When is a Business Associate Agreement required?

A BAA is required whenever a covered entity engages a business associate to perform functions or activities involving PHI, or provides PHI to the business associate. This includes technology vendors, cloud providers, billing services, and consultants with PHI access.

Do subcontractors need BAAs?

Yes. Under the HITECH Act, business associates must ensure their subcontractors who handle PHI also sign BAAs agreeing to the same restrictions and conditions. This creates a chain of compliance.

What happens if there's no BAA?

Operating without a BAA when one is required is a HIPAA violation. Both the covered entity and business associate can face penalties. OCR has levied multi-million dollar penalties for BAA failures.

HIPAA Business Associate Agreement (BAA) Guide

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity and a business associate - or between a business associate and its subcontractor. It establishes permitted and required uses of PHI and ensures the business associate will appropriately safeguard the information.

Key Point

A BAA must be in place before the business associate creates, receives, maintains, or transmits PHI on behalf of the covered entity. Operating without a BAA is a HIPAA violation for both parties.

Who is a Business Associate?

A person or entity that:

Creates, receives, maintains, or transmits PHI on behalf of a covered entity
Performs certain functions or activities involving PHI for a covered entity

Examples of Business Associates

EHR/EMR vendors
Cloud service providers hosting ePHI
Billing and claims processing companies
Practice management software vendors
IT service providers with PHI access
Consultants accessing PHI
Data analytics companies
Shredding and data destruction companies
Document storage companies
Legal, accounting, and actuarial services accessing PHI

When is a BAA Required?

A BAA is required in these situations:

Scenario	BAA Required?
Vendor hosts your EHR system	Yes
Cloud provider stores ePHI	Yes
IT company has access to systems containing PHI	Yes
Billing service processes patient information	Yes
Attorney reviews medical records for a case	Yes
Shredding company destroys documents with PHI	Yes
Consultant analyzes patient data	Yes
Answering service takes patient messages	Yes

When is a BAA NOT Required?

A BAA is not required in certain situations:

Workforce Members

Employees, volunteers, trainees, and other persons under direct control of a covered entity are not business associates - they're workforce members covered by the organization's own policies.

Treatment Disclosures

Disclosures to another healthcare provider for treatment purposes don't require a BAA.

Conduits

Organizations that merely transport PHI but don't access it (like the postal service or certain internet service providers) are "conduits" and don't need BAAs.

De-identified Data

If data is properly de-identified per HIPAA standards, it's no longer PHI and no BAA is needed.

Patient-Requested Disclosures

Disclosures to third parties at the patient's request don't require BAAs.

Required BAA Provisions

HIPAA specifies provisions that must be included in a BAA (45 CFR § 164.504(e)):

1. Permitted and Required Uses

Describe what the business associate is allowed (and required) to do with PHI:

Specific services being provided
Types of PHI involved
Purposes for which PHI may be used

2. Prohibition on Unauthorized Use/Disclosure

Agreement not to use or disclose PHI other than as permitted or required by the BAA or as required by law.

3. Appropriate Safeguards

Agreement to use appropriate safeguards to prevent unauthorized use or disclosure, including compliance with Security Rule requirements for ePHI.

4. Breach Reporting

Agreement to report any security incident or breach of unsecured PHI to the covered entity.

5. Subcontractor Requirements

Agreement to ensure any subcontractors with PHI access agree to the same restrictions and conditions.

6. Access for Individuals

Agreement to make PHI available for individuals to exercise their access rights.

7. Amendment

Agreement to make PHI available for amendment and incorporate any amendments.

8. Disclosure Accounting

Agreement to document disclosures and information required to provide accounting of disclosures.

9. HHS Access

Agreement to make internal practices, books, and records available to HHS for compliance determination.

10. Return or Destruction

Agreement to return or destroy PHI at termination if feasible; if not feasible, extend protections.

11. Termination Authority

Authorization for covered entity to terminate if business associate violates a material term.

Additional Recommended Clauses

Beyond required provisions, consider including:

Specific Security Requirements

Encryption standards (AES-256, TLS 1.2+)
Access control requirements
Audit logging requirements
Backup and disaster recovery

Breach Notification Details

Specific timeframes for notification (e.g., 24-72 hours)
Required content of notifications
Contact information
Cooperation requirements

Insurance Requirements

Cyber liability insurance minimums
Errors and omissions coverage
Certificate of insurance requirements

Compliance Verification

Right to audit or inspect
Third-party assessment requirements (SOC 2, HITRUST)
Security questionnaire completion

Indemnification

Breach-related costs (notification, credit monitoring)
Regulatory fines resulting from BA failures
Legal defense costs

Data Location

Geographic restrictions on data storage
Data center requirements
Notification if location changes

Subcontractor Requirements

The HITECH Act extended HIPAA requirements to subcontractors. Business associates must:

Execute BAAs with subcontractors before sharing PHI
Ensure subcontractor BAAs contain the same restrictions
Be responsible for subcontractor compliance

Common Subcontractor Scenarios

Business Associate	Subcontractor	BAA Needed?
SaaS EHR vendor	AWS hosting the application	Yes
Billing service	Clearinghouse processing claims	Yes
IT service provider	Remote support tool vendor	Yes (if PHI accessible)
Any BA	Data backup service	Yes

Negotiation Considerations

For Covered Entities (Customers)

Don't accept vendor BAAs blindly: Review terms carefully
Strengthen breach notification: Require faster notification than HIPAA minimum
Require evidence of compliance: SOC 2, HITRUST, or right to audit
Clarify responsibilities: Ensure safeguards match your expectations
Address data location: Know where your PHI will be stored

For Business Associates (Vendors)

Understand your obligations: Don't agree to terms you can't meet
Cap liability appropriately: Negotiate reasonable indemnification limits
Align breach notification: Ensure timelines are achievable
Clarify scope: Be specific about services covered
Address subcontractors: Ensure your downstream BAAs align

Red Flags in BAAs

Unlimited liability for vendor
Unrealistic breach notification timelines (e.g., immediate)
Requirements that exceed HIPAA
Vague security requirements
No termination provisions

BAA Management

Managing BAAs is an ongoing responsibility:

Inventory

Maintain a list of all business associates
Track BAA status (executed, pending, expired)
Record key terms and expiration dates

Ongoing Oversight

Review vendor compliance periodically
Request updated attestations (SOC 2, security questionnaires)
Monitor for breaches or compliance issues
Update BAAs when services or regulations change

Termination

Ensure PHI is returned or destroyed
Document the termination process
Verify destruction certificates if applicable

A signed BAA doesn't guarantee compliance - it's a contractual foundation. True protection comes from verifying that your business associates actually implement the safeguards they've agreed to.

HIPAA BAA Compliance

HIPAA Business Associate Agreement (BAA) Guide: When Needed & Key Clauses

In This Guide