Business Associate Agreements: What They Are and Why You Need One
> TL;DR: A Business Associate Agreement (BAA) is a legally required contract between a HIPAA covered entity and any vendor that creates, receives, maintains, or transmits protected health information on its behalf. Operating without BAAs for all applicable vendors is one of the most commonly cited — and most expensive — HIPAA violations. This guide covers who needs a BAA, what it must contain, and how compliance platforms with built-in BAA tracking eliminate the manual overhead of managing them at scale.
A business associate agreement (BAA) is a legally required contract under HIPAA (45 CFR 164.502(e) and 164.504(e)) between a covered entity, such as a healthcare provider or health plan, and any third-party organization that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. The BAA extends HIPAA's privacy and security obligations to the third party and is mandatory before any PHI can be shared. Operating without a BAA exposes both parties to federal enforcement actions and civil monetary penalties.
There is a question that comes up in almost every HIPAA training session: "Do we need a BAA with that vendor?" The answer is almost always yes, and the consequences of getting it wrong are expensive.
The parties to a BAA are a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and any person or organization that performs functions or activities involving the use or disclosure of PHI on the covered entity's behalf. The requirement sits at 45 CFR 164.502(e) and 164.504(e), and it has been a central part of HIPAA enforcement since the HITECH Act expanded its reach in 2009.
The BAA is not a formality. It is the legal mechanism that extends HIPAA's privacy and security requirements to the third parties who touch your patient data. Without it, both the covered entity and the business associate are exposed to enforcement actions, civil monetary penalties, and breach liability.
This guide covers who counts as a business associate, what a BAA must include, how the requirements evolved, and how to manage these agreements without losing track of them.
Who Counts as a Business Associate?
The HIPAA Privacy Rule defines a business associate as any person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides certain services to, a covered entity. The definition was broadened significantly by the HITECH Act of 2009, which made business associates directly liable for compliance with certain HIPAA provisions. The 2013 Omnibus Rule finalized these changes and further clarified the scope.
Here are specific examples of business associates that healthcare organizations commonly work with:
IT service providers and managed service providers (MSPs). If a company manages your network, maintains your servers, or has access to systems that contain ePHI, they are a business associate. This is true even if they claim they "never look at patient data." Access is the trigger, not intent.
Cloud service providers. Any cloud platform that stores, processes, or transmits ePHI on your behalf is a business associate. This includes infrastructure providers (AWS, Microsoft Azure, Google Cloud), SaaS applications that handle patient data, and cloud-based backup services. In 2016, OCR published specific guidance confirming that cloud service providers are business associates when they handle ePHI, regardless of whether they actually view the data (Source: HHS OCR, Guidance on HIPAA & Cloud Computing, 2016).
Electronic health record (EHR) vendors. Your EHR vendor stores and processes the bulk of your patient data. They are absolutely a business associate, and you need a BAA with them. Most established EHR vendors have standard BAAs as part of their contracts, but you should review them carefully rather than assuming they meet all requirements.
Medical billing companies and claims processors. Any entity that processes claims, handles billing, or manages revenue cycle operations involving PHI qualifies as a business associate.
Medical transcription services. Transcriptionists who convert dictated notes into written records are handling PHI and require a BAA.
Document destruction and shredding companies. If you hire a company to destroy paper records or electronic media containing PHI, they are a business associate. The act of destroying PHI is itself a function that requires a BAA.
Consultants and auditors. Compliance consultants, accounting firms conducting audits, legal counsel reviewing cases that involve PHI, and quality improvement consultants who access patient data all qualify.
Health information exchanges (HIEs). Organizations that facilitate the electronic sharing of health information between entities are business associates.
Answering services. If an after-hours answering service takes calls and collects patient information (symptoms, callback numbers, prescription requests), they are handling PHI and need a BAA.
Data analytics firms. Companies that analyze patient data for population health management, outcomes research, or operational improvement qualify when they receive PHI.
Pharmacy benefit managers. PBMs that manage prescription drug benefits and access member health information are business associates of the health plans they serve.
Who Does Not Count as a Business Associate?
Not every vendor relationship requires a BAA. The following are generally excluded:
- A vendor who only provides services that do not involve PHI (office supplies, janitorial services, general IT equipment sales without setup/configuration involving ePHI systems)
- A covered entity's own workforce members (employees, volunteers, trainees under the covered entity's direct control)
- A financial institution processing consumer payments by debit, credit, or other payment card, to the extent that the institution only processes the transaction and does not access PHI beyond the minimum necessary for payment
- A conduit, such as the U.S. Postal Service, a courier service, or an internet service provider, that merely transports PHI and has only transient, incidental access to it. The conduit exception is narrow: it does not cover a vendor that stores PHI, even briefly and even in encrypted form without holding the key, which is why OCR's 2016 cloud computing guidance treats cloud storage providers as business associates rather than conduits.
When in doubt about whether a vendor relationship triggers the business associate requirement, err on the side of caution and put a BAA in place.
What Must Be in a Business Associate Agreement?
The Privacy Rule at 45 CFR 164.504(e)(2) specifies required elements for BAAs. A compliant agreement must address each of the following:
Permitted and Required Uses and Disclosures of PHI
The BAA must establish what the business associate is allowed to do with PHI and what it is prohibited from doing. It must specify that the business associate will not use or disclose PHI other than as permitted or required by the agreement, or as required by law. The agreement should clearly describe the services the business associate provides and the scope of PHI access needed to perform those services.
Safeguard Requirements
The BAA must require the business associate to use appropriate safeguards to prevent the use or disclosure of PHI beyond what the agreement permits. After the Omnibus Rule, business associates are directly subject to the HIPAA Security Rule, so the BAA should reference compliance with the Security Rule's administrative, physical, and technical safeguards for any ePHI the business associate handles.
Breach Notification Obligations
The agreement must require the business associate to report any use or disclosure of PHI not permitted by the agreement. Under the Breach Notification Rule (45 CFR 164.410), business associates must notify covered entities of any breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. Your BAA should specify the notification timeline and the information that must be included in the report (identification of affected individuals, description of the breach, types of information involved, recommended mitigation steps).
Many covered entities negotiate tighter notification windows than the 60-day maximum. A 30-day or even 10-day notification requirement is common in BAAs, and this is an area worth paying attention to during contract negotiations.
Reporting of Security Incidents
The Security Rule (45 CFR 164.314(a)(2)(i)) requires the BAA to obligate the business associate to report any security incident of which it becomes aware, and HIPAA's definition of "security incident" covers attempted as well as successful access. Read literally, that means every failed login and port scan, and some organizations have found such reporting impractical (receiving thousands of "failed login attempt" reports). Common practice is to define the scope in the BAA itself: prompt individual reporting for successful incidents, and a standing notice or periodic summary for unsuccessful attempts, calibrated to your risk tolerance.
Subcontractor Requirements
If the business associate uses subcontractors who will access PHI, the BAA must require the business associate to enter into agreements with those subcontractors that impose the same restrictions and conditions that apply to the business associate. This provision, strengthened by the Omnibus Rule, creates a chain of accountability. Your EHR vendor's hosting provider, your billing company's software vendor, your shredding company's transportation subcontractor: all must be bound by BAA terms.
Access to PHI by the Covered Entity
The BAA must address the covered entity's right to access PHI maintained by the business associate. This matters because covered entities retain obligations to provide patients with access to their records under the Privacy Rule, even when those records are held by a business associate.
Amendment of PHI
The agreement must address the business associate's obligation to make PHI available for amendment and to incorporate any amendments when directed by the covered entity.
Accounting of Disclosures
The BAA must require the business associate to make available the information needed for the covered entity to fulfill its obligation to provide patients with an accounting of disclosures under 45 CFR 164.528.
Availability of Records to HHS
The agreement must require the business associate to make its internal practices, books, and records related to the use and disclosure of PHI available to HHS for purposes of determining compliance.
Termination Provisions
The BAA must authorize the covered entity to terminate the agreement if the covered entity determines that the business associate has violated a material term. It should also address the return or destruction of PHI upon termination of the agreement. If return or destruction is not feasible, the agreement should specify that the protections of the BAA extend to the PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
How BAA Requirements Evolved
The Original HIPAA Privacy Rule (2003)
When the Privacy Rule took effect in 2003, it required covered entities to have BAAs with their business associates. However, business associates themselves were not directly subject to HIPAA. The covered entity was responsible for obtaining "satisfactory assurances" through the BAA, but enforcement against the business associate was limited to contract law.
The HITECH Act (2009)
The Health Information Technology for Economic and Clinical Health Act fundamentally changed the landscape. HITECH made business associates directly liable for compliance with certain HIPAA provisions, including the Security Rule and the Breach Notification Rule. Business associates could now be investigated and penalized by OCR directly, not just sued by the covered entity for breach of contract.
The Omnibus Rule (2013)
The HIPAA Omnibus Final Rule, published January 25, 2013, and effective March 26, 2013, with a compliance date of September 23, 2013, implemented the HITECH Act's changes and further clarified business associate obligations. Key provisions included:
- Business associates became directly liable for compliance with the Security Rule
- Subcontractors of business associates were brought under the definition of business associates
- BAAs were required to include provisions regarding subcontractor compliance
- Business associates became directly subject to civil monetary penalties and criminal enforcement
The Omnibus Rule also established that a covered entity could be held liable for the acts of its business associate if the business associate was acting as the covered entity's agent. This raised the stakes for covered entities to be diligent about who they partner with and what their BAAs actually say.
Consequences of Not Having a BAA
Penalties for the Covered Entity
A covered entity that allows a business associate to access PHI without a BAA in place has committed a violation of the Privacy Rule. OCR enforcement actions have made this painfully clear. In 2016, North Memorial Health Care of Minnesota paid $1.55 million to settle allegations that it failed to have a BAA with a major contractor that had access to the ePHI of 289,904 individuals (Source: HHS OCR Resolution Agreement, March 2016). The contractor had been performing services and accessing ePHI for the organization before any BAA was executed.
In 2017, the Center for Children's Digestive Health paid $31,000 for failing to have a BAA with a business associate that stored ePHI (Source: HHS OCR Resolution Agreement, April 2017). While the penalty amount was modest, the enforcement action itself carries reputational costs and required a corrective action plan with OCR monitoring.
Penalties for the Business Associate
Since the Omnibus Rule, business associates face direct enforcement. In 2020, CHSPSC LLC, a business associate that provided IT and health information management services to hospital operator Community Health Systems, agreed to a $2.3 million settlement with OCR. The case involved a breach affecting over 6 million individuals, and OCR found failures in risk analysis and information system activity review (Source: HHS OCR Resolution Agreement, September 2020).
Both Parties Are Exposed
When a breach occurs and no BAA exists, both the covered entity and the business associate face enforcement risk. The covered entity failed to obtain satisfactory assurances. The business associate, now directly subject to HIPAA, failed to comply with the Security Rule and Breach Notification Rule. OCR can and does pursue both parties.
State Attorney General Actions
The HITECH Act also gave state attorneys general the authority to bring civil actions on behalf of state residents for HIPAA violations. Several states have exercised this authority, adding another layer of enforcement risk for organizations without proper BAAs.
Managing BAAs at Scale
For a small practice with a handful of vendors, BAA management can be handled with a folder and a spreadsheet. For larger organizations with dozens or hundreds of business associate relationships, it becomes a significant operational challenge.
Inventory All Business Associate Relationships
Start by building a complete inventory of every vendor, contractor, and service provider that has access to PHI. This often reveals surprises. Departments may have engaged vendors without involving compliance or legal. Shadow IT solutions may be in use. Former vendors whose contracts expired may still have access to PHI that was never retrieved or destroyed.
Standardize Your BAA Template
Work with legal counsel to develop a standard BAA template that meets all regulatory requirements and reflects your organization's risk tolerance. Having a standard template reduces negotiation time and ensures consistency. Be prepared to review and negotiate vendor-provided BAAs as well, since many larger vendors insist on using their own templates.
Track Execution, Expiration, and Renewal
Every BAA should be tracked with at least the following information:
- Business associate name and contact
- Date executed
- Expiration date (if applicable)
- Services provided
- Types of PHI accessed
- Subcontractor provisions
- Last review date
- Associated risk assessment findings
Review BAAs When Circumstances Change
A BAA should be reviewed and potentially updated when:
- The scope of services changes
- The business associate begins using subcontractors
- A breach occurs involving the business associate
- Regulatory requirements change
- The underlying service agreement is renewed or renegotiated
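The inventory, tracking fields, and review triggers above can be turned into a repeatable gap check. The following Python script is an added example, not code from the original page or from any compliance vendor; the vendor records, dates, field names and the annual review interval are constructed assumptions. It flags vendors that handle PHI but have no executed BAA, expired BAAs, missing subcontractor flow-down, notification windows looser than the 60-day outer limit in 45 CFR 164.410, overdue reviews, scope changes since the last review, and former vendors whose PHI return or destruction was never confirmed.

```python
# Added illustration: a BAA inventory gap check over the tracking fields listed above.
# Not the page's or any vendor's tool; every vendor record below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_NOTICE_DAYS = 60                    # outer limit for BA-to-CE breach notice, 45 CFR 164.410
REVIEW_INTERVAL = timedelta(days=365)   # assumed policy: every BAA reviewed at least annually
AS_OF = date(2024, 6, 1)                # constructed "today" so the run is reproducible


@dataclass
class VendorRecord:
    name: str
    services: str
    handles_phi: bool                    # creates, receives, maintains or transmits PHI for us
    phi_types: List[str]                 # e.g. ["clinical notes", "demographics"]
    baa_executed: Optional[date]         # None = no signed BAA on file
    baa_expires: Optional[date]          # None = coterminous with the service agreement
    uses_subcontractors: bool
    subcontractor_flowdown: bool         # BAA obliges the BA to bind its own subcontractors
    breach_notice_days: Optional[int]    # negotiated notification window; None = not specified
    last_review: Optional[date]
    scope_changed_on: Optional[date]     # last known change to services or PHI access
    contract_active: bool
    phi_disposition_confirmed: bool      # return/destruction of PHI documented after exit


def check_vendor(v: VendorRecord, today: date) -> List[str]:
    """Return finding codes for one vendor; an empty list means no gap found."""
    findings: List[str] = []
    if not v.handles_phi:
        return findings                  # no PHI involvement, so no BAA is required

    if not v.contract_active:
        # Former vendor: the open question is whether PHI was returned or destroyed.
        if not v.phi_disposition_confirmed:
            findings.append("PHI_DISPOSITION_UNCONFIRMED")
        return findings

    if v.baa_executed is None:
        findings.append("NO_BAA")        # clause checks are moot without an agreement
    else:
        if v.baa_expires is not None and v.baa_expires < today:
            findings.append("BAA_EXPIRED")
        if v.uses_subcontractors and not v.subcontractor_flowdown:
            findings.append("SUBCONTRACTOR_FLOWDOWN_MISSING")
        if v.breach_notice_days is None:
            findings.append("NOTICE_WINDOW_UNSPECIFIED")
        elif v.breach_notice_days > MAX_NOTICE_DAYS:
            findings.append("NOTICE_WINDOW_EXCEEDS_60_DAYS")

    if v.last_review is None or today - v.last_review > REVIEW_INTERVAL:
        findings.append("REVIEW_OVERDUE")
    elif v.scope_changed_on is not None and v.scope_changed_on > v.last_review:
        findings.append("REVIEW_NEEDED_SCOPE_CHANGED")

    return findings


# Constructed sample inventory; positional order follows the VendorRecord fields.
INVENTORY = [
    VendorRecord("Example EHR Vendor", "hosted EHR", True, ["clinical records", "demographics"],
                 date(2023, 1, 15), None, True, True, 30, date(2024, 2, 1), date(2023, 6, 1), True, False),
    VendorRecord("Example Answering Service", "after-hours calls", True, ["callback numbers", "symptoms"],
                 None, None, False, False, None, None, None, True, False),
    VendorRecord("Example Billing Company", "claims processing", True, ["claims", "insurance IDs"],
                 date(2021, 3, 1), date(2024, 3, 1), True, False, 90, date(2022, 12, 1), None, True, False),
    VendorRecord("Example Janitorial Service", "office cleaning", False, [],
                 None, None, False, False, None, None, None, True, False),
    VendorRecord("Former Transcription Vendor", "dictation transcription", True, ["clinical notes"],
                 date(2019, 5, 1), None, False, False, 60, date(2021, 5, 1), None, False, False),
    VendorRecord("Example Imaging Vendor", "PACS support", True, ["imaging studies"],
                 date(2023, 9, 1), None, False, False, 15, date(2023, 9, 1), date(2024, 3, 10), True, False),
]


def run_audit(inventory: List[VendorRecord] = INVENTORY, today: date = AS_OF) -> Dict[str, List[str]]:
    """Map vendor name -> findings, including only vendors with at least one finding."""
    report: Dict[str, List[str]] = {}
    for v in inventory:
        f = check_vendor(v, today)
        if f:
            report[v.name] = f
    return report


if __name__ == "__main__":
    for vendor, codes in run_audit().items():
        print(f"{vendor}: {', '.join(codes)}")
```

Vendors with no PHI involvement are skipped entirely, and a vendor with no BAA at all is reported as a single gap rather than a cascade of missing clauses; the review check still runs for it, since an unreviewed relationship with PHI access is a finding in its own right.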
Verify Compliance, Not Just Signatures
Having a signed BAA does not mean your business associate is actually complying with HIPAA. Organizations with mature compliance programs periodically verify that their business associates are maintaining appropriate safeguards. This can include requesting evidence of the business associate's own risk assessment, reviewing their security certifications (SOC 2, HITRUST), or conducting on-site assessments for high-risk relationships.
Key Takeaways
- A business associate agreement is a legally required contract under HIPAA (45 CFR 164.502(e) and 164.504(e)) before any third party can access PHI on behalf of a covered entity.
- The definition of "business associate" is broad and includes IT providers, cloud platforms, EHR vendors, billing companies, shredding services, consultants, and any vendor with access to PHI, even if they claim they never view the data.
- A compliant BAA must address permitted uses of PHI, safeguard requirements, breach notification obligations, subcontractor provisions, termination terms, and several other elements specified in the Privacy Rule.
- Both covered entities and business associates face direct enforcement from OCR. Covered entities have paid settlements from $31,000 to $1.55 million specifically for missing BAAs, and business associates are penalized directly for their own Security Rule failures (CHSPSC paid $2.3 million in 2020).
- Subcontractors of business associates are also considered business associates under the Omnibus Rule and must be bound by BAA terms, creating a chain of accountability.
- Having a signed BAA is necessary but not sufficient; organizations should periodically verify that business associates are actually maintaining appropriate safeguards.
Frequently Asked Questions
Does every vendor need a business associate agreement?
No, only vendors that create, receive, maintain, or transmit protected health information on behalf of a covered entity require a BAA. Vendors that provide services unrelated to PHI, such as office supply companies or janitorial services, do not need one. The determining factor is whether the vendor has access to PHI, not the nature of the service itself (Source: HHS OCR, 45 CFR 164.502(e)).
What happens if you operate without a business associate agreement?
Operating without a BAA when one is required is a direct violation of the HIPAA Privacy Rule. OCR has levied penalties ranging from $31,000 to $1.55 million specifically for missing BAAs. Both the covered entity and the business associate face enforcement risk, and OCR typically imposes corrective action plans with ongoing monitoring in addition to financial penalties (Source: HHS OCR Enforcement Actions).
Can you use a template for a business associate agreement?
Yes, using a standardized BAA template is both acceptable and recommended. HHS has published sample BAA provisions, and many legal counsel develop organization-specific templates that meet all requirements under 45 CFR 164.504(e). However, you should review vendor-provided BAAs carefully, as larger vendors often insist on their own templates that may not fully address your organization's risk tolerance or notification timeline preferences.
Do subcontractors of business associates need BAAs?
Yes. Under the 2013 Omnibus Rule, subcontractors that access PHI are themselves considered business associates and must be bound by BAA terms. The business associate is required to enter into agreements with its subcontractors that impose the same restrictions and conditions. This creates a chain of accountability extending from the covered entity through each level of the vendor relationship (Source: HHS OCR, 78 FR 5566, Omnibus Rule, 2013).
Can a BAA be part of a larger service contract or does it need to be separate?
Either approach is acceptable under HIPAA. A BAA can be a standalone document or incorporated as an addendum or exhibit to a master service agreement. The critical requirement is that all provisions specified under 45 CFR 164.504(e) are included and that both parties execute the agreement. Many organizations prefer standalone BAAs for easier tracking and independent updates.
Stop Chasing Down BAAs Manually
Managing business associate agreements across an entire organization does not have to mean digging through shared drives and hoping nothing slipped through the cracks. Live Compliance helps healthcare organizations track, manage, and monitor their BAA inventory alongside their broader compliance program, ensuring that every vendor relationship is documented, every agreement is current, and nothing falls off the radar. If your BAA management process still relies on spreadsheets and memory, there is a better way.