What is a business associate agreement (BAA) under HIPAA?

Keeping data safe is a fundamental priority for everybody who works with data today. In healthcare, even more so. Not only are service providers dealing with patients' highly sensitive personal information, but any violations or non-compliance with applicable laws, such as the Health Insurance Portability and Accountability Act (HIPAA), can cost companies hefty fines.

Today, according to the 2025 IBM Cost of a Data Breach Report, the average cost of a data breach in the U.S. reached $10.22 million. Healthcare remains the most expensive industry. Globally, the average is $4.4 million, which clearly demonstrates the extreme financial risk healthcare providers in the U.S. face. This does not even account for the irreparable cost to a company's reputation.

To ensure that medical practices and all their external vendors understand these risks and follow best practices regarding data security, a contract called a business associate agreement (BAA) is put in place.

Key takeaways

  • Data security in healthcare is essential for protecting patients' sensitive information and avoiding costly penalties due to data breaches.
  • A business associate (BA) is a business that works with a healthcare provider and their protected health information (PHI). The BA is just as liable for the security of the PHI as the healthcare organization.
  • A business associate agreement (BAA) is a contract between a healthcare provider and any business that handles their PHI.
  • A BAA is crucial for maintaining HIPAA security compliance, as it legally mandates vendors to protect PHI. Anyone who works with PHI must sign a BAA, including contractors and subcontractors.
  • To create a BAA, you'll need to review your vendors, gather the correct data, create the BAA, onboard the vendor, and review the BAA as necessary in the future.

What is a business associate agreement?

A business associate agreement, or BAA, is a contract between a HIPAA-covered entity and a business associate that lays out each party's responsibility for handling protected health information (PHI). Per HIPAA, covered entities should only work with business associates who can be trusted to manage protected health information safely, according to the terms agreed upon in the contract.

A BAA is required when a covered entity shares protected health information with third-party vendors that create, receive, maintain, or transmit that data on their behalf. This includes activities such as cloud storage, data processing, billing, analytics, or IT support.

The legal basis for this requirement comes from the HIPAA Privacy and Security Rules, which mandate that any entity handling PHI must ensure its proper use and protection. Without a signed HIPAA business associate agreement, both the covered entity and the vendor risk violating HIPAA compliance requirements.

A business associate agreement typically includes the following details to protect PHI:

  • A description of how the business associate is required and permitted to use PHI
  • The measures in place to ensure the data is only used as specified
  • How the BA would handle and report a data breach, including one caused by the BA's subcontractors
  • How the BA would respond to an official HIPAA investigation

Compliance specialists strongly advise covered entities to get their HIPAA business associate agreement vetted by a professional to ensure the contract covers everything necessary to mitigate a PHI security breach.

Another important note with these contracts is that business associates must sign a BAA with any of their subcontractors who work with sensitive medical information so that all parties are aware of the regulations and abide by them. If the whole ecosystem is not committed and mandated to keep the data secure, the risk of negligence or medical data errors increases.

Why are BAAs important?

Business associate agreements play a pivotal role in ensuring HIPAA compliance by clearly defining the responsibilities of business associates in safeguarding PHI. Without a BAA in place, healthcare organizations expose themselves to significant legal and financial risk.

The agreement legally binds both parties to follow HIPAA rules, which helps reduce the likelihood of data breaches and enforces accountability across third-party service providers. By setting expectations and processes for handling PHI, a BAA enhances transparency and strengthens the overall data protection strategy within the healthcare ecosystem.

Who needs a HIPAA business associate agreement?

The HIPAA business associate agreement is entered into between a covered entity and any business associate that interacts with PHI. A covered entity typically includes healthcare organizations such as hospitals, clinics, insurance providers, and other entities directly responsible for handling patient data.

Business associates are third-party vendors or service providers that process or access PHI on behalf of a covered entity. These may include cloud service providers, IT service companies, billing providers, SaaS platforms, consultants, and legal or accounting firms.

Importantly, subcontractors of business associates must also comply. If a business associate shares PHI with another vendor, that subcontractor must also sign a HIPAA business associate agreement. This creates a chain of responsibility that ensures HIPAA compliance across the entire ecosystem.

In practice, this means that every covered entity—including healthcare organizations—and all third-party vendors handling PHI must clearly define their responsibilities in protecting patient data and maintaining PHI security.

BAA exceptions

In some instances, there are exceptions to HIPAA business associate agreements. Companies that are merely a conduit for electronic PHI (ePHI), like the Postal Service or FedEx, are one of those exceptions. These companies don't have access to the data they're transmitting, nor do they store copies of that data.

Other BAA exceptions include:

  • When a covered entity refers a patient to a specialist and shares the patient's medical records
  • Laboratories that receive patients' medical info
  • A group health plan's disclosure of PHI to a plan sponsor, such as an employer

HIPAA BAA requirements

A compliant HIPAA business associate agreement must include several elements to ensure proper handling of PHI and support HIPAA compliance. Those are:

  • Permitted and required uses of PHI. Clearly define how the business associate can use and disclose patient data.
  • Safeguards for PHI security. Require administrative, physical, and technical safeguards to ensure PHI protection.
  • Breach reporting obligations. Establish timelines and procedures for notifying the covered entity of any data breaches.
  • Subcontractor compliance. Ensure that all third-party vendors and subcontractors also sign a HIPAA business associate agreement.
  • Termination conditions. Outline what happens if the agreement is violated or ends.
  • Access and audit rights. Allow the covered entity to monitor compliance and request audits if necessary.

In this way, both the covered entity and business associate maintain accountability and protect patient data across all systems and processes.

How to create a business associate agreement

Here are a few basic steps you can follow to create a business associate agreement for the organizations or individuals you share protected health information with.

1. Review potential vendors

Healthcare providers need to vet potential vendors to ensure they have the right policies, procedures, and technology in place to safeguard all medical and medical-related data they handle. A technical review of their systems and security controls is a key component of this vetting: for example, whether they have a security officer, what PHI training employees receive, and whether they have an incident response plan.

This is an important step for health plans and other covered entities, as they're putting highly sensitive data in the hands of their chosen vendor. They need to trust that the business associate will securely handle PHI to prevent any security risks or liability backlash.

2. Gather data for the contract

Include basic information, such as the names of all parties, the date, and their role in the business associate agreement.

Typically, a BAA also states what information the agreement will cover, what type of data cannot be modified or copied, the procedure for destroying or returning PHI, and the consequences of any breach of confidential data.

3. Create the business associate agreement

After you've gathered all the info for the BAA, your team can draft the contract. Some companies choose to use business associate agreement templates to fast-track the process. However, this may not be suitable for all BA relationships, as some may be more complex and require additional specifications and rules.

Once the agreement is ready, HHS recommends having the contract reviewed by a lawyer or consulting firm that specializes in healthcare security and understands HIPAA thoroughly.

4. Onboard the vendor

Next, make sure that vendor or contractor training is in place to facilitate onboarding. All stakeholders should know the HIPAA rules, how to manage PHI, and the consequences of non-compliance. Onboarding also includes checking that everyone has appropriate access and that the necessary access controls are set up for business associates to work securely with the data.

Consider using a cross-functional team, including information security, compliance, and legal teams, for instance, to develop and streamline your vendor onboarding process.

5. Reassess vendors regularly

It's important for covered entities to continually reassess the security of their vendors in relation to PHI, reconfirming their HIPAA compliance. For example, a technical review would be a good idea if a business associate has recently merged with another company or changed its infrastructure model from on-premises to cloud.

While reassessing vendors' security annually is highly recommended, renewing the actual BAA each time may not be necessary, as these agreements remain valid indefinitely (if no termination date is stipulated).

Penalties for HIPAA violations by business associates

Violating HIPAA regulations, such as the HIPAA Security Rule, can result in big fines of up to $1 million in some cases. Basically, any instance where a covered entity or business associate doesn't safeguard protected health information is considered a violation.

For example, if a covered entity fails to create a business associate agreement when onboarding a new consultant who handles PHI, the organization risks being fined by the U.S. Department of Health and Human Services (HHS).

In addition to civil penalties, business associates may also face criminal charges in severe cases, especially if the violation involves intentional misuse or the selling of PHI. A damaged reputation, contract terminations, and even loss of business licenses can also occur.

These consequences highlight why signing a business associate agreement and maintaining HIPAA compliance are crucial not just for healthcare organizations but for every business associate that handles PHI.

Additionally, NordLayer can support organizations working toward HIPAA compliance by offering a HIPAA BAA for its services. This can be particularly valuable for healthcare organizations and other covered entities working with third-party vendors that require secure handling of PHI.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.