HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



Covered entity gets requests for BA agreements

Email This Post Print This Post

The facility I work at is a covered entity.

We continually receive requests to sign a business associate (BA) agreement from other covered entities we do routine business with.

Is there a statement or stated language in the HIPAA/HITECH that can be used to state to these covered entities that we do not need a BA agreement with the other covered entity because we are a covered entity?

It seems that BA documents are being used inappropriately, or as a “catch all, just in case” scenarios.  And, if these are being used like this, is it safer in being compliant to just go ahead and sign the BA even though it is not needed?

Sharon Hallberg


  1. Frank Ruelas says:


    Keep in mind that just be virtue of being a covered entity does not mean that the business associate agreement doesn’t apply. As indicated in the HIPAA rules (45 CFR 160.103) a covered entity may be a business associate of another covered entity.

    Perhaps this is where things are getting tangled.

    Consider asking the covered entity representatives to explain specifically and precisely to you how your organization is seen as a business associate given the underlying relationship or agreement that may exist. This may help shed some light on why the covered entity thinks a business associate agreement may be applicable.

    Good luck!


  2. Frank Ruelas says:

    Sorry for the typos…that’s what I get for trying to do this on a handheld!


  3. Dom Nicastro says:

    Hi Frank:

    I traded e-mails with Sharon about this as well, and I, too, talked about the same thing — that a covered entity can in some cases be considered a BA.

    Lots of scenarios to consider. Hopefully, some of this ground will be covered in upcoming OCR guidance.

    Thanks for blogging to all!

  4. Keith Nelson says:

    Hello Sharon.

    Good question. I also have received requests for us to sign BAAs that are not required.

    If a covered entity is providing treatment for patients of another covered entity, they are not considered a business associate of the covered entity.

    See 164.502 (e)1 (ii)(A).

    Also note that in 160.103 under the definition of Business associate it lists those activities that would qualify and entity as a business associate and treatment is not one of them.

    Good Luck convincing some people, however. If the terms of the BAA follow the requirements of HIPAA and do not contain other adverse provisions we have found that some times it is just easier to sign the BAA rather than try to fight that it is not required. As a covered entity we are required to follow all of the basic provisions in a BAA anyway.


  5. Bridget McCay says:

    Hi Sharon,

    I agree with the comment left by Keith. If you refer to the Federal Register, Vol 67, No. 157, August 14, 2002, pg. 53252, it explains that the Privacy Rule exempts from the business associate requirements disclosures for treatment purposes It references Section 164.502(e)(1) as Keith explained. However our laboratory also receives lots of BAAs to sign. I used to send out an explantory letter saying why we didn’t have to sign, but the agreements just kept coming! We go ahead and sign them now too out of sheer exaution!

Leave a Reply