In an ideal world, each healthcare provider (also known as a Covered Entity) has a signed agreement with all of its current business associates.
A business associate is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity".1
The primary reason for a signed agreement between the covered entity and its business associates is that it is required by federal law, specifically the HIPAA Privacy Rule.
The HIPAA Privacy Rule General Provision requires that "a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity".2
In a 2018 settlement (not a court ruling), Advanced Care Hospitalists PL (ACH), a Florida contractor physicians' group, paid $500,000 to the Office for Civil Rights (OCR) and adopted a corrective action plan to resolve potential violations of the HIPAA Privacy and Security Rules.
In 2011 and 2012, ACH engaged the billing services of an individual who misrepresented himself as working for the company Doctor's First Choice Billings, Inc. (First Choice). HHS refers to this individual in its publication as an "unknown vendor".
ACH and the "billing vendor" did not have a business associate agreement in place before or during the period in which the vendor's services were provided.
According to the Resolution Agreement, ACH disclosed patients' PHI to the billing vendor without obtaining any assurance that the vendor would protect the PHI and adhere to the HIPAA standards.
In 2014, a local hospital informed ACH that patients' demographic information (name, date of birth, and Social Security number) and clinical information could be viewed on the billing vendor's website. ACH then filed a breach report with OCR indicating that the PHI of a total of 9,255 patients may have been affected.
An HHS investigation followed the breach report. Ultimately, three HIPAA violations were found: (1) no BAA with the vendor, (2) no HIPAA policies and procedures, and (3) no risk analysis.