Health and Human Services defines a Business Associate as, “any entity or person that is not directly employed by a provider, but who works with and on behalf of the provider and has access of the PHI of the provider’s patients.”
Examples of Business Associates include:
- Billing companies
- Collection companies and their attorneys
- Drug and medical suppliers
- Hosted Software and Cloud Service Providers
- IT and Computer techs
- Other Covered Entities performing BA services
For organizations utilizing Microsoft Office 365, a business associate agreement (BAA) is automatically executed with Microsoft for your organization upon activation of the license agreement and includes all covered services.
“For Microsoft cloud services: The HIPAA Business Associate Agreement is available via the Online Services Terms by default to all customers who are covered entities or business associates under HIPAA. See 'Microsoft in-scope cloud services' on this webpage for the list of cloud services covered by this BAA.”
More information is available at the following link: Health Insurance Portability and Accountability (HIPAA) & HITECH Acts
As of April 2, 2020, the following services are listed in scope of the agreement: “Office 365 Services, Microsoft Azure Core Services, Microsoft Dynamics 365 Core Services, Microsoft Intune Online Services, Microsoft Power Platform Core Services, and/or Microsoft Cloud App Security, each as defined in the “Data Protection Terms” section of the Online Services Terms incorporated into the Agreement; Microsoft Healthcare Bot; and any additional Azure online services and U.S. Government online services listed as in scope for this BAA on the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA (or successor site); excluding Previews.”
Microsoft customers can download a copy of the BAA here: Microsoft Business Associate Agreement
There is no signature or further action that needs to be taken for the BAA to be implemented. It is available and in place for all organizations that qualify. Please note that Microsoft Office 365 customers are not able to revise or alter the provided agreement. Organizations that are utilizing Microsoft Professional Services should reach out to their customer service representative for more information.
*Excerpt from Microsoft Office 365 BAA as of April 2, 2020
HIPAA One and Microsoft ensure the safety and liability protection granted from using cloud and hosted service providers that hold patient information. Like Microsoft, HIPAA One provides vendor management software (VMS) to our customers to assist in the management of their business associate agreements and documentation. VMS allows full customization and management of BAA contracts for all vendors, including requesting proof of compliance from vendors. VMS software is included in the cost of base HIPAA One licensing at no extra charge.
We hope you will use these tools to help ensure compliance with HIPAA and protect your patient information.