Glossary · Compliance
Glossary · ComplianceBusiness Associate Agreement (BAA)
A written contract under HIPAA between a covered entity (the practice) and a business associate (a vendor that handles PHI). Required before any PHI is shared with the business associate.
Definition
Business Associate Agreement (BAA).
A written contract under HIPAA between a covered entity (the practice) and a business associate (a vendor that handles PHI). Required before any PHI is shared with the business associate.
Sources
Primary references for this entry.
- HHS Office for Civil Rights HIPAA Privacy Rule.
- 45 CFR 164.504(e).
Related terms
Other terms in Compliance.
- Compliance
HIPAA (Health Insurance Portability and Accountability Act)
The 1996 federal law (and subsequent rules) that establishes national standards for the privacy, security, and electronic exchange of protected health information (PHI).
Open entry - Compliance
HITRUST CSF
A certifiable security framework that maps to HIPAA, NIST, ISO 27001, and other healthcare data protection standards in a single certification. Widely required for U.S. healthcare-data vendors.
Open entry - Compliance
Medical Necessity
The standard that a service must be reasonable and necessary for the diagnosis or treatment of a patient's condition to qualify for coverage. Defined per payer and often documented in Local Coverage Determinations (LCDs) and National Coverage Determinations (NCDs).
Open entry - Compliance
MIPS (Merit-based Incentive Payment System)
The CMS Quality Payment Program track that scores eligible Medicare clinicians on Quality, Cost, Improvement Activities, and Promoting Interoperability. Scores translate to positive, neutral, or negative payment adjustments two years later.
Open entry - Compliance
No Surprises Act (NSA)
The 2022 federal law protecting patients from surprise out-of-network bills in emergency settings and at in-network facilities. Established the Independent Dispute Resolution (IDR) process for payer-provider payment disputes.
Open entry - Compliance
SOC 2 Type II
An independent attestation report on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy, evaluated over a specified period (typically 6 to 12 months).
Open entry
Frequently asked
About Business Associate Agreement (BAA).
Talk to RCM
Ready to recover every dollar your practice earns?
See your projected revenue lift in 60 seconds, or talk to a senior RCM strategist now. No commitment. Same-day slots available.
- 30-day parallel-run guarantee
- Targets written into the contract
- HIPAA · SOC 2 Type II · HITRUST