What is a BAA? (Definition, Uses, and How to Create One)

By Brent Farese, October 21, 2025

Healthcare organizations handle some of the most sensitive information out there, like patient names, medical histories, insurance details, and treatment records. Sharing that data is often necessary to run operations efficiently, but it also comes with serious privacy responsibilities.

That’s why the Health Insurance Portability and Accountability Act (HIPAA) requires specific safeguards whenever this data is created, stored, or transmitted on behalf of a healthcare organization, including when it changes hands.

A business associate agreement (BAA) is one of those safeguards. It’s a written contract that outlines how third-party vendors (known as business associates) must handle protected health information (PHI).

If a covered entity (like a hospital or health insurer) works with another company that might access patient data, a signed BAA is required before any information is shared. Without it, both sides could face serious penalties for violating HIPAA rules.

In this guide, we’ll break down what a BAA is, who needs one, why it matters, and what must be included in a compliant agreement.

The Business Associate Agreement (BAA) Defined

A business associate agreement is a written contract required under HIPAA. It formalizes how protected health information is used, disclosed, and safeguarded when handled by outside vendors or partners.

The HIPAA Privacy Rule (45 CFR 164.502(e) and 164.504(e)), enforced by the U.S. Department of Health and Human Services (HHS), requires a covered entity to have such a contract in place before it discloses PHI to a business associate.

To understand how a BAA fits into HIPAA regulations, it helps to define the key terms:

  • Covered entity (CE): A health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and similar). Examples include hospitals, physician practices, and health insurers.
  • Business associate (BA): A person or organization outside the covered entity’s workforce that creates, receives, maintains, or transmits PHI on its behalf, for example for IT support, billing, or legal services. Subcontractors of a business associate that handle PHI are business associates too.
  • Protected health information (PHI): Individually identifiable health information about a person’s health condition, care, or payment for care, in any form, held or transmitted by a covered entity or business associate. Names, medical histories, billing details, and health records all qualify. Electronic PHI (ePHI) is PHI in electronic form.
  • Business associate contracts: The legal agreements (BAAs) that set out how PHI will be used, protected, reported on, and returned between the two parties.

In simple terms, a BAA ensures compliance with HIPAA’s privacy and security rules. It holds both the covered entity and its partners accountable for maintaining data confidentiality.

Who Can and Cannot Be a BA?

Not every vendor or partner qualifies as a business associate under HIPAA regulations. The deciding factor is whether the vendor creates, receives, maintains, or transmits protected health information on the covered entity’s behalf.

If a company handles, processes, or stores PHI for a covered entity, it qualifies as a BA and must sign a BAA before it receives any PHI.

Common examples of business associates include:

  • Cloud storage providers that store patient or medical data for healthcare organizations
  • Billing and coding companies that process claims containing PHI
  • Law firms that review or handle medical documents for clients in healthcare
  • Email or document management vendors with access to health records
  • IT service providers maintaining databases or electronic health record systems
  • Data analytics companies that process healthcare statistics using identifiable patient data
  • Consultants and auditors working with healthcare operations involving PHI

Who cannot be a business associate:

  • Members of a covered entity’s own workforce (employees, volunteers, and trainees under its direct control are covered by the entity’s own HIPAA obligations, not by a BAA)
  • Vendors with no PHI access, such as janitorial or office supply companies
  • Companies that receive only de-identified data, meaning the identifiers listed in the HIPAA de-identification standard have been removed or an expert has determined the re-identification risk is very small
  • Financial institutions processing ordinary payment transactions (for example, clearing a patient’s credit card payment) without handling PHI beyond what the payment itself requires
  • Pure conduits, such as the postal service or an internet service provider, that only transmit PHI and have no more than transient, incidental access to it

If a vendor will persistently hold or have access to PHI on the covered entity’s behalf, a signed BAA is required before any data exchange. HHS guidance makes clear that this includes cloud providers that store ePHI even if the data is encrypted and the provider never actually views it.

Why Would You Need a BAA?

A business associate agreement is required whenever a vendor or partner will have access to protected health information or electronic protected health information (ePHI).

The HIPAA Privacy Rule and HIPAA Security Rule both make it clear that covered entities must have a legally binding contract in place before sharing PHI with outside parties.

In many organizations, this process is part of broader healthcare contract management, which helps track, review, and maintain compliance across all vendor agreements.

HIPAA requires that the covered entity and the business associate enter into a written agreement that defines how PHI will be handled and protected, and the same obligation flows down from a business associate to any subcontractor that handles PHI.

Without one, both the covered entity and the vendor risk enforcement action by the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services.

Here’s why a BAA is necessary:

  • To protect PHI and ePHI by defining permitted and required uses and disclosures
  • To assign accountability for safeguarding patient information and reporting breaches
  • To clarify responsibilities for compliance with HIPAA privacy and security standards
  • To prevent liability if a vendor mishandles patient data
  • To demonstrate due diligence during audits or investigations
  • To maintain trust between healthcare organizations and their vendors

5 Key Elements of a BAA

Every BAA must contain the elements required by HIPAA (listed at 45 CFR 164.504(e)) to be valid. These clauses spell out how both parties will handle, use, and protect patient data.

Below are the main elements that make a BAA HIPAA-compliant.

1. Permitted and Prohibited Uses of PHI

The agreement must clearly explain how the business associate may use or disclose PHI. These are called permissible uses, and they typically cover only what’s necessary to perform certain functions for the covered entity, such as:

  • Billing services
  • Data storage
  • Claims processing
  • Data analysis or reporting
  • Data aggregation
  • Customer support
  • Legal contract review

Any use or disclosure of PHI outside those listed purposes is prohibited, and the business associate may not use or disclose PHI in a way that would be unlawful if the covered entity did it itself. The BAA also requires the associate to prevent unauthorized sharing or sale of patient data, to apply the minimum-necessary standard, and to comply with the Privacy Rule obligations it takes on when it performs the covered entity’s duties.

2. Safeguards and Security Measures

The business associate must agree to implement appropriate safeguards to protect PHI from misuse, theft, or unauthorized access. For ePHI this means the administrative, physical, and technical safeguards required by the HIPAA Security Rule, covering items such as risk analysis, workforce training, facility and device controls, access controls, audit logging, and encryption.

The agreement should state that the associate will maintain these safeguards for as long as it holds PHI and will report any security incident it becomes aware of, not only confirmed breaches.

Overall, the goal is to make sure every person handling PHI understands their responsibility in protecting personal health information under federal law.

3. Breach Notification and Reporting

If a breach of unsecured PHI, a security incident, or a use or disclosure not permitted by the agreement occurs, the business associate must report it to the covered entity.

The breach notification clause spells out how and when this must happen. The HIPAA Breach Notification Rule sets the outer limit: a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering the breach. Covered entities commonly negotiate a much shorter contractual window (for example, 30 days or fewer) so they can meet their own deadlines for notifying patients, HHS, and, for large breaches, the media.

It should also specify what details to include in the report, such as the type of data exposed and the number of affected individuals.

Quick reporting helps healthcare providers respond, investigate, and notify patients as required by HIPAA’s Breach Notification Rule.

4. Access, Amendment, and Disclosure

Under HIPAA, patients have the right to access their health data, request corrections to it, and receive an accounting of certain disclosures. The BAA must state how the business associate will support these rights, for example by making PHI available or forwarding an individual’s access or amendment request to the covered entity within an agreed time.

It should also define when the business associate may use or disclose PHI to carry out the covered entity’s treatment, payment, or health care operations, and require the associate to make its internal practices, books, and records available to HHS on request. This helps ensure that both parties honor patient rights and stay transparent about how data is managed.

5. Termination and Data Return

When a contract ends, the agreement should explain how PHI will be returned or destroyed. The termination section requires the business associate to delete or securely transfer all remaining data and confirm the process in writing.

If returning or destroying PHI is not feasible (for example, because of retention obligations), the associate must extend the agreement’s protections to that PHI and limit further uses and disclosures to the purposes that make its return or destruction infeasible. This step closes the contract responsibly and prevents lingering risks after the relationship ends.

How to Create a BAA

Here’s how to create a compliant and practical BAA:

  1. Identify the parties. Name the HIPAA-covered entity and the vendor that will handle PHI, including their roles and contact information for notices.
  2. Define the scope. State every permitted use and disclosure of PHI and make clear that everything else is prohibited, including any sale of PHI.
  3. Set safeguards. Require the associate to implement the administrative, physical, and technical safeguards the Security Rule requires for ePHI, such as access controls, encryption, audit logging, and workforce training.
  4. Include subcontractor terms. Require the business associate to sign its own BAA with any subcontractor that will handle PHI, passing down the same restrictions and conditions.
  5. Support patient rights. Describe how the associate will handle requests to access, amend, or receive an accounting of disclosures of PHI.
  6. Add breach procedures. Specify what must be reported (breaches, security incidents, and impermissible uses or disclosures), to whom, within what time frame, and with what details.
  7. Allow oversight. Require the associate to make its practices, books, and records available to HHS, and give the covered entity the right to review the associate’s compliance practices.
  8. Plan for termination. Detail how PHI will be returned or destroyed when the contract ends, what happens if that is infeasible, and give the covered entity the right to terminate if the associate materially breaches the agreement.

What Are the Risks of a Poorly Drafted BAA?

A poorly written business associate agreement can create serious legal and financial problems for both parties. When the terms are vague or incomplete, accountability breaks down, and the consequences can be severe.

Here are some common risks:

  • Civil penalties: HIPAA’s tiered civil penalty schedule runs to a statutory maximum of $50,000 per violation, with an annual cap for violations of the same provision; both figures are adjusted for inflation each year, so current maximums are higher. Willful neglect draws the highest tier.
  • Criminal penalties: Knowingly obtaining or disclosing PHI in violation of HIPAA can lead to prosecution, fines, and imprisonment, with the longest sentences reserved for offenses committed for commercial advantage or malicious harm.
  • Data breaches: Weak or missing security clauses increase the risk of disclosure of protected health information.
  • Loss of trust: Patients and partners may hesitate to work with organizations that fail compliance audits.
  • Shared liability: Both the covered entity and the business associate can be held directly liable for mishandling PHI.

Example: In March 2016, North Memorial Health Care of Minnesota agreed to pay $1.55 million to the HHS Office for Civil Rights after it gave Accretive Health, a vendor, access to patient data without a business associate agreement in place. The settlement also cited the hospital’s failure to conduct an organization-wide risk analysis.

The case showed how a missing contract outlining privacy and security duties can lead directly to a HIPAA enforcement action and heavy penalties, even when the underlying incident (in this case a stolen laptop at the vendor) happened outside the covered entity’s own walls.

How Aline Can Help You Manage BAAs

Do you ever find yourself chasing down BAAs, trying to remember which ones are signed, expired, or missing details? That’s a common pain point for teams managing multiple vendors under HIPAA.

Aline was built to simplify that entire process.


The platform combines AI, automation, and secure contract collaboration to keep every BAA accurate, compliant, and easy to access. You can handle drafting, signing, and renewal tracking in one place with these top-notch tools:

  • AI contract drafting: Create and review BAAs in minutes with built-in legal intelligence.
  • AlineSign: Send, receive, and sign agreements through a secure e-signature process.
  • AI contract repository: Organize, search, and monitor agreements from a centralized, encrypted system.
  • Workflows and collaboration: Route approvals, assign reviewers, and track progress across teams.
  • Enterprise-grade security: Aline’s SOC 2 attestation and encryption of stored files help keep every agreement protected.

If you’re ready to make BAA management faster, safer, and more transparent, start your free trial of Aline today and see the difference for yourself.

FAQs About BAAs

What is a BAA under HIPAA?

A BAA is a legal contract under HIPAA that defines how a vendor or partner may use and protect patient information. It helps formalize the business relationship between a covered entity and a vendor that handles or stores PHI, making sure both sides follow the same privacy and security standards for safeguarding PHI.

Is a BAA needed with every vendor?

No. A BAA is only required when a vendor creates, receives, maintains, or transmits protected health information on the covered entity’s behalf. For example, IT providers, billing firms, cloud hosting providers, and shredding companies that dispose of patient records must sign one. Vendors with no exposure to PHI, such as office cleaners or delivery services, do not need a BAA.

What does BAA stand for?

It stands for Business Associate Agreement, a written contract that defines each party’s responsibilities for PHI under HIPAA. A complete set of signed BAAs is also one of the first things an auditor or OCR investigator asks for, so keeping them current is part of demonstrating compliance.

Do business associates follow the same requirements as covered entities under HIPAA?

Largely, yes. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable under HIPAA, not just under their contracts. They must comply with the Security Rule for ePHI in full, use and disclose PHI only as their BAA and the Privacy Rule allow, report breaches to the covered entity, and sign BAAs with their own subcontractors. Some Privacy Rule duties, such as issuing a notice of privacy practices, remain with the covered entity. Both parties share responsibility for compliance, and failure to meet these obligations can lead to penalties or a failed audit.
