Sample BAA language for accounting firms and businesses whose engagements involve Protected Health Information (PHI). HIPAA Security Rule obligations, breach notification, subcontractor provisions, 45 CFR Part 164 Subpart E alignment.
HIPAA applies when an accounting firm or bookkeeper accesses Protected Health Information (PHI) on behalf of a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or a business associate of one. Most accounting engagements don't involve PHI, but several do:
When PHI is involved, the covered entity is required by the HIPAA Privacy Rule (45 CFR §164.502(e)(2)) to have a signed Business Associate Agreement (BAA) with anyone outside its workforce who creates, receives, maintains, or transmits PHI on its behalf. That includes outsourced accounting firms, whether US-based or offshore.
HIPAA does not prohibit offshore processing of PHI, but it imposes significant additional operational requirements. The covered entity remains liable for the actions of its business associates regardless of where they're located, so US covered entities using offshore accountants handling PHI need robust BAAs, strong technical safeguards, and ongoing oversight. Offshore BAAs typically include additional specifics not required in purely domestic BAAs: jurisdiction-neutral arbitration provisions, additional breach notification specifics, and explicit subcontractor flow-down requirements.
Baseline BAA covering the required elements under 45 CFR §164.504(e)(2). Adapt to your specific engagement and jurisdiction. Not legal advice; legal review is mandatory before use.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into as of [DATE] between [COVERED ENTITY NAME] ("Covered Entity") and [ACCOUNTING PROVIDER NAME] ("Business Associate").
1. Definitions. Terms used have the same meaning as in HIPAA, HITECH, and implementing regulations at 45 CFR Parts 160, 162, and 164 ("HIPAA Rules"), including definitions of Protected Health Information (PHI), Electronic PHI (ePHI), Business Associate, Covered Entity, and Subcontractor.
2. Permitted Uses and Disclosures. Business Associate may use and disclose PHI only (a) to perform the services described in the underlying services agreement, (b) as required by law, and (c) for proper management of Business Associate's internal operations as permitted under 45 CFR §164.504(e)(4). Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
3. Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by 45 CFR Part 164 Subpart C (HIPAA Security Rule), including access controls, audit controls, integrity controls, transmission security, and workforce training.
4. Subcontractors. Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions and conditions that apply to Business Associate under this Agreement.
5. Breach Notification. Business Associate shall notify Covered Entity of any breach of unsecured PHI within [5] business days of discovery. Notification shall include: description of the breach, date of discovery, types of PHI involved, identification of affected individuals, and mitigation steps taken.
6. Access, Amendment, and Accounting. Business Associate shall, within [15] business days of Covered Entity's request, (a) provide access to PHI as required under 45 CFR §164.524, (b) make amendments as required under 45 CFR §164.526, and (c) provide accounting of disclosures as required under 45 CFR §164.528.
7. Return or Destruction of PHI. Upon termination of this Agreement, Business Associate shall return or destroy all PHI received from, or created on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures.
8. Books and Records. Business Associate shall make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for determining compliance with HIPAA Rules.
9. Term and Termination. This Agreement is effective as of the date first written above and continues until terminated. Covered Entity may terminate this Agreement if it determines that Business Associate has violated a material term. Upon termination, the obligations in Section 7 survive.
10. Governing Law; Dispute Resolution. This Agreement is governed by federal law and the laws of the State of [STATE]. Any dispute shall be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules (or its International Dispute Resolution Rules if Business Associate is located outside the United States). Notwithstanding the foregoing, Covered Entity may seek injunctive relief in any court of competent jurisdiction to protect PHI.
[COVERED ENTITY]: _____________________________ Date: _____________
[BUSINESS ASSOCIATE]: _____________________________ Date: _____________