HIPAA Business Associate Agreement (BAA) Guide: Requirements, Template & Common Mistakes

A Business Associate Agreement (BAA) is a legally required contract between a HIPAA covered entity and any business associate that creates, receives, maintains, or transmits protected health information (PHI) on behalf of the covered entity. Without a proper BAA in place, both parties are in violation of HIPAA, regardless of whether a breach has occurred. This guide covers everything you need to know about BAAs, from determining who qualifies as a business associate to structuring compliant agreements.

What Is a Business Associate Under HIPAA?

Under HIPAA, a business associate is any person or organization that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information. This definition was significantly expanded by the HITECH Act and the 2013 Omnibus Rule, which made business associates directly liable for compliance with many HIPAA provisions. Common examples of business associates include cloud hosting providers that store ePHI, IT managed service providers with access to systems containing PHI, medical billing and coding companies, claims processing firms, practice management software vendors, email encryption services used for PHI transmission, shredding companies that destroy PHI-containing media, and attorneys or accountants who receive PHI. Importantly, a vendor becomes a business associate even if it does not intend to access PHI, as long as the possibility exists that it could. For example, a cloud storage provider is a business associate even if data is encrypted and the provider does not hold the decryption keys, because the provider maintains ePHI. The determination of business associate status focuses on the function performed and the potential for PHI access, not on whether PHI is actually viewed or used.
  • A business associate performs functions involving the use or disclosure of PHI on behalf of a covered entity
  • The 2013 Omnibus Rule made business associates directly liable for HIPAA compliance
  • Cloud providers are business associates even if they cannot decrypt the stored PHI
  • Business associate status is determined by function and potential access, not actual PHI viewing
  • Examples include IT providers, billing companies, cloud hosts, and shredding services

When Is a BAA Required?

A BAA must be executed before any PHI is shared with or accessible to the business associate. There is no grace period or exception for organizations that are in the process of negotiating an agreement. The requirement applies to all forms of PHI including electronic, paper, and oral. Covered entities must have BAAs with every business associate, and business associates must have downstream BAAs (sometimes called subcontractor agreements) with their own subcontractors that handle PHI. There are limited exceptions where a BAA is not required. Treatment-related disclosures between covered entities do not require a BAA. Disclosures to a health plan for payment purposes are also exempt. Conduit entities that merely transport PHI without persistent access, such as the postal service or internet service providers, do not need BAAs. Financial institutions processing payment transactions involving PHI are also exempt under certain conditions. However, when in doubt, the safer approach is to execute a BAA. The cost of having an unnecessary BAA is negligible compared to the penalties for failing to have a required one. OCR has imposed settlements ranging from $50,000 to $1.5 million solely for the failure to have BAAs in place.
  • BAAs must be executed before any PHI is shared with the business associate
  • Business associates must have downstream BAAs with their own subcontractors
  • Conduit entities like postal services and ISPs are exempt from BAA requirements
  • Treatment-related disclosures between covered entities do not require a BAA
  • When in doubt, execute a BAA; OCR has imposed settlements up to $1.5 million for missing BAAs

Required Provisions of a HIPAA BAA

The HIPAA Privacy Rule at 45 CFR 164.504(e) specifies the mandatory elements of a BAA. The agreement must describe the permitted and required uses and disclosures of PHI by the business associate. It must prohibit the business associate from using or disclosing PHI other than as permitted by the contract or required by law. The BAA must require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure, including implementing the requirements of the Security Rule for electronic PHI. The agreement must require the business associate to report any use or disclosure not provided for in the agreement, including breaches of unsecured PHI. It must require the business associate to ensure that any subcontractors that handle PHI agree to the same restrictions and conditions through a downstream BAA. The BAA must require the business associate to make PHI available to individuals for access and amendment requests, and to make information available for an accounting of disclosures. It must require the business associate to make its practices, books, and records available to HHS for compliance determination. Finally, the BAA must require the business associate to return or destroy all PHI at the termination of the agreement, if feasible.
  • Must describe permitted and required uses and disclosures of PHI
  • Must require appropriate safeguards including Security Rule compliance for ePHI
  • Must require breach reporting and notification to the covered entity
  • Must require downstream BAAs with all subcontractors that handle PHI
  • Must address PHI return or destruction upon contract termination

Key Sections of a BAA Template

A well-structured BAA template typically begins with definitions of key terms including business associate, covered entity, PHI, ePHI, breach, security incident, and unsecured PHI. These definitions should align exactly with the HIPAA regulatory definitions. The obligations section details the business associate's duties, including implementing administrative, physical, and technical safeguards, maintaining a security management process, designating a security official, and training workforce members. The permitted uses and disclosures section specifies exactly what the business associate may do with PHI, typically limiting it to performing services under the underlying service agreement, management and administration of the business associate, and data aggregation services if applicable. The breach notification section should specify the timeframe for reporting breaches to the covered entity, the information that must be included in the report, and the business associate's obligations to mitigate harmful effects. The subcontractor section addresses how the business associate will manage its own vendors, including the requirement for downstream BAAs. The term and termination section defines how the agreement can be terminated for cause if the business associate violates the agreement, and how PHI will be handled upon termination. Many organizations also include provisions for indemnification, limitation of liability, and dispute resolution, though these are not required by HIPAA.
  • Definitions section must align exactly with HIPAA regulatory definitions
  • Obligations section covers safeguards, security management, official designation, and training
  • Permitted uses must be limited to performing services, administration, and data aggregation
  • Breach notification section must specify reporting timeframes and required information
  • Term and termination section must address PHI return or destruction

Common BAA Mistakes That Lead to Violations

The most prevalent BAA mistake is simply failing to execute one at all. OCR investigations frequently discover that covered entities have shared PHI with vendors for years without a BAA in place. The second most common mistake is using a BAA template that has not been updated since the 2013 Omnibus Rule, which significantly changed business associate obligations. Pre-Omnibus BAAs that lack provisions for Security Rule compliance, breach notification, and subcontractor management are non-compliant. Another frequent error is failing to execute downstream BAAs with subcontractors. A cloud hosting provider that stores ePHI for a business associate needs its own BAA with that business associate. Organizations also commonly make the mistake of treating the BAA as a one-time document that is signed and forgotten. BAAs should be reviewed and updated when regulations change, when the scope of services changes, or when the business associate's data handling practices are modified. Vague language around permitted uses and disclosures is another problematic pattern, as overly broad permission clauses may not satisfy HIPAA requirements. Finally, some organizations fail to include adequate breach notification timeframes, using language like "promptly" or "as soon as practicable" instead of specific deadlines such as 30 or 60 days.
  • The most common mistake is not having a BAA at all with vendors that handle PHI
  • Pre-2013 Omnibus Rule BAAs lack required provisions and must be updated
  • Downstream BAAs with subcontractors are frequently overlooked
  • BAAs should be reviewed periodically, not signed once and forgotten
  • Vague breach notification timeframes weaken the agreement's enforceability

BAA Enforcement and Consequences

OCR has made BAA compliance a priority in its enforcement efforts. In its most recent audit program, OCR found that a significant percentage of covered entities lacked required BAAs with their vendors. Raleigh Orthopaedic Clinic paid $750,000 for providing a business associate with access to PHI on a shared server without executing a BAA. Care New England Health System paid $400,000 for using a business associate that stored PHI without a BAA for over two years. North Memorial Health Care paid $1.55 million when a business associate's laptop containing PHI of 9,497 individuals was stolen, and the investigation revealed no BAA was in place. Beyond OCR enforcement, the absence of a BAA creates significant legal exposure. Without a BAA, the covered entity has no contractual mechanism to require the business associate to comply with HIPAA, report breaches, or return PHI upon termination. In litigation following a breach, the absence of a BAA can be used as evidence of negligence. Organizations should maintain a comprehensive inventory of all business associates and the status of their BAAs, with regular reviews to ensure agreements remain current and complete.
  • OCR audits have found widespread BAA non-compliance among covered entities
  • North Memorial paid $1.55 million when a breach revealed no BAA existed with a business associate
  • Without a BAA, there is no contractual mechanism to enforce HIPAA compliance on vendors
  • Absence of a BAA can serve as evidence of negligence in breach litigation
  • Organizations should maintain a current inventory of all business associates and BAA status

Key Takeaways

  • A BAA is legally required before any PHI is shared with or accessible to a business associate
  • Business associates are directly liable for HIPAA compliance since the 2013 Omnibus Rule
  • BAAs must include specific provisions mandated by 45 CFR 164.504(e) including breach notification and subcontractor requirements
  • The most common violation is simply failing to have a BAA in place at all
  • Pre-Omnibus BAA templates are non-compliant and must be updated
  • Organizations should maintain a business associate inventory with regular BAA reviews
  • OCR settlements for missing BAAs have reached $1.55 million

Frequently Asked Questions

What happens if you don't have a BAA with a vendor?

Operating without a required BAA is a HIPAA violation for both the covered entity and the business associate, regardless of whether a breach occurs. OCR settlements for missing BAAs have ranged from $50,000 to $1.55 million. Both parties face potential enforcement action and have no contractual mechanism to enforce HIPAA compliance obligations.

Does a cloud provider need a HIPAA BAA?

Yes. Any cloud provider that stores, processes, or transmits PHI on behalf of a covered entity or business associate is itself a business associate and requires a BAA. This applies even if the data is encrypted and the cloud provider does not hold the decryption keys, because the provider maintains the ePHI.

How often should a BAA be updated?

BAAs should be reviewed and updated whenever HIPAA regulations change, when the scope of services changes, when the business associate's data handling practices are modified, or at minimum annually. Organizations should avoid treating BAAs as static documents that are signed once and never revisited.

What is the difference between a BAA and a DPA?

A BAA (Business Associate Agreement) is required by HIPAA for U.S. healthcare data, while a DPA (Data Processing Agreement) is required by GDPR for EU personal data. Both govern how third parties handle sensitive data, but they have different legal bases, required provisions, and applicable penalties. Organizations handling both types of data may need both agreements with a single vendor.

Can a BAA be part of a larger service agreement?

Yes. A BAA can be a standalone document or incorporated as an addendum or exhibit to a larger service agreement. What matters is that all required provisions under 45 CFR 164.504(e) are included and that the BAA is executed before PHI is shared. Many organizations prefer a standalone BAA for clarity and easier updating.

Do business associates need BAAs with their subcontractors?

Yes. The 2013 Omnibus Rule requires business associates to execute downstream BAAs with any subcontractor that creates, receives, maintains, or transmits PHI on the business associate's behalf. This requirement flows down through the entire chain of entities handling PHI.
