What a Business Associate Agreement is
A Business Associate Agreement (BAA) is a written contract between a HIPAA covered entity — or another business associate — and a vendor that handles protected health information (PHI) on its behalf. The BAA is what makes it lawful to hand PHI to that vendor at all: it binds them to protect the data, use it only for the agreed purpose, and answer for a breach.
It is not paperwork for its own sake. Since the 2013 Omnibus Rule, business associates are directly liable under HIPAA — the government can penalize them, not just the provider that hired them. The BAA is the document that pins down who is responsible for what.
Who counts as a business associate
A business associate is any person or company that creates, receives, maintains, or transmits PHI to perform a function or service for you. Common examples for a small healthcare org:
- IT providers and MSPs with access to systems that store ePHI
- Cloud hosting and storage (servers, backups, file storage)
- EHR, billing, and practice-management vendors
- Document shredding and media disposal companies
- Attorneys, accountants, and consultants who see PHI to do their job
- Answering services and transcription vendors
Two consequences that trip people up:
- Subcontractors are business associates too. If your vendor hands PHI to their vendor, that chain needs BAAs all the way down.
- The "mere conduit" exception is narrow. An entity that only transports data and does not access it — a postal carrier, an ISP moving packets — is not a business associate. A cloud provider that stores your ePHI is, even if it never looks at it.
When you need a BAA — and when you don't
You need a BAA whenever an outside party will handle PHI on your behalf. You generally do not need one when:
- You disclose PHI to another healthcare provider for treatment (a referral, for example).
- The person is a member of your own workforce — employees are covered by your policies, not a BAA.
- The data has been properly de-identified, so it is no longer PHI.
When in doubt, ask a simple question: will this vendor be able to see, store, or move our patients' information? If yes, get the agreement in place before any PHI changes hands.
What the agreement must contain
HIPAA specifies the assurances a BAA must include (45 CFR § 164.504(e)). At a minimum it must:
- Define permitted uses and disclosures of PHI and prohibit any use beyond the contract or what the law allows.
- Require appropriate safeguards, including compliance with the Security Rule for electronic PHI.
- Require the business associate to report breaches and security incidents to you.
- Flow the same terms down to subcontractors who touch the PHI.
- Make PHI available for individuals' access and amendment rights and for an accounting of disclosures.
- Return or destroy all PHI when the contract ends, where feasible.
- Allow termination if the business associate materially violates the agreement.
The BAA does not have to be a standalone document — the terms can live inside a larger service contract — but every one of these assurances has to be there.
Managing BAAs across your vendors
One signed BAA in a drawer is not a program. The vendor inventory this depends on is the same one your HIPAA Security Rule risk analysis should already produce — every system and party that touches ePHI. Auditors expect to see that you actively track them:
- Keep a vendor inventory — every party that touches PHI, with a current, signed BAA on file.
- Match the BAA to reality. If a vendor's access grows, revisit the agreement.
- Set a review cadence. Check BAAs during annual compliance reviews and whenever you onboard or offboard a vendor.
- Close the loop at termination — confirm PHI was returned or destroyed when a vendor relationship ends.
The bottom line
A BAA is the difference between a lawful vendor relationship and an unreported disclosure of PHI. Identify everyone who handles your patients' data, get a compliant agreement signed before the data moves, and keep the list current. It is one of the cheapest pieces of compliance to get right — and one of the most expensive to get wrong.