A Business Associate Agreement (BAA) — also called a Business Associate Contract — is a legally required written agreement under HIPAA that must exist between a covered entity and any vendor, contractor, or service provider (called a "business associate") that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. The BAA requirement is codified at 45 CFR § 164.504(e) and enforced by the HHS Office for Civil Rights.
Operating without a signed BAA where one is required is a direct HIPAA Privacy and Security Rule violation. It is not a technicality or a documentation gap — it is a substantive failure to establish the legally mandated contract protections for PHI. OCR treats missing BAAs as significant enforcement findings, and multiple settlements have been based entirely or primarily on the failure to execute BAAs.
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic PHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. Satisfactory assurances must be documented through a written contract or other arrangement that meets the requirements of § 164.314(a)(2).
Who Is a "Business Associate" Under HIPAA?
Under 45 CFR § 160.103, a business associate is a person or organization (other than a member of the covered entity's workforce) that performs functions or activities on behalf of or provides services to a covered entity involving the use or disclosure of PHI. The definition was expanded by the HITECH Act (Pub. L. 111-5) and the 2013 Omnibus Rule (78 Fed. Reg. 5566) to include:
- Health information organizations that facilitate data exchange among covered entities
- E-prescribing gateways and pharmacy benefit managers
- Patient safety organizations (PSOs) as defined by the Patient Safety Act
- Subcontractors of business associates who create, receive, maintain, or transmit PHI
- Cloud service providers (CSPs) that store ePHI — even if data is encrypted and the CSP cannot read it
- EHR vendors, billing companies, transcription services, legal firms, accounting firms, and IT support providers with PHI access
Workforce members of the covered entity are explicitly not business associates — they are covered by the covered entity's internal workforce policies. However, a staffing agency that places workers who access PHI may be a business associate if the agency, as an organization, has access to PHI.
Required Elements of a BAA — 45 CFR § 164.504(e)(2)
The Privacy Rule specifies the minimum required elements that every BAA must contain. A BAA that is missing any of the following provisions is legally deficient and does not satisfy the HIPAA requirement — even if it is signed and dated:
- Permitted and Required Uses and Disclosures: The BAA must establish the permitted and required uses and disclosures of PHI by the business associate. The business associate may not use or further disclose PHI beyond what is permitted or required by the contract, or as required by law. (45 CFR § 164.504(e)(2)(i))
- No Unauthorized Use or Disclosure: The business associate must agree not to use or disclose PHI except as permitted or required by the contract or as required by law. This is the foundational anti-disclosure provision of the BAA. (45 CFR § 164.504(e)(2)(ii)(A))
- Appropriate Safeguards: The business associate must agree to use appropriate safeguards to prevent use or disclosure of PHI not permitted by the contract. For ePHI, the business associate must implement the safeguards required by 45 CFR Part 164, Subpart C (the Security Rule) — including administrative, physical, and technical safeguards. (45 CFR § 164.504(e)(2)(ii)(B); 45 CFR § 164.314(a)(2)(i)(A))
- Reporting of Unauthorized Disclosures and Breaches: The business associate must report to the covered entity any use or disclosure of PHI not provided for by the contract, including breaches of unsecured PHI as required by 45 CFR § 164.410, within 60 days of the business associate's discovery of the breach. (45 CFR § 164.504(e)(2)(ii)(C); 45 CFR § 164.410)
- Subcontractor BAAs: The business associate must agree to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information, through a separate written BAA with each subcontractor. (45 CFR § 164.504(e)(2)(ii)(D); 45 CFR § 164.308(b)(2))
- Access to PHI for Individual Rights: The business associate must make PHI available in accordance with the individual rights provisions — specifically, the right of access (§ 164.524), the right to amend (§ 164.526), and the right to an accounting of disclosures (§ 164.528) — as directed by the covered entity. (45 CFR § 164.504(e)(2)(ii)(E)–(G))
- Internal Records and Compliance Documentation: The business associate must make its internal practices, books, and records relating to the use and disclosure of PHI available to HHS for purposes of determining the covered entity's compliance with the Privacy Rule. This includes audit access for OCR investigations. (45 CFR § 164.504(e)(2)(ii)(H))
- Return or Destruction of PHI Upon Termination: At termination of the contract, the business associate must, if feasible, return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity. If return or destruction is not feasible, the protections of the contract must extend to the PHI that cannot be destroyed. (45 CFR § 164.504(e)(2)(ii)(I))
- Authorization to Terminate Upon Material Breach: The covered entity must retain the right to terminate the contract if it determines that the business associate has violated a material term of the contract and cure is not feasible. If termination is not feasible, the covered entity must report the violation to HHS. (45 CFR § 164.504(e)(2)(iii); 45 CFR § 164.504(e)(1)(ii))
Permitted Uses and Disclosures — What a Business Associate Can Do With PHI
Under 45 CFR § 164.504(e)(3), a BAA may permit a business associate to use or disclose PHI only for the following purposes:
- For the business associate's own management and administration, provided the disclosure is required by law or the business associate obtains reasonable assurances from the recipient that the information will remain confidential
- To provide data aggregation services to the covered entity (combining PHI from multiple covered entities to analyze data relating to the health care operations of those covered entities)
- To carry out the legal responsibilities of the business associate, provided certain conditions are met
A business associate may never use PHI for its own marketing purposes, sell PHI to third parties, or use PHI for any purpose not specified in the BAA. These restrictions were significantly strengthened by the 2013 Omnibus Rule, which made selling PHI without authorization a per se HIPAA violation regardless of what a BAA might say — BAAs cannot override HIPAA statutory prohibitions.
A covered entity or business associate may not sell PHI without a valid authorization from the individual, except in limited circumstances (public health activities, research, treatment). A BAA cannot authorize the sale of PHI — any provision in a BAA purporting to allow a business associate to sell PHI is void and unenforceable, and would constitute a HIPAA violation by both parties.
The Subcontractor Chain — Downstream BAA Obligations
One of the most significant expansions in the 2013 Omnibus Rule was the extension of direct HIPAA liability to subcontractors of business associates. Before the Omnibus Rule, only covered entities and their direct business associates were subject to HIPAA enforcement. After the Omnibus Rule, subcontractors of business associates are themselves business associates under 45 CFR § 160.103 and are directly subject to HIPAA and OCR enforcement.
This creates a chain of BAA obligations:
- The covered entity must have a BAA with each direct business associate (§ 164.504(e))
- Each business associate must have a BAA with each of its own subcontractors that touch PHI (§ 164.308(b)(2))
- Each subcontractor must have BAAs with its own downstream subcontractors — and so on, to as many tiers as exist in the data processing chain
In practice, this means that a covered entity using a SaaS EHR platform must obtain a BAA with the EHR vendor. That EHR vendor must have BAAs with its cloud infrastructure provider (e.g., AWS, Azure), its subprocessors (analytics tools, logging services, email notification systems), and any other vendor with PHI access. The covered entity has a responsibility to ensure this downstream chain exists — it cannot claim ignorance of its business associate's subcontractors.
Breach Notification Obligations Under the BAA
When a business associate discovers a security incident that constitutes a breach of unsecured PHI, it must notify the covered entity without unreasonable delay and no later than 60 days after discovery under 45 CFR § 164.410. The business associate notification must include, to the extent possible:
- The identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed
- A brief description of what happened, including the date of the breach and the date of discovery
- A description of the types of unsecured PHI involved
- The steps individuals should take to protect themselves from potential harm
- A brief description of the business associate's investigation and steps taken to mitigate harm and protect against future breaches
The BAA should specify the exact timeline and format for breach notifications from the business associate to the covered entity. Best practice is to require written notification within 10 business days of the business associate's discovery — far shorter than the 60-day statutory maximum — to give the covered entity adequate time to investigate, determine notification obligations, and meet the 60-day HHS reporting deadline of § 164.408.
What Happens When There Is No BAA?
A covered entity that permits a business associate to create, receive, maintain, or transmit PHI without an executed BAA is in violation of 45 CFR § 164.504(e). This is not a technical or paperwork violation — it is a substantive failure to implement the Privacy Rule's core protection mechanism for PHI shared with third parties.
OCR has assessed civil money penalties for missing BAAs in numerous enforcement actions. In the 2016 Oregon Health & Science University settlement ($2.7M), the absence of BAAs with a major cloud storage provider was a central finding. In the 2017 CardioNet settlement ($2.5M), lack of BAAs with business associates was cited alongside a laptop theft. The 2019 Texas Health Resources settlement ($2.1M) included multiple missing BAAs as a primary violation.
Under 45 CFR § 160.404, a missing BAA is subject to civil money penalties ranging from $137 to $68,928 per violation (2025 inflation-adjusted figures), with an annual cap of $2,067,813 per violation category. Each instance of sharing PHI with a vendor without a BAA may constitute a separate violation.
HHS Model BAA Language
HHS publishes sample BAA language on its website (available at hhs.gov/hipaa). The HHS model language is a starting point, not a complete BAA — it must be supplemented with operational provisions specific to the relationship, including:
- Service description and specific PHI functions the business associate will perform
- Data security standards the business associate must meet (encryption specifications, MFA requirements, penetration testing frequency)
- Incident response timeline requirements and format for breach notification
- Subcontractor notification requirements and approval process
- Audit rights — the covered entity's right to audit the business associate's HIPAA compliance practices
- Indemnification provisions for breach-related costs
- Data retention and destruction schedules with certificate of destruction requirements
- Governing law and jurisdiction for dispute resolution
A covered entity may not permit a business associate to create, receive, maintain, or transmit PHI on its behalf without first entering into a contract or other arrangement with the business associate that meets the requirements of § 164.504(e)(2) through (e)(5) as applicable. The agreement must be in writing. Oral arrangements do not satisfy the HIPAA requirement. Clickthrough agreements and online terms of service that do not incorporate the required BAA provisions do not satisfy the requirement — a specific, executed BAA is necessary.
The BAA Is Not a Compliance Certificate
Perhaps the most common misunderstanding in healthcare compliance is treating a signed BAA as proof that a vendor is HIPAA-compliant. It is not. A BAA is a contractual commitment that the business associate will protect PHI as required by HIPAA — it is not evidence that the business associate has actually done so. A covered entity that relies on a BAA alone, without conducting any due diligence on the business associate's actual security posture, cannot claim the BAA as a defense in an OCR investigation.
HHS has stated clearly that covered entities are expected to select business associates that provide reasonable assurances of their ability to safeguard PHI and to periodically monitor and oversee business associate compliance. A covered entity that had reason to know a business associate was not safeguarding PHI and failed to act — even with a BAA in place — may be held liable for the business associate's actions.
For verified HIPAA-compliant vendors that support BAA execution across all major compliance categories, see the HipaaDirectory.com Compliance Tool Listings. All 25 listed vendors offer BAAs satisfying the requirements of 45 CFR § 164.504(e).