Category: Compliance & Regulatory
Risk Level: High Risk

Business Associate Agreement (BAA)

Satisfy HIPAA's mandatory BAA requirement for every vendor handling protected health information — what must be in it, who needs one, and the penalties for missing it

Complexity: Medium
Avg Length: 8-15 pages
Read Time: 13 min

Overview

A Business Associate Agreement is not optional. Under HIPAA, any covered entity — hospitals, physician practices, health plans, healthcare clearinghouses — that shares protected health information (PHI) with a vendor or contractor who will use or disclose that PHI on the covered entity's behalf must have a signed BAA in place. The BAA is not a best practice or a risk management recommendation. It is a legal requirement. Operating without a BAA when one is required is a HIPAA violation, independently of whether any breach or misuse occurs.

The definition of who qualifies as a "business associate" is broader than most healthcare organizations initially expect. The obvious cases are clear: the billing company that processes claims, the IT vendor with access to the EHR, the cloud storage provider hosting patient records. But the definition extends to: legal counsel reviewing patient-related contracts, accountants auditing healthcare revenue, quality improvement organizations, e-prescribing services, medical transcription services, and any third-party administrator working with a health plan. Many organizations discover they are missing required BAAs only after a breach investigation reveals an uncontracted vendor relationship.

The HITECH Act of 2009 significantly expanded HIPAA's reach by making business associates directly liable under HIPAA — not just contractually liable to the covered entity. A business associate that violates HIPAA can be fined directly by HHS, independent of any action against the covered entity. This direct liability has transformed the BAA from a pass-through contractual obligation into a primary compliance document for any vendor in the healthcare data supply chain.

Subcontractors add a layer of complexity. If your business associate engages a subcontractor who will also use or disclose PHI on the business associate's behalf, that subcontractor must also sign a BAA with the business associate. The BAA obligation flows down the entire vendor chain. A hospital can't simply sign a BAA with its EHR vendor and consider the obligation discharged — if that EHR vendor uses a cloud hosting provider to store PHI, a BAA must exist between the EHR vendor and the cloud provider.

Key Clauses to Review

Permitted Uses and Disclosures of PHI

Specifies the purposes for which the business associate may use or disclose PHI received from the covered entity. The business associate may use PHI only to perform the services described in the underlying service agreement and for "proper management and administration" of the business associate's own operations. Disclosures to third parties require either covered entity authorization or a legal requirement. The BAA must explicitly prohibit the business associate from using PHI for any purpose not authorized — including for the business associate's own marketing, product improvement, or commercial purposes.

⚠️ Red Flags

Missing specific enumeration of permitted uses — a general "to perform services" description is insufficient. Business associate permission to use PHI for its own product improvement, training, or analytics without explicit covered entity consent. No prohibition on selling or commercializing PHI in any form. Permitted disclosures that are broader than what HIPAA actually allows. Provisions allowing the business associate to de-identify PHI and use the de-identified data without restriction — de-identification standards must be met and the process should be specified.

Safeguards and Security Requirements

Requires the business associate to implement appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized use or disclosure. The HIPAA Security Rule sets minimum standards for electronic PHI (ePHI): risk analysis, access controls, audit controls, encryption in transit and at rest, workforce training, and incident response. The BAA should require compliance with all Security Rule requirements and may specify additional measures appropriate to the sensitivity of the PHI being handled. Consider requiring security certifications (SOC 2 Type II, HITRUST) as evidence of compliance.

⚠️ Red Flags

Generic "reasonable safeguards" language without reference to HIPAA Security Rule requirements. No specification of encryption requirements for ePHI at rest and in transit. Missing requirement to conduct and document annual risk analyses. No right for covered entity to audit or assess business associate security practices. Provisions allowing business associate to self-certify Security Rule compliance without any independent verification mechanism.

Breach Notification Requirements

Mandates that the business associate notify the covered entity of any breach of unsecured PHI without unreasonable delay and in no case later than 60 days after discovery. In practice, BAAs should specify a shorter timeline — 5-10 business days — to give the covered entity adequate time to assess and comply with its own 60-day notification obligation to HHS and affected individuals. Notification must include: the nature of the breach, the PHI involved, the individuals affected, steps taken to investigate and mitigate, and steps taken to prevent recurrence.

⚠️ Red Flags

Notification timeline of 60 days (the maximum) — this gives the covered entity zero buffer before its own reporting deadline. No specification of the content required in breach notifications. Missing obligation to cooperate with the covered entity's breach investigation. Provisions limiting the business associate's notification obligation to "material" breaches — HIPAA requires notification of all unauthorized PHI uses and disclosures, not just material ones. No definition of what constitutes "discovery" of a breach for notification timeline purposes.

Individual Rights Assistance

Requires the business associate to assist the covered entity in fulfilling individuals' HIPAA rights: the right of access (to inspect and copy PHI), the right to amendment (to request corrections to PHI), and the right to an accounting of disclosures (a list of non-routine disclosures). When a patient exercises these rights against the covered entity, the covered entity may need the business associate's cooperation to fulfill the request — particularly for amendment and accounting of disclosures made by the business associate. The BAA must specify the business associate's obligations and timeline for providing this assistance.

⚠️ Red Flags

No provision for assisting with individual rights requests. Timelines for business associate assistance longer than the covered entity's regulatory deadline to respond to patients. Business associate right to respond directly to patient requests without covered entity involvement. Missing obligation to notify covered entity when the business associate receives a direct patient rights request. No mechanism for the covered entity to pass through patient requests to the business associate efficiently.

Subcontractor Requirements

Requires the business associate to enter into BAAs with any subcontractors who will use or disclose PHI on the business associate's behalf. The subcontractor BAA must impose obligations on the subcontractor at least as protective as those imposed on the business associate by the covered entity's BAA. The business associate remains liable to the covered entity for the acts and omissions of its subcontractors. The BAA should require the business associate to maintain a list of subcontractors handling PHI and notify the covered entity before engaging new subcontractors who will access PHI.

⚠️ Red Flags

No subcontractor provision at all. Business associate allowed to engage subcontractors with PHI access without entering into BAAs. No notice requirement before engaging new PHI-accessing subcontractors. Missing flow-down obligation ensuring subcontractor BAAs are at least as protective. Business associate not liable for subcontractor breaches — the covered entity needs this protection and HIPAA supports it.

Termination and Return or Destruction of PHI

Specifies what happens to PHI when the BAA terminates — either with the underlying service agreement or independently for cause. Upon termination, the business associate must return or destroy all PHI received from the covered entity, including copies maintained by subcontractors. If return or destruction is not feasible (e.g., PHI is embedded in backup systems), the BAA must specify the protections that will remain in place for retained PHI. The covered entity should have the right to terminate the BAA immediately if the business associate materially breaches its HIPAA obligations.

⚠️ Red Flags

No return or destruction obligation upon termination. Missing "infeasibility" carve-out with corresponding ongoing protection requirements for retained PHI. No right for covered entity to terminate the BAA for cause (business associate HIPAA breach). Ambiguous treatment of subcontractor-held PHI upon termination. Return timeline that is unreasonably long given the nature of the data and the termination circumstances.

Risk Assessment

HIPAA enforcement has accelerated significantly in recent years, with HHS Office for Civil Rights (OCR) actively investigating both covered entities and business associates. Penalties are tiered based on culpability: from $100-$50,000 per violation (lack of knowledge) to $50,000+ per violation (willful neglect not corrected). Annual caps per violation category range up to $1.9M. Critically, "per violation" can mean per affected patient record in a breach scenario — a breach affecting 100,000 records could be counted as 100,000 separate violations even at the lowest tier.

The missing BAA is the most common and most avoidable HIPAA finding. OCR breach investigations routinely discover that covered entities were sharing PHI with vendors without executed BAAs. The covered entity pays the penalty even though the business associate caused the breach — because the covered entity failed its obligation to obtain the BAA before sharing PHI. BAA audits should be conducted annually: identify every vendor with PHI access, verify a BAA is in place, and verify the BAA contains the required elements.

Business associate direct liability has transformed the risk profile for healthcare technology vendors. A SaaS company providing services to hospitals is a business associate subject to direct HIPAA enforcement. A 2023 OCR settlement with a healthcare data analytics company for $3.9M for security failures — independent of any covered entity action — illustrates that business associates face real regulatory risk regardless of their contractual relationships. Healthcare technology companies must treat their own HIPAA compliance as a first-order obligation, not just a contractual one.

State health privacy laws add complexity. Many states have health privacy laws that are more stringent than HIPAA — California's CMIA, New York's SHIELD Act, and Texas' THIPA each impose additional obligations. BAAs that satisfy HIPAA alone may not satisfy applicable state law requirements. Companies operating nationally in healthcare should audit their BAA templates against the most stringent state laws in markets where they operate.

Best Practices

Conduct a comprehensive vendor inventory to identify every business associate relationship. Map every vendor with access to PHI: EHR vendors, billing services, IT support, cloud hosting, transcription, legal, accounting, HR benefits administrators, and any others. For each, verify: (1) a signed BAA exists, (2) the BAA contains all required elements, and (3) the BAA reflects the current scope of PHI sharing. This inventory should be maintained as a living document reviewed annually and updated when new vendors are engaged.

Use a BAA template that covers all required elements, not a custom one-page agreement. The HHS website publishes sample BAA language that covers the required provisions. Use this as a minimum baseline. For high-risk vendors (those with access to large volumes of PHI or sensitive categories), consider enhanced provisions: shorter breach notification timelines, specific security certifications, audit rights, and incident response cooperation obligations.

Make BAA execution a precondition for vendor onboarding, not an afterthought. Establish a procurement policy requiring a signed BAA before any vendor is given access to systems containing PHI. Integrate BAA tracking into your vendor management system. Designate a HIPAA Privacy Officer responsible for BAA portfolio management. Don't let the "we'll send the BAA next week" situation persist — the BAA must be executed before PHI is shared.

Review and update BAAs when underlying service agreements change. A BAA executed five years ago may not reflect the current scope of PHI sharing, the current regulatory environment, or the current security standards. Significant changes to a vendor relationship — new services, new data types, new subcontractors — should trigger a BAA review. At minimum, review all BAAs every two to three years.

Frequently Asked Questions

Who needs a Business Associate Agreement?

Any covered entity (hospital, physician practice, health plan, or healthcare clearinghouse) needs a BAA with every vendor or contractor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. Common business associates: EHR vendors, billing companies, IT support providers, cloud hosting providers storing PHI, transcription services, quality improvement organizations, legal counsel reviewing PHI-containing records, and benefits administrators. If you're unsure whether a vendor qualifies, the safer assumption is that a BAA is required.

What happens if I don't have a BAA in place?

Operating without a required BAA is a HIPAA violation, independently of whether any breach occurs. If a breach does occur and OCR investigates, a missing BAA is a significant aggravating factor that can escalate penalties from the "lack of knowledge" tier to "willful neglect." Recent OCR enforcement actions have included penalties specifically for missing BAAs. The covered entity bears primary liability for not obtaining the BAA; however, since HITECH made business associates directly liable, the business associate may also face independent enforcement.

Can a vendor refuse to sign a BAA?

A vendor can refuse, but a covered entity cannot legally share PHI with a vendor who refuses to sign a BAA. If a vendor refuses, the covered entity must either find a compliant alternative or restructure the service to eliminate PHI sharing. In practice, most enterprise software vendors serving healthcare clients have standard BAAs available. For vendors unfamiliar with HIPAA (common when healthcare companies use general-purpose SaaS tools), providing a template and explaining the requirement usually resolves the issue. A vendor's flat refusal to sign any BAA is a red flag about their overall compliance posture.

Does a BAA make a vendor HIPAA compliant?

No. A BAA is a contractual obligation — it requires the vendor to comply with HIPAA, but it doesn't verify that they actually do. The covered entity remains responsible for the PHI it shares and must conduct due diligence on business associates' security practices. Requesting evidence of HIPAA compliance (SOC 2 Type II reports, HITRUST certification, or independent security assessments) provides meaningful assurance that the contractual obligations are backed by actual security controls. A BAA from a non-compliant vendor is a piece of paper, not protection.

How often should I update my BAAs?

Review BAAs when: (1) the underlying service agreement changes materially, (2) the scope of PHI sharing changes, (3) the vendor adds subcontractors with PHI access, (4) there is a significant regulatory change, or (5) as part of an annual compliance review. HITECH required updates to existing BAAs when it came into effect; subsequent regulatory guidance has required additional provisions. A BAA from 2010 that hasn't been updated likely doesn't reflect current requirements. Establish a BAA renewal cycle — at minimum every three years — regardless of whether specific changes have occurred.

Key Parties: Covered Entity; Business Associate

Watch For: Permitted Uses of PHI; Security Safeguards; Breach Notification Timeline