What Is a Business Associate Agreement (BAA)? A Plain-English Guide
A Business Associate Agreement (BAA) is a legally required written contract under HIPAA that governs how a Business Associate — any vendor, service provider, or contractor that handles Protected Health Information (PHI) on behalf of a Covered Entity — will safeguard, use, and disclose that information. Put simply: if you are a healthcare technology company, SaaS platform, cloud provider, or service vendor that touches patient health data on behalf of a hospital, health plan, physician practice, or other healthcare entity, you need a signed BAA with that entity before a single byte of PHI changes hands, and that client needs a signed BAA with you. Operating without one is a direct HIPAA violation — for both parties.
TL;DR — Key Takeaways
- A BAA is a legally mandatory HIPAA contract — not optional documentation — required whenever a Covered Entity shares PHI with a Business Associate
- Both parties bear liability under a BAA: the Covered Entity for selecting and managing Business Associates; the Business Associate for protecting PHI per their agreement
- Required BAA elements are defined by the HIPAA Privacy Rule and Security Rule (45 CFR Part 164)
- Operating without a BAA when one is required is a direct HIPAA violation for both the Covered Entity and the Business Associate
- Major cloud and SaaS providers (AWS, Google Cloud, Microsoft Azure, Salesforce, Zoom) offer standard BAAs — but signing their BAA does not make your overall environment HIPAA compliant
- The GDPR equivalent to a BAA is a Data Processing Agreement (DPA) — required for all EU personal data processors
Who Is a Business Associate?
Under HIPAA, a Business Associate is any person or organization — other than a member of the Covered Entity's workforce — that:
- Creates, receives, maintains, or transmits PHI on behalf of a Covered Entity, OR
- Provides services to a Covered Entity where the provision of services involves the disclosure of PHI
Common Business Associates in Healthcare Technology:
| Business Associate Type | Examples |
|---|---|
| EHR/EMR software vendors | Any clinical software storing or accessing patient records |
| Cloud infrastructure providers | AWS, Azure, GCP (when hosting PHI) |
| Telehealth platforms | Video visit, remote monitoring, messaging platforms |
| Revenue Cycle Management (RCM) companies | Medical billing, coding, claims processing |
| Healthcare data analytics | Any analytics platform processing patient-level data |
| Transcription services | Clinical documentation and transcription |
| IT managed service providers | Managed IT support with access to systems containing PHI |
| Data backup and storage | Any backup service handling ePHI |
| Email service providers | If clinical communication containing PHI passes through their systems |
| Legal and accounting firms | When they access PHI in the course of their services |
Subcontractors: Business Associates must also execute BAAs with their own subcontractors who receive PHI in the course of providing services. This creates a chain of BAAs flowing down through the service provider ecosystem.
What Must a BAA Include?
HIPAA's Privacy Rule (45 CFR §164.504(e)) and Security Rule (45 CFR §164.314(a)) specify the required elements of a BAA:
Required Provisions for the Business Associate
| Requirement | What It Means |
|---|---|
| Permitted uses and disclosures | The BAA must specify the purposes for which the Business Associate may use and disclose PHI — limiting it to what is necessary for providing the contracted services |
| Prohibition on unauthorized uses | Business Associate may not use or disclose PHI in ways not permitted by the BAA or required by law |
| Appropriate safeguards | Business Associate must implement appropriate administrative, physical, and technical safeguards to protect ePHI (i.e., comply with HIPAA Security Rule requirements) |
| Breach and security incident reporting | Business Associate must report any breach or security incident to the Covered Entity |
| Subcontractor obligations | Business Associate must ensure any subcontractors it uses also agree to the same restrictions and conditions through their own BAA |
| Access for HHS | Business Associate must make internal practices, books, and records available to HHS for audits |
| Return or destruction of PHI | Upon termination of the agreement, Business Associate must return or destroy all PHI, or if retention is necessary, extend protections indefinitely |
| Data subject rights support | Business Associate must support the Covered Entity in honoring patient rights (access, amendment, accounting of disclosures) |
Required Provisions for the Covered Entity
The Covered Entity must also make certain representations in the BAA:
- It will notify the Business Associate of any restrictions on PHI use or disclosure that affect the Business Associate's activities
- It will not request the Business Associate use or disclose PHI in ways that would violate HIPAA
- It will obtain patient authorizations when required
Termination Provisions
BAAs must include provisions for:
- Termination when material terms are violated
- Required actions upon termination (return/destruction of PHI)
- Circumstances under which the Covered Entity must terminate if it learns of a pattern of HIPAA violations
What Happens If You Operate Without a BAA?
Operating without a required BAA is itself a HIPAA violation — separate from any breach or misuse of PHI. Penalties:
| Violation Type | Penalty Range |
|---|---|
| Unknowing (didn't know, couldn't have known) | $100–$50,000 per violation |
| Reasonable cause (should have known with reasonable diligence) | $1,000–$50,000 per violation |
| Willful neglect, corrected | $10,000–$50,000 per violation |
| Willful neglect, uncorrected | $50,000 per violation (up to $1.9M annual cap per category) |
Beyond regulatory penalties: if a breach occurs and you do not have a BAA in place, your liability exposure is dramatically higher. Courts have found that the absence of a BAA is evidence of willful neglect — triggering the highest penalty tiers.
For healthcare technology companies specifically: No BAA means you cannot legally provide services to Covered Entities. Any contract you have with a healthcare organization is at risk of being voided, and the Covered Entity faces its own violations for failing to execute required agreements.
Common BAA Scenarios and Mistakes
Scenario 1: Cloud Provider BAA ≠ HIPAA Compliance
AWS, Azure, and Google Cloud all offer HIPAA BAAs — and you should sign them if you are hosting PHI. However, the cloud provider's BAA only covers their portion of the infrastructure. You are still responsible for configuring your workloads securely, enforcing access controls, enabling appropriate logging, and meeting all other Security Rule requirements within your environment. A signed AWS BAA does not make your application HIPAA compliant.
Scenario 2: Blanket BAAs vs. Specific Service Scope
BAAs should reflect the actual PHI you share and the services being performed. Broad, catch-all BAAs that do not specify permitted uses and disclosures create compliance ambiguity. Use BAAs that are specific about what PHI is shared, for what purpose, and under what conditions.
Scenario 3: BAA Inventory Management
Most healthcare technology companies manage dozens of vendors — cloud providers, databases, analytics tools, email services, support platforms — and many of them receive PHI. Maintaining a current, complete inventory of all Business Associates and their signed BAAs is a HIPAA administrative safeguard requirement. Without it, you cannot demonstrate that you have executed required agreements with all vendors.
Scenario 4: Forgetting Subcontractors
If you use a subcontractor that receives PHI in the course of providing services to you, you must execute a BAA with that subcontractor. This includes offshore development teams, contracted support providers, and any third-party service that is integrated into your PHI-handling systems.
BAA vs. GDPR Data Processing Agreement (DPA)
| | HIPAA Business Associate Agreement (BAA) | GDPR Data Processing Agreement (DPA) |
|---|---|---|
| Required by | HIPAA (US federal law) | GDPR (EU regulation) |
| Data covered | Protected Health Information (PHI) | EU residents' personal data |
| Who needs it | Covered Entities and Business Associates handling PHI | Data Controllers and Data Processors handling EU personal data |
| Key obligations | Security safeguards, PHI use restrictions, breach reporting, subcontractor requirements | Processing instructions, security measures, sub-processor controls, breach reporting, data subject rights support |
| Penalty for non-compliance | Up to $1.9M/year per violation category | Up to 4% of global annual revenue |
| Standard forms available | HHS provides model contract language | EU Commission provides Standard Contractual Clauses |
| Termination requirements | Must return/destroy PHI | Must delete/return personal data; certify deletion |
Companies operating in both healthcare (HIPAA) and handling EU personal data (GDPR) may need both a BAA and a DPA with certain vendors.
Key Clauses to Scrutinize in Any BAA You Sign
When reviewing a BAA presented by a vendor or service provider, pay particular attention to:
- Breach notification timeline: HIPAA requires Business Associates to notify Covered Entities of breaches "without unreasonable delay and in no case later than 60 days." Some vendor BAAs attempt to set longer notification periods or add ambiguous triggers — push back on any language that weakens the 60-day requirement.
- Permitted uses and disclosures: Vendors sometimes insert broad language permitting them to use your PHI for their own product improvement, analytics, or research purposes. Scrutinize any permitted use beyond what is strictly necessary to provide the contracted service.
- Subprocessor notification: Your BAA should require the vendor to notify you before adding new subcontractors that will receive PHI, giving you the opportunity to object.
- Audit rights: Your BAA should give you the right to audit the vendor's HIPAA compliance practices — not just require them to comply. This is critical for your own vendor risk management obligations.
- Termination and data deletion: Confirm the specific timeline and method for PHI destruction upon contract termination, and require written certification of destruction.
How QuickTrust Helps With BAA Management
Executing and managing BAAs is part of a functioning HIPAA compliance program — but it is only the legal layer. QuickTrust's compliance engineers also ensure the technical controls that BAAs require are actually implemented:
What QuickTrust delivers for BAA management and HIPAA vendor compliance:
- Complete BAA inventory — Identify all vendors and service providers in your environment that receive PHI; determine which require a BAA
- BAA execution support — Review vendor-provided BAAs for HIPAA compliance; assist with negotiation of key provisions
- Subcontractor BAA chain — Ensure your own BAA obligations to your Covered Entity clients are met, including subcontractor flow-down requirements
- Vendor risk management program — Build the ongoing process for reviewing, re-assessing, and maintaining your Business Associate relationships
- Technical safeguard implementation — Ensure each Business Associate relationship has corresponding technical controls: access restrictions, encryption, logging, and data minimization in your systems
- Free BAA template — Download QuickTrust's attorney-reviewed BAA template as a starting point for your vendor agreements
Result: A complete, managed Business Associate program — legal agreements and technical controls, fully integrated.
BAA FAQ
Do we need a BAA with our HIPAA-compliant cloud provider if we're already paying for their HIPAA tier?
Yes. Paying for a HIPAA-compliant service tier does not automatically create a BAA. You must affirmatively execute a BAA with any cloud provider on whose infrastructure you host PHI. Most major providers (AWS, Azure, GCP) offer self-service BAA execution through their web consoles or procurement portals.
How long should we retain signed BAAs?
HIPAA requires that BAAs be retained for 6 years from the date of creation or the date on which the agreement was last in effect, whichever is later. Store signed BAAs in a secure, organized location with your other compliance documentation.
What if a vendor refuses to sign a BAA?
If a vendor refuses to sign a BAA and you need to share PHI with them to use their service, you cannot use that vendor for PHI-related purposes. Using a vendor without a required BAA is a HIPAA violation regardless of how good their security practices may be. If the vendor is important to your operations, escalate to their legal or compliance team — many enterprise vendors have standard BAAs available but don't advertise them.
Is a BAA the same thing as a HIPAA Business Associate Contract?
Yes — HIPAA regulations use the term "business associate contract" in the regulatory text (45 CFR §164.504(e)), but "Business Associate Agreement" or "BAA" is the common industry usage. They are functionally synonymous.
Can we use a template BAA or do we need a lawyer?
Template BAAs (including HHS's model business associate contract language) are a useful starting point, but should be reviewed by healthcare legal counsel before use. The specific services, PHI types, and risk allocations in your relationships may require tailored provisions. QuickTrust provides a template BAA as a resource, but always recommends legal review for final execution.
Download Our Free BAA Template
A missing BAA is a HIPAA violation waiting to become a headline. QuickTrust provides a free, attorney-reviewed Business Associate Agreement template to help healthcare technology companies establish the required legal framework for PHI-handling relationships — backed by engineering implementation that ensures the underlying security controls actually protect the data the BAA covers.
Get your free BAA template and HIPAA compliance assessment at trust.quickintell.com
Engineering-included. Policy-complete. 100% audit pass rate.