Business Associate Agreement

The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates. Like other business associates, accreditation organizations provide a service to the covered entity which may require sharing of protected health information.

The AASM Accreditation process requires completion of a Business Associate Agreement. The AASM recommends applicants download and sign the AASM’s standardized Business Associate Agreement (BAA) and submit as part of the completed Accreditation Application.

Great for

Contract specialists looking to understand why a Business Associate Agreement is needed.
Applicants searching for additional frequently asked BAA questions.

View Business Associate Agreement

Why does the AASM require our entity to submit a HIPAA (Health Insurance Portability & Accountability Act) BAA?

The AASM offers a BAA that covers in-scope accreditation services. The AASM’s HIPAA BAA is available in the accreditation application or on the accreditation Reference Materials webpage. The AASM recommends the entity uses a pre-signed AASM BAA found in the accreditation application, which can be e-signed and submitted.

Can either the AASM modify our organizations BAA, or can we modify the AASM’s BAA?

The AASM’s services are consistent for all entities; therefore, the AASM strongly recommends use of the AASM HIPAA BAA. In creation of AASM’s HIPAA BAA, the AASM had the BAA vetted by legal counsel specializing in HIPAA privacy. The AASM HIPAA BAA satisfies all requirements of business associates under HIPAA regulations.

Entities wanting to pursue a custom BAA may select “Custom BAA” in the accreditation application. A custom BAA must be uploaded in the accreditation application and a fee of $600 is payable at the time of the accreditation application submission. Customized agreements require careful review by the AASM and may require direct communication with the entity’s legal department. Entities pursuing a custom BAA need to allow an average of 4-6 weeks for review and potential revisions before the agreement is ready for signature.

Are there any risks to our covered entity when providing accreditation services?

The AASM does not create, maintain, or transmit any PHI of the covered entity. During the accreditation process, a site visitor will conduct an inspection of the entity to determine compliance with the Standards for Accreditation. During this inspection, our site visitor will review a set of patient records prepared by the entity. The site visitor will neither copy nor remove any PHI from the entity. Additionally, the AASM does not accept any PHI in response to additional information in support of the standards.

Who is authorized to sign the Business Associate Agreement?

The BAA is a legal document only valid when signed by an authorized individual designated to review and approve official legal documents on behalf of an accrediting entity. Typically, hospital owned entities require a CEO’s or privacy officer’s signature. Freestanding entities may have the owner sign all legal documents. Entities applying for accreditation are responsible for determining the appropriate signatory ensuring that an authorized individual has reviewed and signed the agreement.

Practice Guidelines

Accreditation

Resources

New AASM Scoring Manual

Coding & Reimbursement

CMS – Medicare & Medicaid

Telemedicine

Remote Monitoring

Private Payer Advocacy

Quality Resources

Choose Sleep

Education & Training

Events & Courses

Visit the Career Center

Membership

Community

Other Resources

Join the AASM Community

About the AASM

Industry Engagement

Discover the AASM’s Impact

My Learning

Scoring Manual

ICSD-3-TR

Earn CME/CEC On-Demand