What is HIPAA BAA? (Business Associate Agreement)

Every time a hospital uses a cloud provider, hires a billing company, contracts a software vendor, or engages a consulting firm that touches patient data — a BAA is required before a single record changes hands. It’s the legal contract that extends HIPAA’s privacy and security obligations to every third party in the healthcare data chain. Without it, sharing PHI with that vendor is a HIPAA violation — regardless of how secure their systems are.

Definition of HIPAA BAA

HIPAA BAA, which stands for Business Associate Agreement, is a legally required contract between a HIPAA-covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and a business associate — any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on behalf of the covered entity.

The BAA establishes the permitted uses and disclosures of PHI by the business associate, requires the business associate to implement appropriate safeguards, and defines breach notification responsibilities. It is not optional — HIPAA mandates that covered entities execute a BAA with every business associate before sharing PHI.

The concept was established by the HIPAA Privacy Rule (compliance required from 2003) and significantly strengthened by the HITECH Act (2009) and the HIPAA Omnibus Rule (2013). Under the Omnibus Rule, business associates are directly liable for HIPAA compliance, not just contractually obligated through the BAA. Business associates can be independently investigated, fined, and penalized by HHS for HIPAA violations.

The BAA requirement extends through the entire chain: if a business associate engages a subcontractor that also handles PHI, the business associate must execute a BAA with that subcontractor. This creates a contractual chain of custody for PHI from the covered entity through every downstream handler.

In simple terms: A BAA is the contract that says “you’re handling our patient data, so HIPAA applies to you too” — required for every vendor, contractor, and cloud provider that touches PHI.

How HIPAA BAA Works in Healthcare

BAAs govern the relationship between covered entities and the extensive network of vendors and partners that handle PHI in modern healthcare.

Who is a business associate? Any entity that performs a function or activity involving the use or disclosure of PHI on behalf of a covered entity. Common business associates include:

  • Cloud infrastructure providers (AWS, Azure, GCP) hosting EHR systems or clinical data
  • Software vendors providing EHR, billing, RPM, telehealth, or mHealth platforms
  • Medical billing and coding companies processing claims
  • Clearinghouses routing EDI transactions
  • Health information exchanges facilitating data sharing
  • IT consultants and managed service providers with system access
  • Data analytics firms processing clinical or claims data
  • Document storage and shredding companies
  • Attorneys and accountants who receive PHI in the course of providing services

Who is NOT a business associate? Members of a covered entity’s workforce (employees, volunteers, trainees), other covered entities receiving PHI for treatment purposes, and entities that act as mere conduits for PHI (like the postal service or internet service providers). The conduit exception is narrow: it covers only services that transport PHI and have, at most, transient and random access to it. A vendor that stores PHI, even encrypted PHI it holds no key for, is a business associate, not a conduit.

What the BAA must include. HIPAA specifies required provisions:

  • The permitted and required uses of PHI by the business associate
  • A prohibition on uses or disclosures beyond what the contract or law permits
  • A requirement to implement appropriate safeguards (administrative, physical, and technical) to prevent unauthorized use or disclosure
  • A requirement to report security incidents and breaches to the covered entity
  • A requirement to ensure subcontractors agree to the same restrictions
  • A requirement to make PHI available to the covered entity for patient access requests
  • A requirement to make internal practices available to HHS for compliance audits
  • A requirement to return or destroy PHI at contract termination

BAA execution timing. The BAA must be executed before PHI is shared — not after. A covered entity that shares PHI with a vendor and then “plans to get a BAA signed” has already violated HIPAA. In practice, BAA execution is part of the vendor onboarding process, alongside security assessments and procurement review.

Key HIPAA BAA Standards and Specifications

HIPAA Privacy Rule (45 CFR §164.502 and §164.504)

The Privacy Rule establishes the requirement for BAAs and defines the provisions that must be included. It specifies that a covered entity may not disclose PHI to a business associate and may not allow a business associate to create, receive, maintain, or transmit PHI unless the covered entity obtains satisfactory assurances through a written BAA.

HIPAA Security Rule (45 CFR §164.314)

Since the Omnibus Rule, the Security Rule applies to business associates directly (45 CFR §164.302): the same administrative, physical, and technical safeguard standards as covered entities, including access controls, audit controls, risk analysis, and contingency planning. Encryption is an addressable specification, which means it must be implemented or a documented equivalent alternative put in place, not that it is optional. §164.314 sets the organizational requirements, including what the BAA must say about Security Rule compliance. The BAA is the contractual mechanism that obligates the business associate to meet these requirements and to flow them down to its subcontractors.

HIPAA Breach Notification Rule (45 CFR §164.410)

Business associates must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to the business associate, or would have been known had reasonable diligence been exercised, so weak detection does not buy time. The 60 days is an outer limit; BAAs commonly set a much shorter contractual window so the covered entity can meet its own notification deadlines. The BAA must specify the breach notification procedures: how the business associate notifies the covered entity, what information is included in the notification, and what cooperation the business associate provides during breach response.

HITECH Act and Direct Liability

The HITECH Act made business associates directly subject to HIPAA enforcement, meaning HHS can investigate and impose civil monetary penalties on business associates independently of the covered entity. Penalties are tiered by culpability; the HITECH statutory amounts range from $100 to $50,000 per violation, with an annual cap of $1.5 million per violation category, and these figures are adjusted for inflation each year, so current caps are higher. Knowing violations can also carry criminal penalties.

State Law Considerations

Some states impose additional requirements on business associate relationships — stricter breach notification timelines, expanded definitions of protected information, or additional contractual provisions. Organizations operating in multiple states should ensure BAAs address the most restrictive applicable requirements.

Implementation Considerations

BAA management is an ongoing operational responsibility — not a one-time procurement step.

Inventory all business associate relationships. Most healthcare organizations underestimate how many business associates they have. Beyond the obvious ones (EHR vendor, cloud provider, billing company), consider: transcription services, answering services, IT support contractors, document scanning vendors, email hosting providers, video conferencing platforms used for telehealth, background check services that receive employee health data, and benefits administrators. Conduct a comprehensive inventory and verify BAA status for each.

Cloud provider BAAs require careful review. AWS, Azure, and GCP all offer BAAs — but the BAA only covers services designated as HIPAA-eligible. Not every service within the cloud platform is covered. Your architecture must use only BAA-covered services, and the BAA should be executed before deploying any workload that handles PHI. Review the cloud provider’s shared responsibility model to understand where their obligations end and yours begin.
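The "use only BAA-covered services" rule is easiest to hold if the pipeline enforces it rather than a reviewer. The following is an added example, not code from this page or from any cloud provider: a deny-by-default Python check over the JSON that `terraform show -json` emits, flagging any planned AWS, Azure or GCP resource whose type is not on an allow-list. The allow-list (`EXAMPLE_ALLOWED_PREFIXES`) and the sample plan (`SAMPLE_PLAN`) are constructed placeholders for illustration; the real list must be populated from the provider's published HIPAA-eligible services page and the services your executed BAA actually names, and nothing here asserts which services are or are not eligible.

```python
"""Deny-by-default check: every cloud resource in a Terraform plan must be on the BAA allow-list.

Added example (not part of the original page or any vendor's tooling).
Input: the JSON produced by `terraform show -json tfplan`.
Usage: python baa_service_check.py plan.json   (no argument runs the embedded sample)
"""
import json
import sys
from typing import Dict, Iterator, List, Sequence

# Resource-type prefixes of the cloud providers whose resources must be covered.
# Types not starting with one of these (random_, null_, local_, ...) are treated
# as not cloud-hosted and skipped.
CLOUD_PREFIXES = ("aws_", "azurerm_", "google_")

# PLACEHOLDER allow-list keyed by Terraform resource-type prefix. Populate it from
# your provider's HIPAA-eligible services list and your executed BAA. Presence here
# is a statement about YOUR BAA, not about the provider's eligibility.
EXAMPLE_ALLOWED_PREFIXES = (
    "aws_s3_",
    "aws_kms_",
    "aws_db_",        # RDS instances, subnet groups
    "aws_iam_",
    "aws_cloudtrail",
    "aws_vpc",
    "aws_subnet",
)

# Constructed sample mimicking `terraform show -json` output (abridged).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.phi", "mode": "managed",
                 "type": "aws_s3_bucket", "name": "phi"},
                {"address": "aws_kms_key.phi", "mode": "managed",
                 "type": "aws_kms_key", "name": "phi"},
                {"address": "aws_lambda_function.ingest", "mode": "managed",
                 "type": "aws_lambda_function", "name": "ingest"},
                {"address": "random_password.db", "mode": "managed",
                 "type": "random_password", "name": "db"},
            ],
            "child_modules": [
                {
                    "address": "module.notify",
                    "resources": [
                        {"address": "module.notify.aws_sns_topic.alerts",
                         "mode": "managed", "type": "aws_sns_topic", "name": "alerts"},
                    ],
                }
            ],
        }
    },
}


def iter_resources(module: Dict) -> Iterator[Dict]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_uncovered(plan: Dict, allowed_prefixes: Sequence[str],
                   cloud_prefixes: Sequence[str] = CLOUD_PREFIXES) -> List[Dict[str, str]]:
    """Return cloud resources whose type matches no allow-listed prefix.

    Deny by default: a type is accepted only if it starts with one of
    allowed_prefixes. Resources from non-cloud providers are ignored.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    findings: List[Dict[str, str]] = []
    for res in iter_resources(root):
        rtype = res.get("type", "")
        if not rtype.startswith(tuple(cloud_prefixes)):
            continue
        if rtype.startswith(tuple(allowed_prefixes)):
            continue
        findings.append({
            "address": res.get("address", f"{rtype}.{res.get('name', '?')}"),
            "type": rtype,
            "mode": res.get("mode", "managed"),
        })
    return findings


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_uncovered(plan, EXAMPLE_ALLOWED_PREFIXES)
    for f in findings:
        print(f"NOT COVERED  {f['address']}  ({f['type']}, {f['mode']})")
    print(f"{len(findings)} resource(s) outside the BAA allow-list")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step on the plan and fail the build on a non-zero exit. The value of deny-by-default is that a new service introduced into the architecture blocks the deployment until someone confirms it is covered by the BAA, instead of shipping silently and being discovered at audit time.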

BAAs don’t replace security due diligence. A signed BAA does not mean the business associate is actually secure. The covered entity should conduct or request evidence of the business associate’s security posture — SOC 2 reports, HITRUST certification, penetration test results, risk assessment documentation, and security questionnaire responses. The BAA creates legal obligation; security assessment verifies actual capability.

Subcontractor BAA chains. If your business associate uses subcontractors that handle PHI (a software vendor hosting on AWS, a billing company using a clearinghouse), the business associate must have BAAs with those subcontractors. Ask your business associates about their subcontractor BAA compliance — your risk extends through the entire chain.

BAA lifecycle management. BAAs should be reviewed and updated when contracts renew, when the scope of PHI handling changes, when HIPAA regulations are updated, or when the business associate’s subcontractor relationships change. Expired or outdated BAAs create compliance gaps. Build BAA tracking into your contract management system.

Breach response coordination. When a business associate experiences a breach, coordinated response between the covered entity and business associate is critical — incident investigation, breach scope determination, individual notification, HHS reporting, and media notification (for large breaches). The BAA should define clear communication channels, response timelines, and cooperation requirements. Don’t wait for a breach to test your incident response coordination.

How Taction Helps with HIPAA BAA

At Taction, we operate as a HIPAA-compliant business associate for every healthcare client we serve — and we help organizations build the technical infrastructure and operational processes that BAA compliance requires.

What we do:

  • HIPAA-compliant software development — Every healthcare system we build is designed with BAA-level security controls — encryption, access management, audit logging, and breach detection — so your organization can confidently execute a BAA covering the software we develop.
  • Cloud architecture with BAA coverage — We design and deploy healthcare cloud infrastructure using only BAA-covered services from AWS, Azure, and GCP — ensuring your cloud architecture meets HIPAA requirements from the infrastructure layer up.
  • Security assessment support — We help organizations conduct vendor security assessments, evaluate SOC 2 and HITRUST documentation, and verify that business associate security posture matches BAA obligations.
  • Compliance program development — We help healthcare organizations build HIPAA compliance programs that include BAA inventory management, vendor risk assessment processes, breach response coordination procedures, and ongoing compliance monitoring.
  • Breach readiness — We build technical incident detection and response capabilities — security monitoring, automated alerting, forensic logging — that support the breach notification obligations defined in your BAAs.

Related Terms and Resources

Explore related glossary terms:

  • What is PHI? — The protected health information that BAAs are designed to safeguard
  • What is SOC 2? — Independent attestation report (not a certification) that validates a business associate’s control environment
  • What is HITRUST? — Healthcare security framework commonly used by business associates
  • What is Information Blocking? — Cures Act rules that interact with BAA data sharing obligations
  • What is Consent Management? — Patient consent policies that govern how business associates use PHI
