Skip to Content
Cyber and Privacy Risk and Insurance

Business Associate Agreement Requirements and Negotiated Provisions

Melissa Krasnow | September 15, 2017

On This Page
Introducing new employee

When is a business associate agreement required? Who is a covered entity? A business associate? What about breach costs? Indemnification? And cyber liability insurance coverage?

The following is a brief overview of business associate agreements along with links for more information.

When Is a Business Associate Agreement Required?

A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e). Learn more here. A covered entity may request a party to enter into a business associate agreement even where it is not required. Learn more here and here.

Who Is a Covered Entity?

The US Department of Health and Human Services, Centers for Medicare and Medicaid Services tool helps find out whether an organization or individual is a covered entity. Learn more here. See also 45 CFR 160.103 regarding covered entities.

Who Is a Business Associate?

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Learn more here. See also 45 CFR 160.103 regarding business associates, protected health information, and subcontractors.

Where Can I Find an Example of a Business Associate Agreement That Shows Required and Optional Provisions?

The US Department of Health and Human Services, Office for Civil Rights sample business associate agreement provisions (published January 25, 2013) is one starting point. Learn more here.

Which Additional Business Associate Agreement Provisions Commonly Are Requested and Negotiated?

Breach cost, indemnification, and cyber liability insurance coverage are examples of additional provisions that are commonly requested and negotiated. Whether there are breach cost, indemnification, or cyber liability insurance coverage provisions in any related agreement is one issue to consider.

Breach Cost. Issues to take into account regarding breach cost provisions include how a breach is defined, whether the breach is under the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act only or also under the state breach notification laws, who caused the breach, specified breach costs, and any limits.

Indemnification. Issues to consider regarding indemnification provisions include whether the indemnification provision is mutual, who is indemnified, which events trigger indemnification, specified costs, and any limits.

Cyber Liability Insurance Coverage. Issues regarding cyber liability insurance coverage provisions include whether a party has and will have cyber liability insurance coverage (a related issue is how much it costs and will cost the party), the scope and nature of the coverage, particular amounts of coverage, the time period for coverage, and changes in coverage.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.