What Is a HIPAA Business Associate Agreement?

Practical guidance for healthcare teams and business associates

If your organization handles protected health information (PHI), every vendor that touches that data needs a signed business associate agreement (BAA) before they receive a single record. Not after. Not “when legal gets around to it.” Before.

What Is a HIPAA Business Associate Agreement?

A HIPAA business associate agreement is a written contract between a covered entity and a business associate. It establishes the permitted uses and disclosures of PHI, requires the business associate to safeguard it, and spells out what happens when something goes wrong. It is a standalone regulatory requirement, and skipping it is one of the fastest ways to draw a six-figure fine from the HHS Office for Civil Rights (OCR). According to HHS enforcement data, the majority of the largest healthcare data breaches in recent years have involved business associates, making BAAs one of the most scrutinized elements during OCR investigations.

Here is what a BAA must include, who needs one, and what happens when organizations get it wrong.

For context, OCR collected over .6 million in HIPAA settlements in 2025 alone, with BAA-related violations among the most common findings. The cost of not having a proper BAA in place regularly exceeds the cost of the agreement itself by orders of magnitude.


Who Qualifies as a Business Associate?

Under 45 CFR 160.103, a business associate is any person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains, or transmits PHI while performing a function, activity, or service on behalf of a covered entity (or another business associate).

Common examples: IT vendors and managed service providers, medical billing companies, cloud providers (AWS, Azure, Google Cloud), document shredding companies, attorneys, EHR vendors, and answering services.

If they see it, store it, transmit it, or could reasonably access it, they probably need a BAA. For a deeper breakdown, see our complete guide to business associate agreements.

What a BAA Must Contain

The required provisions are spelled out in 45 CFR 164.504(e). A compliant BAA must include, at minimum:

  1. Permitted and required uses/disclosures. Specify exactly what the business associate can do with PHI. Prohibit everything else.
  2. Safeguard obligations. Require appropriate safeguards, including Security Rule compliance for electronic PHI (ePHI).
  3. Incident and breach reporting. Require the business associate to report any use or disclosure not permitted by the contract, including breaches of unsecured PHI. Under 45 CFR 164.410 the business associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery.
  4. Subcontractor flow-down. Require that subcontractors with PHI access agree to the same restrictions.
  5. Support for individual rights. The business associate must support patient access requests (45 CFR 164.524), amendment requests (45 CFR 164.526), and accounting of disclosures (45 CFR 164.528).
  6. HHS access. Make internal practices and records available to the Secretary of HHS.
  7. Return or destruction of PHI at contract termination, if feasible. If neither is feasible, the agreement must extend its protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
  8. Termination provisions allowing the covered entity to end the agreement for material violations.

If your BAA is missing any of these, it does not meet the regulatory standard. We regularly find gaps during HIPAA consulting engagements, often in agreements organizations assumed were compliant for years.

Why a BAA Is Legally Required Before Sharing PHI

Under 45 CFR 164.502(e), a covered entity may not disclose PHI to a business associate unless the covered entity first obtains satisfactory assurances through a written BAA.

Sharing PHI without a signed BAA is itself a HIPAA violation, regardless of whether a breach occurs. OCR treats the absence of a BAA as a standalone violation during audits and investigations.

HIPAA Penalty Tiers for BAA Violations (2026)

HHS adjusts HIPAA civil monetary penalty amounts annually for inflation. These are the current tiers as of 2026:

Tier  Knowledge level                  Min per violation  Max per violation  Annual cap
1     Did not know                     $145               $73,011            $36,506
2     Reasonable cause                 $1,461             $73,011            $146,053
3     Willful neglect (corrected)      $14,602            $73,011            $365,052
4     Willful neglect (not corrected)  $73,011            $2,190,294         $2,190,294

The per-violation maximum is the same for Tiers 1 through 3 because the HITECH statute sets a single ceiling; the tier-specific annual caps come from HHS's 2019 Notice of Enforcement Discretion. Under 45 CFR 160.406, a continuing violation counts as a separate violation for each day it persists, so a missing BAA that goes unnoticed for months reaches the annual cap quickly.

Missing a BAA entirely typically falls under Tier 3 or Tier 4 because the requirement is well established. For a full breakdown of recent settlements, see 2026 HIPAA penalty amounts.

Real Enforcement: What Happens Without a BAA

Raleigh Orthopaedic Clinic in North Carolina handed over x-ray films containing PHI for approximately 17,300 patients to a third party that promised to convert the images to electronic media. The problem: no BAA was executed before the transfer. OCR settled the case for $750,000 plus a corrective action plan.

That was not a data breach. It was a paperwork failure that cost three quarters of a million dollars.

We have documented other common pitfalls in our post on business associate agreement mistakes you need to avoid.

A Signed BAA Does Not Transfer All Liability

A misconception we encounter frequently: “We have a signed BAA, so if the vendor causes a breach, it is their problem.” Wrong.

Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for their own HIPAA violations. But covered entities retain liability for oversight failures. If you knew (or should have known) a business associate was violating the BAA and failed to act, you share responsibility. A BAA is a risk management tool, not a liability shield.

This is why conducting a risk assessment that includes your business associates is critical.

Business Associates vs. Subcontractors

Under the 2013 Omnibus Rule, subcontractors who handle PHI on behalf of a business associate are themselves treated as business associates. The chain of BAAs must extend downstream. If your billing company uses a cloud provider to store claims data, that cloud provider needs a BAA with the billing company.

Verify that your business associates have subcontractor BAAs in place. If a subcontractor is compromised and no BAA exists, your organization is exposed. We cover incident response for these scenarios in our post on what to do when a vendor gets hacked.

When to Update Your BAAs

BAAs are not set-and-forget documents. You should review and update them when:

  • The scope of services changes
  • Regulations are updated (the HIPAA Security Rule changes proposed in HHS's January 2025 notice of proposed rulemaking will likely require BAA revisions if finalized)
  • A breach or security incident occurs involving the business associate
  • The contract is up for renewal
  • Subcontractors are added or removed

Our HIPAA training programs cover vendor management and BAA lifecycle management for the staff who handle these relationships day to day.

How BAA Requirements Evolved

Business associate agreements did not exist when HIPAA was first signed into law. The requirements developed over three major regulatory milestones:

  • HIPAA (1996) and the Privacy Rule (2000) — The statute itself said nothing about business associates. The Privacy Rule issued under it (published in 2000, with compliance required by 2003) introduced the concept and required covered entities to obtain satisfactory assurances before sharing PHI with third parties. Business associates themselves had no direct HIPAA liability; they were bound only by their contract with the covered entity.
  • HITECH Act (2009) — Made business associates directly liable for HIPAA Security Rule compliance, for the Privacy Rule provisions that apply to them, and for breach notification. Before HITECH, OCR could only penalize the covered entity when a business associate mishandled PHI. After HITECH, both parties face independent enforcement.
  • Omnibus Rule (2013) — Finalized the HITECH changes and extended the BAA chain to subcontractors. Any downstream entity handling PHI on behalf of a business associate must also have a BAA in place. The Omnibus Rule also applied the federal common law of agency: a covered entity is liable for the acts of a business associate that is its agent, and a breach discovered by an agent is treated as discovered by the covered entity for notification deadlines (45 CFR 160.402(c) and 164.404(a)(2)).

The practical result: every organization in the PHI supply chain now carries its own compliance obligations. A signed BAA does not shift responsibility — it documents shared responsibility.

Common BAA Exemptions

Not every vendor relationship requires a BAA. The following are generally not business associates:

  • Janitorial and maintenance companies that do not interact with PHI as part of their services.
  • Conduit entities such as the U.S. Postal Service, UPS, or internet service providers that merely transport information without accessing it. The conduit exception is narrow: it covers transient transmission with at most incidental access, not storage. A vendor that holds the data at rest, even briefly, is not a conduit.
  • Employees, volunteers, and trainees under the covered entity’s direct control. These individuals are part of the covered entity’s workforce, not business associates.
  • A patient’s personal representative acting on behalf of the patient.
  • A covered entity disclosing PHI for treatment purposes to another covered entity. Treatment disclosures between providers do not require a BAA.

The test is functional: does the person or organization perform a service on behalf of the covered entity that involves PHI? If the answer is no, a BAA is not required. When the answer is unclear, document your reasoning. OCR looks at the actual relationship, not what either party calls it.

BAAs and Cloud/SaaS Providers

Cloud platforms are among the most frequently misunderstood BAA relationships. If a cloud provider stores, processes, or transmits ePHI, it is a business associate and needs a BAA regardless of whether it ever views patient records. HHS's 2016 cloud computing guidance is explicit that this holds even when the data is encrypted and the provider does not hold the decryption key.

The major cloud platforms handle BAAs differently:

  • Amazon Web Services (AWS) — Offers a standard BAA through the AWS Artifact console. Customers accept it electronically. AWS designates specific HIPAA-eligible services, and PHI may only be processed on those services.
  • Microsoft Azure / Microsoft 365 — Provides a BAA as part of the Microsoft Product Terms (formerly the Online Services Terms). It covers Azure, Dynamics 365, and Microsoft 365 business-tier plans. Personal and free-tier accounts are not covered.
  • Google Cloud / Google Workspace — Offers a BAA through the admin console for Workspace business and enterprise plans. Google Cloud Platform customers request a BAA through their account settings. Free Gmail and personal Google accounts do not qualify.

Two common traps with cloud BAAs:

  1. Assuming the BAA covers everything. Cloud BAAs typically cover only designated HIPAA-eligible services. If your team uses a non-eligible service to store or process PHI, the BAA does not protect that usage.
  2. Shared responsibility confusion. A cloud BAA establishes the provider’s infrastructure obligations, but the customer remains responsible for access controls, encryption settings, audit logging, and workforce training. The BAA does not shift those duties to the cloud provider.

For a deeper look at cloud storage requirements, see our guide on cloud storage compliance for healthcare data.

How to Execute and Track BAAs

A signed BAA is only useful if it covers the current relationship and someone knows where to find it. In practice, BAA management breaks down because no one owns the process.

A repeatable approach:

  1. Inventory every vendor that creates, receives, maintains, or transmits PHI on your behalf. Include cloud platforms, SaaS tools, IT support providers, billing companies, and anyone with system access.
  2. Check each vendor for a signed, current BAA. If the agreement is missing or outdated, escalate immediately.
  3. Execute before sharing PHI. This is absolute. Do not share PHI with any vendor that has not signed a BAA, regardless of how established the relationship is.
  4. Store agreements centrally with the vendor name, execution date, renewal or review date, and a link to the signed document.
  5. Review at least annually. Align BAA reviews with contract renewal dates. When services change, update the agreement to match.

Assign one person to own this process. In small organizations, that is usually the privacy officer or practice manager. The title does not matter. What matters is that one person can answer the question: which vendors have current BAAs, and which do not?
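The inventory and review steps above, and the two cloud traps from the previous section, can be turned into a repeatable check rather than a spreadsheet someone remembers to open. The script below is an added example, not code from the original article or from any vendor: it encodes the rules this page describes (no PHI before an executed BAA, annual review, subcontractor flow-down, PHI only on services the provider's BAA covers) as checks over a vendor inventory. All vendor names, service names, dates, and the finding codes are constructed for illustration; the list of "eligible services" is an assumed input you would fill from your provider's own documentation, not a real provider's list.

```python
"""Vendor inventory check for BAA coverage.

Added example, not code from the original article. All vendor records
below are constructed sample data; the field names and finding codes
are this example's own conventions, not a regulatory taxonomy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vendor:
    name: str
    handles_phi: bool                          # creates, receives, maintains or transmits PHI for us
    baa_signed: Optional[date] = None          # execution date of the signed BAA; None = no BAA on file
    phi_shared_since: Optional[date] = None    # first date PHI went to this vendor, if it did
    last_review: Optional[date] = None         # last review of the agreement against current services
    subcontractors_with_phi: list[str] = field(default_factory=list)  # downstream parties that see our PHI
    subcontractor_baas: set[str] = field(default_factory=set)         # subcontractors the vendor attests it has BAAs with
    services_holding_phi: list[str] = field(default_factory=list)     # cloud services where our PHI actually lives
    eligible_services: Optional[set[str]] = None                      # services the vendor's BAA covers (None = whole contract)


def check_vendor(v: Vendor, today: date, review_interval: timedelta = timedelta(days=365)) -> list[str]:
    """Return finding codes for one vendor; an empty list means no gap found."""
    findings: list[str] = []
    if not v.handles_phi:
        return findings   # not a business associate; record the reasoning in the inventory, not here

    # 45 CFR 164.502(e): no PHI to a business associate without a written BAA first.
    if v.baa_signed is None:
        findings.append("NO_BAA")
    elif v.phi_shared_since is not None and v.phi_shared_since < v.baa_signed:
        findings.append("BAA_SIGNED_AFTER_PHI_SHARED")

    # Review at least annually; fall back to the execution date if never reviewed.
    review_basis = v.last_review or v.baa_signed
    if review_basis is not None and today - review_basis > review_interval:
        findings.append("REVIEW_OVERDUE")

    # 45 CFR 164.504(e): subcontractors with PHI access need the same restrictions flowed down.
    for sub in v.subcontractors_with_phi:
        if sub not in v.subcontractor_baas:
            findings.append(f"NO_SUBCONTRACTOR_BAA:{sub}")

    # Cloud trap: a provider BAA usually covers only designated services.
    if v.eligible_services is not None:
        for svc in v.services_holding_phi:
            if svc not in v.eligible_services:
                findings.append(f"PHI_ON_NON_ELIGIBLE_SERVICE:{svc}")
    return findings


def run_inventory(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Map each vendor with at least one finding to its findings."""
    report: dict[str, list[str]] = {}
    for v in vendors:
        findings = check_vendor(v, today)
        if findings:
            report[v.name] = findings
    return report


# Constructed sample inventory (hypothetical vendor and service names).
TODAY = date(2026, 3, 1)
SAMPLE_VENDORS = [
    Vendor("ShredCo", handles_phi=True, baa_signed=date(2025, 6, 1),
           phi_shared_since=date(2025, 6, 15), last_review=date(2025, 6, 1)),
    Vendor("FilmDigitize LLC", handles_phi=True, baa_signed=None,
           phi_shared_since=date(2026, 1, 10)),
    Vendor("ClaimsBill Inc", handles_phi=True, baa_signed=date(2024, 1, 15),
           phi_shared_since=date(2023, 11, 1), last_review=date(2024, 1, 15),
           subcontractors_with_phi=["CloudStore"], subcontractor_baas=set()),
    Vendor("ExampleCloud", handles_phi=True, baa_signed=date(2025, 9, 1),
           phi_shared_since=date(2025, 9, 2), last_review=date(2025, 9, 1),
           services_holding_phi=["object-storage", "analytics-preview"],
           eligible_services={"object-storage", "managed-database"}),
    Vendor("NightClean Janitorial", handles_phi=False),
]

if __name__ == "__main__":
    for name, findings in run_inventory(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against the constructed inventory, the check flags the film-conversion vendor with no BAA (the Raleigh Orthopaedic pattern), the billing company whose BAA was signed after PHI had already been flowing and whose subcontractor has no flow-down agreement, and the cloud tenant with PHI on a service its BAA does not cover. The janitorial vendor produces nothing because it never touches PHI; the reason it is out of scope belongs in the inventory record so an auditor can see it.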

Get Your BAAs Right

If you are not sure whether your BAAs cover every vendor relationship, or if your existing agreements contain the required provisions under 45 CFR 164.504(e), it is time for a review. We help medical practices and healthcare organizations audit their vendor relationships, identify gaps, and build compliant agreements that actually protect the organization.

Contact us for a BAA and vendor compliance review.

Key point: Under 45 CFR 164.504(e)(1)(ii), a covered entity that knows of a pattern of activity or practice of a business associate that constitutes a material breach of the contract must take reasonable steps to cure the breach or end the violation. If those steps are unsuccessful, the covered entity must terminate the contract if feasible. Failure to act on known BAA violations is itself a violation, and OCR has enforced this provision in multiple settlements.
