# Business associate agreement: a HIPAA guide

Source: https://contracko.com/blog/business-associate-agreement-guide

[Blog](https://contracko.com/blog)

[Business associate agreement: a HIPAA guide](https://contracko.com/blog/business-associate-agreement-guide)

# Business associate agreement: a HIPAA guide

Lou Van Reemst Jun 27, 2026

Copy for LLM

Organizations that touch protected health information (PHI) usually need a business associate agreement, sometimes several. The BAA is the contract that makes a healthcare data relationship lawful under HIPAA, and a missing one is among the most common and most expensive compliance gaps regulators find.

This guide covers what a BAA is in plain language, who needs one, what HIPAA requires inside the document, the clauses worth fighting over, and a checklist to run before signing.

> This article is general information, not legal advice. Consult qualified counsel about your specific situation.

## What is a business associate agreement?

A business associate agreement (BAA), sometimes called a business associate contract, is a written contract between a HIPAA covered entity (or another business associate) and a vendor that will create, receive, maintain, or transmit protected health information on its behalf.

It functions as the legal bridge between two parties:

- The covered entity is the healthcare provider, health plan, or healthcare clearinghouse that holds the underlying relationship with patients and their data.
- The business associate is the outside vendor doing work that involves PHI: hosting it, processing it, analyzing it, billing against it, or otherwise handling it.

HIPAA lets a covered entity share PHI with a vendor only if that vendor contractually agrees to protect the data and use it only for permitted purposes. The BAA is where those promises live. It transfers a defined set of HIPAA obligations onto the vendor and gives the covered entity a contractual remedy if the vendor mishandles the data.

Without a BAA, there is no lawful sharing of PHI with that vendor. This contract sits alongside the rest of a healthcare team's paperwork, which is why many teams centralize it inside [healthcare contract management software](https://contracko.com/blog/healthcare-contract-management-software) rather than tracking it in spreadsheets.

## Who needs a BAA?

The simplest way to answer this is to identify which role each party plays.

### Covered entities

A covered entity is one of three things under HIPAA:

- A healthcare provider that transmits health information electronically in connection with covered transactions (most clinics, hospitals, dentists, therapists, labs).
- A health plan (insurers, HMOs, employer group health plans, government programs).
- A healthcare clearinghouse (entities that process health data between formats).

Covered entities must put a BAA in place with every business associate before any PHI changes hands.

### Business associates

A business associate is any person or organization, other than a member of the covered entity's workforce, that performs functions or services involving PHI on the covered entity's behalf. Common examples:

- Cloud hosting and storage providers that store PHI (for example a HIPAA-eligible cloud platform).
- Medical billing and coding companies and revenue-cycle vendors.
- Medical transcription services.
- Analytics and reporting vendors that process PHI to produce insights.
- E-signature platforms used to sign documents containing PHI.
- Contract management and contract review software that ingests agreements or records containing PHI.
- IT support, EHR vendors, practice-management software, shredding companies, and accountants or lawyers who handle PHI.

Physician practices and group employers face the same obligation with their own vendors, which is covered in more detail in our guide to [physician contract management software](https://contracko.com/blog/physician-contract-management-software).

### Subcontractors

A business associate that hands PHI to its own downstream vendor must sign a BAA with that subcontractor. The subcontractor is itself a business associate under HIPAA, and the chain of obligations must flow all the way down. A cloud analytics vendor that uses a separate data-warehouse provider, for instance, needs a BAA with that warehouse provider. This flow-down mirrors how GDPR handles processors, which we cover in [subprocessor management under GDPR](https://contracko.com/blog/subprocessor-management-under-gdpr).

### The conduit exception

Not every vendor that comes near PHI needs a BAA. The conduit exception covers organizations that merely transport data without routinely accessing it, such as the postal service, couriers, or an internet service provider acting purely as a transmission pipe. The test is transient transmission versus persistent access or storage. A courier delivering sealed records is a conduit. A cloud provider that stores those records is a business associate, even if it never reads them, because it maintains the data.

When in doubt, assume you need a BAA. The exception is narrow.

## What HIPAA requires in a BAA

The HIPAA Privacy Rule at 45 CFR §164.504(e) sets out the provisions a compliant BAA must contain. The Security Rule and the HITECH Act add obligations for electronic PHI (ePHI) and breach notification. Here is what each required element means in practice.

| Required provision | What it actually means |
| --- | --- |
| Permitted and required uses & disclosures | The contract must define exactly how the business associate may use or disclose PHI, and limit it to what the agreement and law allow. |
| No further use or disclosure | The business associate may not use PHI beyond the contract terms or in any way that would violate the Privacy Rule if the covered entity did it. |
| Appropriate safeguards | The business associate must implement safeguards to prevent unauthorized use or disclosure, including Security Rule administrative, physical, and technical safeguards for ePHI. |
| Breach and incident reporting | The business associate must report security incidents, breaches of unsecured PHI, and any unauthorized use or disclosure to the covered entity, within defined timelines. |
| Subcontractor flow-down | The business associate must ensure any subcontractor that handles PHI agrees to the same restrictions and conditions, via its own BAA. |
| Individuals' rights | The business associate must support the covered entity's obligations to provide individuals access to their PHI, make amendments, and supply an accounting of disclosures. |
| Return or destroy at termination | On termination, the business associate must return or destroy all PHI where feasible, and extend protections to any PHI it cannot return or destroy. |
| Availability of records to HHS | The business associate must make its internal practices, books, and records available to the Department of Health and Human Services for compliance review. |
| Termination for breach | The covered entity must be able to terminate the contract if the business associate materially violates it. |

A few of these deserve extra attention.

Safeguards and the Security Rule. For ePHI, "appropriate safeguards" is not vague. The business associate is directly obligated to comply with the Security Rule's administrative, physical, and technical safeguard requirements. The BAA should reference this rather than leaving it implied.

Breach notification. Under HITECH, breaches of unsecured PHI trigger notification duties. The business associate must notify the covered entity so the covered entity can meet its own deadlines (notification to affected individuals without unreasonable delay and no later than 60 days from discovery). The BAA should pin down how quickly the business associate must tell the covered entity, because that clock starts the covered entity's clock.

Return or destroy. This is frequently missing or watered down. The contract should be explicit about what happens to PHI when the relationship ends, including backups and archives.

## Key clauses to scrutinize before signing

The §164.504(e) requirements are the floor. The business terms around them decide how much risk you actually carry. Read these closely.

- Breach-notification clock. A compliant BAA must require reporting, but "without unreasonable delay" is not a deadline. Push for a concrete number. Many well-drafted BAAs require notice within 24 to 72 hours of discovery for confirmed breaches. The longer the window, the less time there is to meet the 60-day obligation.
- Indemnification. Does the vendor indemnify you for losses caused by its breach, including regulatory penalties, notification costs, and credit monitoring? One-sided or absent indemnification shifts the financial fallout onto the covered entity.
- Liability caps versus HIPAA risk. Watch for a liability cap set at, say, the last 12 months of fees. A single multi-record breach can cost far more than that in fines, notification, and remediation. The cap should be sized to the data risk, not just the contract value, and breach-related liability is often carved out of the cap entirely.
- Audit and assessment rights. Can you request the vendor's SOC 2 report, security questionnaire responses, or evidence of safeguards? Strong BAAs grant audit or assessment rights so trust is verifiable, not assumed.
- Data location and sub-processors. Where is PHI stored and processed, and which downstream sub-processors touch it? Cross-border storage and an undisclosed sub-processor list are real risks. Require notice and approval rights for new sub-processors.
- Insurance. Does the vendor carry cyber liability insurance with adequate limits? A robust indemnity is only as good as the vendor's ability to pay it.

These clauses overlap with the data-processing terms many vendors already maintain. Our [data processing clause library](https://contracko.com/clause-library/data-processing) shows how the same protections get drafted on the GDPR side.

## Common BAA mistakes and red flags

- No BAA with subcontractors. A business associate that shares PHI downstream without a BAA breaks the chain and is exposed directly.
- Vague or missing breach timelines. "Promptly" or "as soon as practicable" with no number leaves both parties unable to plan around their own deadlines.
- No return-or-destroy clause. PHI lingering in a former vendor's systems indefinitely is a standing liability.
- Treating a conduit as a business associate, or vice versa. Forcing a BAA on a pure conduit wastes effort. The more dangerous error is the reverse: assuming a cloud storage or software vendor is a conduit when it actually maintains PHI and needs a BAA.
- Relying on a click-through with no signed BAA. Some vendors process PHI under standard terms with no executed BAA at all. If they handle PHI, that is a gap.
- Stale BAAs. Agreements signed years ago may predate HITECH and the Omnibus Rule. Old templates can be missing required provisions. A [healthcare contract reminder](https://contracko.com/contract-reminder-tools/healthcare-contract-reminder) on each BAA's review date keeps this from going unnoticed.
- Assuming the BAA is enough. A signed BAA is necessary, but it does not by itself make either party HIPAA compliant. The safeguards still have to be real.

## BAA review checklist

Before signing, confirm the agreement covers each of these. You can also [run your BAA through our free AI BAA review tool](https://contracko.com/tools/business-associate-agreement-review) to flag missing provisions and weak clauses automatically.

- Parties and roles are correctly identified (covered entity, business associate, subcontractor).
- Permitted and required uses and disclosures of PHI are clearly defined and limited.
- A "no further use or disclosure" restriction is present.
- Appropriate safeguards are required, with an explicit reference to Security Rule compliance for ePHI.
- Breach and security-incident reporting is required, with a concrete timeline (ideally 24 to 72 hours).
- Subcontractor flow-down obligations require downstream BAAs.
- Support for individuals' rights of access, amendment, and accounting of disclosures is addressed.
- Return or destruction of PHI at termination is specified, including backups.
- Records are made available to HHS for compliance review.
- Termination for material breach is available to the covered entity.
- Indemnification covers the vendor's breaches, including penalties and notification costs.
- Liability caps are sized to the data risk, with breach liability carved out where appropriate.
- Audit or assessment rights are granted (SOC 2, security evidence).
- Data location and sub-processor disclosure, with approval rights for new sub-processors.
- Cyber liability insurance requirements are stated.
- A renewal or review reminder is set so the BAA does not go stale.

## Frequently asked questions

### Is a BAA legally required?

Yes. If a covered entity shares PHI with a vendor that qualifies as a business associate, HIPAA requires a written BAA before any PHI is disclosed. The same applies between a business associate and its subcontractors.

### What happens without a BAA?

Sharing PHI without a required BAA is a HIPAA violation in itself, separate from any breach. The Office for Civil Rights has settled cases for hundreds of thousands to millions of dollars where the core failing was a missing or inadequate BAA. Both parties can face enforcement.

### Does a BAA make us HIPAA compliant?

No. A signed BAA is a required piece of compliance, but it is a contract, not a control. The safeguards still have to be implemented, staff trained, a risk analysis conducted, and the agreement's promises actually carried out. The BAA is the commitment; the security program is what keeps it.

### BAA versus DPA: what is the difference?

A BAA is specific to HIPAA and PHI in the United States. A data processing agreement (DPA) is the equivalent instrument under the EU and UK GDPR, governing how a processor handles personal data on a controller's behalf. They serve a similar bridging function but answer to different laws, define different roles (covered entity and business associate versus controller and processor), and carry different required terms. An organization operating across both regimes may need both. For the GDPR side, see [what a data processing agreement is](https://contracko.com/blog/what-is-a-data-processing-agreement), and set [DPA renewal reminders](https://contracko.com/contract-reminder-tools/data-processing-agreement-reminder) so the counterpart agreement does not lapse either.

### Do we need a BAA with our cloud or software vendor?

If the vendor creates, receives, maintains, or transmits PHI on your behalf, yes, even if it never views the data. A HIPAA-eligible cloud provider, EHR, billing system, e-signature tool, or contract platform that stores PHI is a business associate. A pure transmission conduit that never persistently stores the data may fall under the conduit exception, but treat that as the rare case.

### How often should we review our BAAs?

Review BAAs at renewal, whenever a vendor materially changes how it handles PHI, and after any regulatory update. Maintaining a current inventory of every BAA, with renewal dates and reminders, is one of the most effective ways to avoid a stale or missing agreement.

## Get your BAAs reviewed

A business associate agreement is only protective if it actually contains the required provisions and the business terms hold up. Missing clauses, vague breach timelines, and liability caps that ignore the real cost of a breach are easy to overlook in a busy review cycle.

Contracko helps healthcare teams catch these gaps. Run any agreement through our free [AI BAA review tool](https://contracko.com/tools/business-associate-agreement-review) to surface missing §164.504(e) provisions and weak clauses, use the broader [healthcare contract review tool](https://contracko.com/tools/healthcare-contract-review) for vendor and clinical agreements, and set [renewal and DPA reminders](https://contracko.com/contract-reminder-tools/data-processing-agreement-reminder) so nothing expires unnoticed. See how it fits the rest of your stack on our [healthcare industry page](https://contracko.com/industries/healthcare).

> Reminder: this guide is general information, not legal advice. Consult qualified counsel for your specific circumstances.

Images in this article were generated with the assistance of AI.

## Get started with Contracko

Take the hassle out of contract and subscription management. Contracko empowers you to stay organized, on time, and in control. Start simplifying today.

[Start 7-day free trial](https://app.contracko.com/register?appLanguage=en)

Book demo
