What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA between a covered entity and a business associate, or between two business associates. The BAA establishes the permitted uses and disclosures of Protected Health Information (PHI) and requires the business associate to implement appropriate safeguards to protect that information.
Why BAAs are required
Under HIPAA, covered entities cannot simply hand over PHI to vendors and service providers without contractual protections. The BAA creates a legal obligation for the business associate to:
- Protect PHI with appropriate administrative, physical, and technical safeguards
- Report security incidents and breaches to the covered entity
- Limit the use and disclosure of PHI to the purposes specified in the agreement
- Return or destroy PHI when the contract ends
- Make PHI available for individual access requests when required
Without a BAA in place, sharing PHI with a business associate is itself a HIPAA violation, regardless of whether a breach actually occurs.
Required elements of a BAA
HIPAA regulations (45 CFR 164.504(e)) specify that a BAA must include:
- Permitted uses and disclosures — a description of what the business associate may and may not do with PHI
- Safeguard requirements — an obligation to use appropriate safeguards to prevent unauthorized use or disclosure
- Reporting obligations — requirements to report breaches, security incidents, and unauthorized disclosures
- Subcontractor obligations — if the business associate engages subcontractors who will access PHI, the BAA must require those subcontractors to agree to the same restrictions
- Individual rights — provisions supporting the covered entity's obligations regarding individual access to PHI
- HHS access — agreement to make practices, books, and records available to HHS for compliance determination
- Termination provisions — conditions under which the agreement terminates and obligations for return or destruction of PHI
When a BAA is needed
A BAA is required whenever a covered entity engages a business associate that will create, receive, maintain, or transmit PHI on its behalf. Common scenarios include:
- Cloud hosting providers storing ePHI
- IT service providers with access to systems containing PHI
- Billing and claims processing companies
- Legal, accounting, or consulting firms reviewing PHI
- SaaS applications processing health data
- Shredding and data destruction companies
Common mistakes with BAAs
Organizations frequently make errors with BAAs:
- Missing BAAs — using vendors that handle PHI without a signed BAA in place
- Template overreliance — using generic templates without tailoring to the specific vendor relationship
- No tracking — failing to maintain an inventory of all BAAs and their renewal dates
- Stale agreements — not updating BAAs when the scope of services or PHI usage changes
- Ignoring subcontractors — not requiring downstream BAAs when business associates engage their own subcontractors
BAA vs NDA
A BAA is not the same as a non-disclosure agreement (NDA). While an NDA protects confidential business information in general, a BAA addresses the specific HIPAA requirements for handling PHI. An NDA alone does not satisfy the HIPAA requirement for a BAA.
How episki helps
episki tracks all your business associate relationships and BAA status in one place. The platform sends renewal reminders, maintains a complete inventory of agreements, and flags vendors that handle PHI but lack a signed BAA. Learn more on our HIPAA compliance page.