
Business Associate Agreement: Complete Guide
A business associate agreement (BAA) is one of the most important documents in any HIPAA compliance program. Whenever a covered entity engages a third party to handle protected health information (PHI), a BAA must be in place, and no PHI should be shared before that agreement is signed. Failing to execute a proper BAA is one of the most common, and most costly, HIPAA violations identified in enforcement actions.

This guide covers everything organizations need to know about business associate agreements. It explains who qualifies as a business associate and what a BAA must contain. It also covers how to track ongoing compliance with a BAA management platform and what happens when a breach occurs. Whether you are a covered entity managing vendors or a business associate working with healthcare clients, understanding BAA requirements is non-negotiable for HIPAA compliance. HHS enforcement data shows that business associate incidents now account for a significant share of all reported healthcare data breaches, with single incidents like Change Healthcare affecting over 190 million patients.
What Is a Business Associate?

Definition and Scope

Under HIPAA, a business associate is any person or organization that is paid to perform a specific task or service on behalf of a covered entity. If that task will foreseeably involve access to PHI, a business associate relationship exists.

The relationship is defined by the nature of the work, not by the size of the organization or the volume of PHI involved. Even a single interaction involving PHI can establish a business associate relationship.

Common examples of business associates include:
- IT service providers/Managed Service Providers --- Companies that host, maintain, or access systems containing ePHI. This includes cloud service providers, managed security services, and EHR vendors. See our guide on BAA management for vendors and MSPs for specific scenarios
- Billing and coding companies --- Third-party billing services that process claims containing PHI
- Legal and accounting firms --- When they access PHI in the course of providing professional services. For example, an attorney who specializes in medical malpractice will likely come into contact with PHI while doing their job.
- Consultants --- Compliance consultants, practice management consultants, and other advisors who access PHI directly as part of the engagement they were hired for
- Shredding and disposal companies --- Firms that handle the destruction of PHI-containing media and records
- Transcription services --- Medical transcription companies that process dictated records
- Claims processing organizations --- Entities that handle health insurance claims on behalf of a covered entity
Who Is NOT a Business Associate?
Not every vendor relationship triggers BAA requirements. The following are usually not business associates:

- Janitorial services --- Unless they are specifically hired to handle PHI-containing waste, they are regular vendors. Regular vendors should sign a data privacy agreement.
- Electrical and plumbing contractors --- Maintenance providers without access to PHI
- Conduit entities --- Organizations that merely transport PHI, such as your ISP. They cannot always know what is traveling across their networks, so in most cases they are not responsible for bad actors.
- Members of a covered entity's workforce --- Employees, volunteers, and trainees under direct control are not business associates
- Patients and personal representatives --- Individuals acting on their own behalf or on behalf of a loved one

The distinction between a workforce member and a business associate depends on how much control the covered entity exercises. Independent contractors who work under their own judgment are often business associates. People under the covered entity's direct supervision are workforce members.
BAA Requirements Under HIPAA

Regulatory Basis

The HIPAA Privacy Rule requires covered entities to obtain satisfactory assurances from business associates that they will properly safeguard PHI. These assurances must be documented in a written agreement: the BAA. The HITECH Act expanded these requirements by making business associates directly liable for compliance with certain HIPAA provisions and by extending the requirement to subcontractor relationships.

A covered entity that discovers a business associate is violating the BAA must take reasonable steps to cure the violation. If those steps are unsuccessful, the covered entity must terminate the agreement if feasible. Failure to act on known violations exposes the covered entity to its own enforcement liability. In a worst-case scenario, where terminating the agreement would cause harm, contact HHS to explain the situation; this helps address any concerns about your organization's role.
When a BAA Must Be in Place

A BAA must be executed before any PHI is shared with the business associate. This timing requirement is absolute. Organizations that begin sharing PHI before a BAA is signed face potential violations regardless of whether a breach occurs. During vendor onboarding, the BAA should be part of the contracting process alongside service level agreements and other standard business documents.

Key Provisions Every BAA Must Include

Required Elements

The Privacy Rule specifies that a BAA must include terms that:
- Define permitted uses and disclosures --- Specify what the business associate may and may not do with PHI. Uses must be limited to those needed to perform the contracted services or as required by law
- Prohibit unauthorized use or disclosure --- Explicitly bar the business associate from using or disclosing PHI in ways that would violate the Privacy Rule
- Require appropriate safeguards --- Mandate that the business associate implement administrative, physical, and technical safeguards as required by the Security Rule
- Require breach reporting --- Obligate the business associate to report any use or disclosure not provided for by the agreement, including breaches of unsecured PHI
- Ensure subcontractor compliance --- Require the business associate to obtain satisfactory assurances from any subcontractors that create, receive, maintain, or transmit PHI
- Support individual rights --- Require the business associate to make PHI available to individuals exercising their right of access and to support amendment requests
- Provide access for HHS --- Make the business associate's internal practices, books, and records available to the Secretary of HHS for compliance determination
- Require return or destruction --- Upon termination, the business associate must return or destroy all PHI it handled for the covered entity, where feasible
Recommended Additional Terms
Beyond the minimum requirements, well-drafted BAAs often include:

- Specific security requirements --- Encryption standards, access control requirements, and security assessment obligations
- Breach notification timelines --- Set timeframes shorter than the regulatory maximum. For example, require notification within 24 or 48 hours rather than the 60-day deadline
- Indemnification clauses --- Financial responsibility for costs arising from the business associate's non-compliance or breach
- Insurance requirements --- Minimum cyber liability insurance coverage amounts
- Audit rights --- The covered entity's right to audit the business associate's compliance with the BAA
- Data location restrictions --- Requirements regarding where PHI may be stored and processed, including restrictions on offshore data processing
- Incident response coordination --- Procedures for coordinating breach response activities between the parties
- Termination triggers --- Specific conditions that constitute material breach and trigger termination rights
Managing Subcontractors
The Subcontractor Chain

The HITECH Act created a downstream chain of responsibility for PHI protection. When a business associate engages a subcontractor that will have direct access to PHI, the business associate must enter into a BAA with that subcontractor. This requirement extends through every level of the subcontracting chain: a subcontractor that engages its own subcontractor must also execute a BAA.

This chain of agreements ensures that PHI remains protected regardless of how many organizations handle it. Practically, this means organizations must:

- Identify all subcontractors with access to PHI
- Execute BAAs with each subcontractor before sharing PHI
- Monitor subcontractor compliance regularly
- Include flow-down terms in BAAs that require subcontractors to impose equivalent requirements on their own subcontractors
Common Subcontractor Scenarios
Cloud infrastructure providers represent one of the most common subcontractor relationships in modern healthcare. If a business associate hosts ePHI on a cloud platform, that cloud provider is a subcontractor and requires a BAA. Major cloud providers including AWS, Microsoft Azure, and Google Cloud offer standard BAAs for healthcare customers. Organizations must verify that these agreements meet their specific compliance requirements.

Other common subcontractor scenarios include offshore development teams, third-party data analytics providers, backup and disaster recovery services, and managed security operations centers.
Monitoring Business Associate Compliance

Due Diligence Before Engagement

Before executing a BAA, covered entities should conduct due diligence to evaluate a prospective business associate's ability to protect PHI. This review should include:

- Security posture review --- Request and evaluate the business associate's security policies, risk assessment results, and compliance certifications (SOC 2, HITRUST, ISO 27001)
- Reference checks --- Contact other healthcare clients to understand the business associate's compliance track record
- Incident history --- Review the HHS Breach Portal and other public sources for past breach notifications involving the business associate
- Financial stability --- Assess the business associate's ability to maintain adequate security measures and respond to incidents
Ongoing Monitoring
Executing a BAA is not a one-time event. Covered entities must monitor business associate compliance throughout the relationship:

- Annual compliance attestations --- Require business associates to certify their ongoing compliance with BAA terms and HIPAA requirements
- Periodic security reviews --- Conduct or request updated risk assessments and security audit results
- Incident tracking --- Maintain records of any security incidents or near-misses reported by the business associate
- Contract reviews --- Revisit BAA terms at least annually to ensure they remain current with regulatory requirements and organizational changes
- Performance metrics --- Track response times for access requests, breach notifications, and other BAA obligations

Organizations should build these monitoring activities into their broader compliance calendar and assign clear ownership for vendor oversight. A comprehensive HIPAA risk assessment should include evaluation of business associate risks. Business associates must also conduct their own separate risk assessments under the Omnibus Rule.
Breach Responsibilities

Business Associate Duties

When a business associate discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay, and no later than 60 days after discovery. The notification must include:

- Identification of each individual whose PHI has been, or is reasonably believed to have been, affected
- A description of what happened, including the date of the breach and the date of discovery
- A description of the types of PHI involved
- Any steps the business associate recommends individuals take to protect themselves
- A description of what the business associate is doing to investigate the breach, mitigate harm, and prevent future breaches
Covered Entity Duties
The covered entity retains responsibility for notifying affected individuals, HHS, and (for breaches affecting 500 or more individuals) the media. However, the covered entity relies on timely and accurate information from the business associate to meet its own notification obligations. This is especially critical for smaller practices, such as dental offices, that depend heavily on outside vendors. This dependency makes tight breach reporting timelines in the BAA critically important.

Shared Liability

Under HITECH, business associates face direct liability for HIPAA violations. Both the covered entity and the business associate may face enforcement actions arising from a single incident. OCR investigations frequently examine both parties. The range of HIPAA violation examples and their associated penalties shows that BAA-related failures regularly appear among the costliest enforcement outcomes. Settlement agreements often include corrective action plans for both the covered entity and the business associate.

Organizations on both sides of the BAA relationship should maintain coordinated incident response plans, conduct joint tabletop exercises, and establish clear communication channels for breach response. Waiting until a breach occurs to define roles and responsibilities leads to delayed notifications, regulatory scrutiny, and increased harm to affected individuals.
BAA Frequently Asked Questions

Can we use a vendor's standard BAA template?

You can, but you should review it carefully. Vendor-provided BAA templates often favor the vendor's interests and may not include all terms your compliance program requires. Common gaps include weak breach notification timelines, limited audit rights, and insufficient subcontractor flow-down requirements. Have your legal and compliance team review any vendor-provided BAA against your organization's requirements before signing.

What happens if a business associate refuses to sign a BAA?

If a vendor that will have access to PHI refuses to sign a BAA, the covered entity cannot share PHI with that vendor. Period. There is no exception or workaround. If the vendor's services are essential, the covered entity must either find an alternative vendor willing to sign a BAA or restructure the engagement so the vendor has no access to PHI.
How often should BAAs be updated?

BAAs should be reviewed at least annually and updated when material changes occur, including changes in the services provided, the types of PHI accessed, applicable regulations, or the business associate's subcontractor relationships. Many organizations align BAA reviews with their annual HIPAA compliance checklist activities.

Does a cloud storage provider need a BAA?

Yes. If a cloud storage provider stores, processes, or has access to ePHI, it is a business associate and requires a BAA, regardless of how the relationship is structured. This applies even if the provider does not view or analyze the data: the provider's technical ability to access ePHI is enough to establish the business associate relationship. Encryption does not eliminate the need for a BAA unless the covered entity retains exclusive control of the decryption keys.

What is the difference between a business associate and a covered entity?

A covered entity is a healthcare provider that conducts electronic transactions, a health plan, or a healthcare clearinghouse. These are the entities directly subject to HIPAA. A business associate is a person or organization that performs functions involving PHI on behalf of a covered entity. The key distinction is that business associates handle PHI through a service relationship with a covered entity rather than through a direct relationship with patients. For a broader overview, see our What is HIPAA article.
BAA Compliance Conclusion

Business associate agreements are the contractual backbone of HIPAA's third-party compliance framework. A well-drafted BAA protects covered entities, business associates, and ultimately the patients whose information flows through the healthcare ecosystem. Organizations must approach BAAs not as administrative formalities but as enforceable instruments that define real accountability for PHI protection.

Every phase of the vendor management lifecycle demands attention: identifying business associate relationships, performing due diligence, executing contracts, monitoring compliance, and coordinating breach response. Organizations that invest in robust BAA programs are best positioned to withstand regulatory scrutiny and to keep the trust of their patients and partners.

One Guy Consulting provides BAA templates, vendor management frameworks, and compliance guidance that simplify business associate oversight. Explore our HIPAA compliance guide for the full picture. Contact us to strengthen your business associate management program with proven tools and expert support.
Required BAA Provisions Under 45 CFR 164.314(a)(2)
Every BAA must include these provisions. Missing any one creates enforcement exposure.
| Required Provision | CFR Reference | What It Must State |
|---|---|---|
| Permitted uses and disclosures | 164.314(a)(2)(i) | BA may only use or disclose PHI as permitted by the agreement or required by law |
| Safeguards requirement | 164.314(a)(2)(i)(A) | BA must use appropriate safeguards to prevent unauthorized use or disclosure |
| Breach reporting | 164.314(a)(2)(i)(C) | BA must report any security incident or breach to the covered entity |
| Subcontractor obligations | 164.314(a)(2)(i)(B) | BA must ensure subcontractors agree to the same restrictions and conditions |
| Access to PHI | 164.314(a)(2)(ii)(A) | BA must make PHI available to satisfy patient right-of-access requests |
| Amendment of PHI | 164.314(a)(2)(ii)(B) | BA must make PHI available for amendment and incorporate amendments |
| Accounting of disclosures | 164.314(a)(2)(ii)(C) | BA must make information available to provide an accounting of disclosures |
| HHS access | 164.314(a)(2)(ii)(D) | BA must make practices and records available to HHS for compliance determination |
| Return or destroy PHI | 164.314(a)(2)(ii)(E) | BA must return or destroy all PHI at termination if feasible |
Key stat: BAA failures appear in over 30% of OCR enforcement actions. In the Anthem settlement ($16 million), the largest HIPAA fine in history, inadequate vendor oversight was a primary finding. OCR consistently treats missing or incomplete BAAs as evidence of systemic compliance failure.
Sources
- 45 CFR 164.504(e) — BAA Required Provisions
- 45 CFR 160.103 — Business Associate Definition
- HHS Business Associate Guidance
- HHS Resolution Agreements and Civil Money Penalties