Who creates the agreement – BA or CE?


The following question comes from an attendee of the July 29 HCPro, Inc. audio conference, Business Associates and Covered Entities: Adapt Contracts to Comply With New HIPAA Law. The speakers on the show were Chris Apgar, CISSP, president, Apgar & Associates in Portland, OR, and John R. Christiansen, JD, of Christiansen IT Law in Seattle.

Q. Who is generally responsible for creating the business associate agreements (BAAs) — the covered entity (CE) or business associate (BA)? If the covered entity is responsible, and they do not create the BAA, should the business associate step in and create a BAA?

CHRISTIANSEN: Under pre-HITECH HIPAA, as it will apply until next February 17, the covered entity is responsible for establishing the BAA.

The regulations place that obligation on the covered entity, and it is the entity which can be penalized if there is not one in place. HHS has not had the jurisdiction to require business associates to establish BAAs, or punish them if they don’t.

However, my recommendation to BAs working with CEs which fail to implement BAAs (I’ve had a few as clients) has always been to get the BAA in place themselves, since a compliance audit of the CE which uncovered the absence of the BAA would undoubtedly disrupt, and maybe wreck, the business relationship between CE and BA.

HITECH has, however, changed this, by extending regulatory jurisdiction to BAs, and requiring them to have BAAs, while still requiring CEs to have BAAs. As of February 17, both CE and BA can be penalized if they don’t have a BAA. So both parties will have that obligation.

Bottom line: Until February 17, if a CE hasn’t implemented a BAA, the BA should step up to protect its business relationship with the CE. After February 17, the BA will be required to step up as a matter of law.

APGAR: I agree with John. I regularly advise my clients who are business associates to have their own business associate contract template “in their back pocket” and offer to execute it if the covered entity does not have one or has not required one at the time a contract for services or products is entered into with a potential business associate.

It is good for the business associate’s image with the covered entity (demonstrating understanding of and concern for privacy and security) and places the business associate in a better light legally.

Also, as John indicated, as of February 2010, business associates will likely also be held responsible for reasonably ensuring a business associate contract is executed timely with the covered entity.


  1. Vince says:

    What happens when you are working with a CE and they send unsecured e-mail? The BA has all the requisites in place for securing PHI, but the CE does not.

    How is that handled with the new HITECH rule?

  2. Chris Apgar says:


    The HITECH Act creates somewhat of a problem for business associates. They will have the same responsibility as the covered entity to report violations to HHS. The problem is, as the business associate, you risk losing a client if you report your client to HHS.

    CMS recently announced that encryption was required for any transmission of PHI over the Internet. I would suggest communicating this to your covered entity client and, depending on the size of the client, offering to provide assistance by allowing secure communication with you through a secure web site (which you would need to pay for the development of if you don’t already have one or go forward with one of the ASP options available on the market).

    As a business associate, I would make sure I was not including any PHI in any responses to the covered entity’s unsecure e-mail unless you make sure it is encrypted before you respond back to the covered entity.

    Sometimes education is helpful and other times you will find your clients not willing to make the investment in secure communication. If that is the case, you need to make the decision to continue accepting unencrypted PHI from the covered entity client and documenting the fact you are doing so and the reasons why or reporting the covered entity to HHS. On one hand, you stand to lose a client. On the other, you may find yourself subject to civil penalties and/or monetary settlements. No easy answers…

    Chris Apgar, CISSP

  3. Jennifer Ruetten says:

    As a CE that has both non-PHI and PHI departments, how do you determine whom to send a BAA to? Should it only be sent to a BA who has direct access to PHI, or to all BAs, on the thought that indirect access to PHI is possible?

  4. Ken says:

    Should you have a BA agreement with the Department of Health?

    What about a subcontractor for the Department of Health?
