Business Associate Agreements (BAA)

A Business Associate Agreement is a legally required contract ensuring that vendors and subcontractors handling PHI comply with HIPAA requirements.
What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity and a business associate, or between a business associate and a subcontractor. The agreement establishes the permitted and required uses and disclosures of protected health information (PHI) by the business associate, mandates appropriate safeguards, and defines each party's responsibilities for compliance.

No covered entity may share PHI with a vendor, contractor, or service provider until a BAA is executed. This requirement is absolute — even if a business associate has robust security practices and excellent intentions, the absence of a signed BAA is itself a HIPAA violation.

BAAs are a central element of HIPAA compliance. For broader context on how they fit into the compliance framework, see the main HIPAA page and the HIPAA glossary entry.

Who is a business associate?

A business associate is any person or organization that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. The HITECH Act expanded this definition significantly, making business associates directly subject to HIPAA's Security Rule and certain provisions of the Privacy Rule.

Common examples include cloud service providers, IT managed service providers, billing companies, EHR vendors, data analytics firms, consultants, shredding companies, email platforms used to transmit PHI, law firms, and accountants. A critical point: simply stating that a vendor "will not access PHI" does not eliminate the BAA requirement if the vendor's services involve PHI in any form. A cloud provider hosting encrypted ePHI is a business associate even if it never decrypts the data.

Subcontractors

Under the Omnibus Rule, subcontractors of business associates are themselves considered business associates. This means a business associate must execute BAAs with its own downstream vendors that handle PHI. The chain of contractual protection must extend to every entity that touches PHI.

When is a BAA required?

A BAA is required whenever a covered entity engages a business associate to perform a function or service involving PHI, or whenever a business associate engages a subcontractor for the same purpose. The timing is important: the BAA must be in place before any PHI is shared.

When a BAA is NOT required

A BAA is not needed when the vendor is a mere conduit (like the postal service), the relationship is between a covered entity and a patient, the vendor's services do not involve PHI, or covered entities share PHI for treatment purposes. The determination should always be documented — when in doubt, executing a BAA is the safer approach.

Required provisions of a BAA

The Privacy Rule (45 CFR 164.504(e)) and the Security Rule specify the provisions a BAA must contain. Organizations may negotiate additional terms, but the following elements are mandatory:

  • Permitted uses and disclosures — describe how the business associate may use PHI, consistent with the Privacy Rule. The BAA may not authorize uses that would violate the Privacy Rule if done by the covered entity itself.
  • Appropriate safeguards — require the business associate to implement Security Rule safeguards (administrative, physical, and technical) to prevent unauthorized use or disclosure.
  • Breach reporting — require reporting of any impermissible use or disclosure, including breaches of unsecured PHI. The Breach Notification Rule sets a 60-day deadline, but many BAAs negotiate shorter timelines.
  • Subcontractor compliance — require downstream vendors handling PHI to agree to the same restrictions and execute their own BAAs.
  • Individual rights support — make PHI available for individual access requests, amendment requests, and accounting of disclosures.
  • HHS access — make internal practices, books, and records available to HHS for compliance determinations.
  • Return or destroy PHI — at termination, return or destroy all PHI. If infeasible, extend protections and limit further use.
  • Termination authority — authorize the covered entity to terminate the agreement for material violations.

Liability under a BAA

The HITECH Act fundamentally changed the liability landscape for business associates. Before HITECH, business associates were liable only to the covered entity through the contractual terms of the BAA. After HITECH, business associates are directly liable to HHS for compliance with the Security Rule, the breach notification requirements, and certain Privacy Rule provisions.

Covered entity liability

A covered entity is not liable for a business associate's HIPAA violations if the entity did not know (and, exercising reasonable diligence, would not have known) of a pattern of violations. However, if the covered entity knows of a violation and fails to take reasonable steps to cure the breach or terminate the agreement, the entity becomes liable.

Business associate liability

Business associates face the same tiered penalty structure as covered entities — from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Criminal penalties of up to $250,000 and imprisonment also apply.

Contractual indemnification

Beyond HIPAA's statutory penalties, BAAs frequently include indemnification clauses, limitation of liability provisions, and insurance requirements that allocate financial risk between the parties. These terms are negotiated commercially and are not required by HIPAA, but they are practically important for managing exposure.

Managing BAAs at scale

Healthcare organizations often maintain dozens or hundreds of BAAs. Effective management requires:

  • A centralized inventory tracking all agreements and their renewal dates.
  • Standardized templates containing all required provisions.
  • Automated renewal tracking.
  • Periodic vendor risk assessments.
  • Ongoing compliance monitoring through certifications and audit reports.
  • Thorough documentation of every decision and agreement.

Common BAA mistakes

Organizations frequently encounter these pitfalls with BAAs:

  • Missing BAAs entirely — the most basic and most common violation. Every vendor relationship should be evaluated for BAA necessity during procurement.
  • Using outdated templates — BAAs drafted before the 2013 Omnibus Rule may lack required provisions for breach notification, subcontractor compliance, and Security Rule obligations.
  • Failing to cascade to subcontractors — a business associate that does not execute BAAs with its own vendors breaks the chain of protection.
  • Ignoring termination provisions — when a vendor relationship ends, the BAA's return-or-destroy provisions must be enforced. Orphaned PHI at former vendors is a significant risk.
  • Not monitoring compliance — executing a BAA is not a one-time event. Ongoing oversight of business associate security practices is expected.

The HIPAA compliance checklist includes BAA management requirements as a core component of the overall compliance program.