation—specifically, the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This article introduces the reader to BAAs and provides some guidance about when they are necessary and what they should include.

BAAs are intended to secure the protected health information (PHI) of patients. To do this, they bind a business associate to certain standards when handling PHI related to the services of a covered entity. A “covered entity” is defined at 45 C.F.R. Section 160.103 as a health plan, a health care clearinghouse or “a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” A common example of a “transaction covered by this subchapter” is electronic billing for services rendered.