HIPAA Business Associate Agreements Explained
Quick Answer
A Business Associate Agreement (BAA) is a legally required contract between a HIPAA covered entity and a business associate that establishes permitted uses and disclosures of PHI, security requirements, and breach notification obligations.
What Is a Business Associate Agreement?
A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA whenever a covered entity shares PHI with a business associate. It defines how the business associate may use and disclose PHI, what safeguards they must implement, and what happens in the event of a breach.
Key Takeaways
- BAAs are legally required before any PHI is shared with a business associate
- Both parties are liable if there's no BAA in place — fines apply to both
- BAAs must include specific HIPAA-mandated provisions (not just any contract language)
- Cloud providers (AWS, GCP, Azure) offer standard BAAs at no additional cost
- BAAs should be reviewed annually and updated when regulations or services change
Required BAA Provisions
HIPAA-Mandated BAA Provisions
- Establish permitted and required uses/disclosures of PHI
- Prohibit use or disclosure of PHI beyond what the contract permits or HIPAA requires
- Require appropriate safeguards to prevent unauthorized use or disclosure
- Require reporting of any security incident or breach to the covered entity
- Require business associate to ensure subcontractors agree to the same restrictions
- Make PHI available to the covered entity to fulfill patient access requests
- Make PHI available for amendment requests
- Make information available to HHS for compliance investigations
- Require return or destruction of PHI at contract termination
- Authorize termination if the business associate violates the agreement
Who Needs a BAA?
| Vendor Type | BAA Required? | Notes |
|---|---|---|
| Cloud hosting (AWS, GCP, Azure) | Yes | All major providers offer standard BAAs |
| EHR / health software vendor | Yes | Core business associate relationship |
| IT support / MSP | Yes, if they access PHI | Even remote access to systems with PHI triggers BAA |
| Billing / coding company | Yes | They process PHI for payment purposes |
| Shredding / destruction company | Yes | They handle PHI during disposal |
| Email service (business plan) | Yes, if used for PHI | Must have BAA before sending PHI via email |
| Phone/internet provider | No (conduit exception) | Merely transmitting data, not accessing content |
| Janitorial / maintenance | No (typically) | Unless they regularly access areas with unsecured PHI |
Common BAA Mistakes
- No BAA at all: Operating without a BAA is a HIPAA violation for both parties. This is the most common and most easily avoidable mistake.
- Using a generic contract: A standard services agreement or NDA is NOT a BAA. BAAs must include specific HIPAA-required provisions.
- Not covering subcontractors: If your business associate uses subcontractors who access PHI, they need downstream BAAs too.
- Never reviewing/updating: BAAs should be reviewed annually and updated when services change, regulations update, or breaches occur.
- No termination provisions: BAAs must address what happens to PHI when the relationship ends (return or destroy).
Key Figures
- $0: AWS/GCP/Azure BAA cost. Major cloud providers offer free BAAs.
- Annual: review frequency. Recommended BAA review cycle.
- $100K-$1.9M: penalty without BAA. Fines for operating without required BAAs.
- 6 years: retention period. Keep BAAs for 6 years from termination.
Template BAA Sources
HHS provides a sample BAA template on its website. Compliance tools (Vanta, Compliancy Group) include customizable BAA templates. For complex relationships, consider having a healthcare attorney review your BAA. Standard BAAs from major cloud providers (AWS, Google Cloud, Microsoft Azure) are generally well-drafted and accepted by most covered entities.
Can a covered entity be fined for not having BAAs?
Yes. Both the covered entity and the business associate can be fined for operating without a BAA. The HHS Office for Civil Rights (OCR) has issued multiple penalties specifically for failure to execute BAAs — even when no breach occurred.
Does a BAA make a vendor HIPAA compliant?
No. A BAA is a contract that establishes obligations. The vendor must actually implement the safeguards described in the BAA. A BAA without actual compliance is just a piece of paper — and won't protect either party in an OCR investigation.
What happens to PHI when a BAA terminates?
The BAA must specify that the business associate will return or destroy all PHI at termination. If return or destruction isn't feasible, the BA must extend the BAA protections to the retained PHI and limit further uses and disclosures.
Do I need a BAA with every SaaS tool I use?
Only if the tool accesses, stores, or processes PHI. A project management tool that never touches PHI doesn't need a BAA. But if you're storing patient data in a cloud tool, a BAA is required — even if the tool provider doesn't offer one (in which case, you can't use that tool for PHI).