Business Associate Agreement

The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates.  Like other business associates, accreditation organizations provide a service to the covered entity which may require sharing of protected health information.

The AASM Accreditation process requires completion of a Business Associate Agreement. The AASM recommends applicants download and sign the AASM’s standardized Business Associate Agreement (BAA) and submit as part of the completed Accreditation Application.

Great for

  • Contract specialists looking to understand why a Business Associate Agreement is needed.
  • Applicants searching for additional frequently asked BAA questions.
View Business Associate Agreement

The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates. Like other business associates, accreditation organizations provide a service to the covered entity which may require sharing of protected health information.

The AASM offers a BAA that covers in-scope accreditation services. The AASM’s HIPAA BAA is available in the accreditation application or on the accreditation Reference Materials webpage. The AASM recommends the entity uses a pre-signed AASM BAA found in the accreditation application, which can be e-signed and submitted.

The AASM’s services are consistent for all entities; therefore, the AASM strongly recommends use of the AASM HIPAA BAA. In creation of AASM’s HIPAA BAA, the AASM had the BAA vetted by legal counsel specializing in HIPAA privacy. The AASM HIPAA BAA satisfies all requirements of business associates under HIPAA regulations.

Entities wanting to pursue a custom BAA may select “Custom BAA” in the accreditation application. A custom BAA must be uploaded in the accreditation application and a fee of $500 is payable at the time of the accreditation application submission. Customized agreements require careful review by the AASM and may require direct communication with the entity’s legal department. Entities pursuing a custom BAA need to allow an average of 4-6 weeks for review and potential revisions before the agreement is ready for signature.

The AASM does not create, maintain, or transmit any PHI of the covered entity. During the accreditation process, a site visitor will conduct an inspection of the entity to determine compliance with the Standards for Accreditation. During this inspection, our site visitor will review a set of patient records prepared by the entity. The site visitor will neither copy nor remove any PHI from the entity. Additionally, the AASM does not accept any PHI in response to additional information in support of the standards.

The BAA is a legal document only valid when signed by an authorized individual designated to review and approve official legal documents on behalf of an accrediting entity. Typically, hospital owned entities require a CEO’s or privacy officer’s signature. Freestanding entities may have the owner sign all legal documents. Entities applying for accreditation are responsible for determining the appropriate signatory ensuring that an authorized individual has reviewed and signed the agreement.