What is a BAA, in plain English?
A Business Associate Agreement (BAA) is a contract between a healthcare provider (the "covered entity"; in this case, your clinic) and a third party that handles patient information on your behalf (the "business associate"; in this case, your compounding pharmacy).
The BAA obligates the business associate to protect that information the same way you are required to under HIPAA. It also establishes what happens if something goes wrong, such as a data breach.
Without a signed BAA, you are in violation of HIPAA the moment you send a prescription containing patient information to a compounding pharmacy. This is true regardless of how small your practice is or how few patients you serve.
⚠️ "But my pharmacy is small / local / trustworthy..."
HIPAA has no size exemption. A BAA is required whenever PHI crosses your organization's boundary to a third-party vendor, regardless of the vendor's size, location, or how long you've worked with them. Trust is not a compliance substitute.
When does a compounding pharmacy become a Business Associate?
A third party is your Business Associate when they create, receive, maintain, or transmit PHI on your behalf. Compounding pharmacies do all four:
[Data-flow diagram] Your Clinic (patient name, DOB, diagnosis, Rx details) → Prescription Transmission (fax, portal, or e-prescribe; BAA required before this step) → Compounding Pharmacy (receives, processes, and stores your patients' PHI)
What a BAA must include under HIPAA
The U.S. Department of Health and Human Services specifies what a BAA must cover. A BAA that's missing key provisions is nearly as problematic as having no BAA at all.
Permitted uses and disclosures
The BAA must explicitly state how the business associate is allowed to use PHI, and what it cannot do with it. For a compounding pharmacy, that means dispensing to the specific patient, billing, and operational recordkeeping, and nothing else.
Prohibition on unauthorized use
The pharmacy must agree not to use or disclose PHI in ways not permitted by the agreement or required by law. This means no using patient data for marketing, selling patient lists, or sharing with unauthorized parties.
Appropriate safeguards
The business associate must use reasonable administrative, physical, and technical safeguards to prevent unauthorized use or disclosure. Ask what these safeguards are; a good pharmacy has a documented answer.
Breach notification: within 60 days
If the pharmacy discovers a breach of unsecured PHI, they must notify you without unreasonable delay and no later than 60 calendar days. The BAA should specify the notification contact and method. You then have your own notification obligations to affected patients.
Patient rights support
The pharmacy must support your ability to comply with patients' HIPAA rights โ including the right to access, amend, or restrict their PHI. If a patient requests their prescription records, the pharmacy must cooperate.
Subcontractor obligations
If the pharmacy uses subcontractors who will access PHI (like a third-party billing company or IT vendor), those subcontractors must be bound by the same protections. The pharmacy must get their own BAAs from their subcontractors.
Termination and PHI disposal
The BAA must specify what happens to PHI when the relationship ends. The pharmacy should return or destroy all PHI at contract termination and provide written certification that this has been done.
What happens without a BAA?
HIPAA violations are categorized by culpability. Operating without a BAA when one is required typically falls into the "reasonable cause" or "willful neglect" tiers:
| Violation tier | Penalty per violation | Annual cap |
|---|---|---|
| Unknowing violation | $100 – $50,000 | $25,000 |
| Reasonable cause (no willful neglect) | $1,000 – $50,000 | $100,000 |
| Willful neglect, corrected | $10,000 – $50,000 | $250,000 |
| Willful neglect, uncorrected | $50,000+ | $1,500,000 |
Each patient prescription transmitted without a BAA in place could be treated as a separate violation. For a clinic that has been sourcing compounded medications for months without a BAA, the exposure adds up fast.
OCR enforcement is real
The HHS Office for Civil Rights (OCR) has levied seven-figure penalties against covered entities for BAA failures. In 2023, a multi-state cardiology practice paid $450,000 after an investigation found missing BAAs with several business associates. OCR regularly audits covered entities on BAA compliance. See OCR enforcement cases.
Common BAA mistakes in pharmacy relationships
- Sending prescriptions before the BAA is signed
- Using a generic BAA template that doesn't cover compounding-specific data flows
- Not updating the BAA when the relationship changes
- Assuming the pharmacy's BAA adequately protects your clinic
- Not keeping a signed copy on file
How Veridian handles BAAs
Every pharmacy in Veridian's network has a BAA in place through our platform before any clinic can begin sourcing from them. When a clinic onboards through Veridian:
- Platform-level BAA: Veridian maintains BAAs with all network pharmacies covering the data flows on our platform. Clinics signing our services agreement incorporate these protections.
- Facilitated direct BAAs: For direct-relationship requirements, Veridian facilitates the execution of BAAs between clinics and pharmacies as part of onboarding. No chasing PDFs.
- Document retention: Executed BAAs are stored in Veridian's compliance records. You can access copies at any time.
- Renewal tracking: Veridian monitors BAA effective dates and notifies clinics and pharmacies before agreements expire or need review.
Veridian's licensed pharmacy network is continuously monitored for compliance
BAA execution is handled automatically during onboarding: no paperwork to chase, no missing agreements in your files.