Athenahealth Business Associate Agreement (BAA): How to Get It and What It Covers


Kevin Henry

HIPAA

October 07, 2025


Athenahealth BAA Availability

Athenahealth provides a standard Business Associate Agreement to covered entities and eligible partners that will create, receive, maintain, or transmit Protected Health Information (PHI) through its solutions. The BAA is typically included in contracting for new customers and is made available to existing clients upon request.

Availability can vary by product module and use case. If your workflow involves PHI, expect a BAA to be required; if your evaluation is limited to non-PHI sandboxes or de-identified data, the BAA may not be necessary until PHI is introduced. Always align your procurement timeline to ensure the BAA is fully executed before go-live.

  • New customers: usually receive the BAA during the master services or subscription agreement stage.
  • Existing customers: can request the latest BAA from account management or support, especially when adding new services that handle PHI.
  • Partners/subcontractors: may require a separate BA-to-BA agreement or flow-down terms if they will access PHI via your environment.

Note: This overview is for general information on HIPAA compliance and the HITECH Act and is not legal advice. Consult counsel for contract interpretation.

BAA Access Process

Obtaining Athenahealth’s BAA follows a predictable sequence designed to confirm HIPAA compliance before any PHI flows. Use the steps below to streamline execution:

  1. Scope your use of PHI: Identify which features, interfaces, and integrations will touch PHI and what minimum necessary data elements are required.
  2. Request the current BAA: Ask your sales, customer success, or support contact for the most recent version aligned to your product footprint.
  3. Legal and security review: Route the BAA and related security exhibits to your privacy, security, and legal teams to confirm the data safeguards, permitted uses, and breach reporting requirements.
  4. Complete required details: Verify legal names, addresses, and any identifiers (for example, NPIs) and list subcontractors that will require flow-down terms.
  5. Execute via approved e-signature: Ensure signing authority is documented and that countersigned copies are archived in your compliance repository.
  6. Enablement and validation: Only transmit PHI after execution. Validate access controls, user provisioning, and logging before production cutover.

Revisit the BAA during renewals, when adding new interfaces, or if your data flows or subcontractors change.

BAA Coverage Details

While specific language can vary, Athenahealth’s BAA generally tracks HIPAA and the HITECH Act. Expect provisions that address the following areas essential to HIPAA compliance:

Core privacy and use limitations

  • Permitted uses and disclosures: Business associate may use PHI solely to deliver contracted services or as required by law, observing the minimum necessary standard.
  • Prohibited activities: No unauthorized sale, marketing, or disclosure of PHI beyond what the agreement and law permit.

Security obligations and data safeguards

  • Administrative, physical, and technical safeguards: Implementation of policies, workforce training, facility protections, and security controls consistent with the HIPAA Security Rule.
  • Subcontractor flow-down: Any subcontractor that handles PHI must sign written terms imposing the same restrictions and safeguards.

Breach reporting requirements and incident handling

  • Security incidents and breaches: Prompt notice to the covered entity of any incident involving PHI, with details sufficient to support risk assessment and downstream notifications.
  • Cooperation duties: Assistance with investigation, mitigation, and documentation required under HIPAA/HITECH breach notification rules.

Rights, retention, and termination

  • Access and amendments: Support for individual rights requests routed through the covered entity (access, amendments, accounting of disclosures).
  • Return or destruction: Upon termination, PHI is returned or securely destroyed unless infeasible, with continuing protections for retained copies.
  • Documentation and audit: Maintenance of records needed to demonstrate compliance and accommodate audits where applicable.

Confirm any de-identification and analytics language if you plan to use de-identified data sets; BAAs often reference the HIPAA de-identification standards.

Compliance Certification

A BAA is a contractual requirement; it is not a certification. To evaluate a vendor’s broader security posture, organizations commonly request third-party reports and attestations. In healthcare, these may include:

  • Electronic Healthcare Network Accreditation Commission (EHNAC): Accreditation programs assessing privacy, security, and operational standards for healthcare networks and service providers.
  • SOC 2 Type II: Independent attestation of the design and operating effectiveness of security controls over a defined period.
  • HITRUST: Certification framework mapping multiple regulations and standards to a unified control set.

Ask for current reports, scope statements, and effective dates. Certifications and attestations provide assurance about controls but do not replace the BAA or your own due diligence.

Data Security Measures

Expect a layered control set aligned to the HIPAA Security Rule. While implementations differ by product and hosting model, common safeguards include:

  • Encryption: TLS for data in transit and strong encryption for PHI at rest, with managed keys and rotation practices.
  • Access controls: Role-based access, least privilege, multi-factor authentication, and periodic access reviews.
  • Monitoring and logging: Centralized logging, audit trails for PHI access, anomaly detection, and alerting.
  • Vulnerability and patch management: Routine scanning, risk-based patching, and secure configuration baselines.
  • Network security: Segmentation, firewalls, secure APIs, and protection against common web threats.
  • Resilience: Backups, disaster recovery plans with defined recovery point and recovery time objectives (RPO/RTO), and tested incident response procedures.
  • Secure development lifecycle: Code reviews, dependency management, and pre-release security testing.
  • Third-party risk: Vendor assessments and contractual flow-downs when subcontractors access PHI.

Verify which measures apply to your specific deployment and integration patterns, especially for data exchange with external systems.

BAA Agreement Requirement

Under HIPAA, you must have a signed BAA with any business associate before sharing PHI. This includes cloud platforms, EHR modules, billing services, analytics, and integration partners that encounter PHI on your behalf.

  • No BAA, no PHI: Do not transmit PHI until execution is complete and validated across all involved entities.
  • Inventory and governance: Maintain a current register of BA relationships, contract versions, and renewal dates.
  • Change control: Reassess the BAA when adding products, enabling new interfaces, or onboarding subcontractors.
  • Training and process: Educate staff on minimum necessary use, secure transmission, and incident reporting workflows.

Conclusion

The Athenahealth Business Associate Agreement operationalizes HIPAA compliance by defining how PHI may be used, how it must be protected, and how incidents must be reported. Obtain and review the BAA early, validate its data safeguards against your risk profile, and keep contracts current as your environment evolves. With the right controls and documentation in place, you can confidently deploy Athenahealth services while protecting patient privacy.

FAQs

How can healthcare providers obtain Athenahealth's BAA?

Request the current BAA from your Athenahealth sales or customer success contact during contracting, or through support if you are an existing customer. Complete required details, route it for legal review, and execute via e-signature before moving PHI into production.

What does the Athenahealth BAA cover regarding PHI?

It typically addresses permitted uses and disclosures of PHI, required administrative, physical, and technical safeguards, subcontractor flow-downs, breach reporting requirements, assistance with individual rights requests, and return or destruction of PHI at termination, aligned with HIPAA and the HITECH Act.

Is signing the Athenahealth BAA mandatory for HIPAA compliance?

Yes. If Athenahealth will create, receive, maintain, or transmit PHI for you, a signed Business Associate Agreement is required under HIPAA before any PHI is shared. The BAA complements—rather than replaces—your own compliance program and risk management.

What security measures does Athenahealth implement to protect patient data?

Expect layered data safeguards such as encryption in transit and at rest, role-based access with MFA, audit logging and monitoring, vulnerability and patch management, network segmentation, backups and disaster recovery, a tested incident response process, and oversight of third-party subcontractors handling PHI.
