What Is a HIPAA Business Associate Agreement and Why It Matters
If your business handles or has access to protected health information (PHI) on behalf of a healthcare provider or health plan, federal law requires a Business Associate Agreement (BAA). This legal document ensures that everyone who touches PHI—beyond just the doctor’s office or hospital—is held to HIPAA’s strict privacy and security standards.
What Is a Business Associate?
Under 45 C.F.R. § 160.103, a “business associate” is any person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity (such as a medical provider or health plan). Common business associates include:
- Billing companies
- IT and managed service providers with access to systems that store or process PHI
- Remote medical scribes
- Cloud storage providers
- Consultants or contractors handling patient data
If you work with a healthcare provider and create, receive, maintain, or transmit PHI on its behalf, even indirectly, you are likely a business associate. Two points from HHS guidance are worth noting: a cloud service provider that stores PHI is a business associate even if the data is encrypted and the provider never holds the key, while an entity that merely transmits PHI without routine access to it (a postal or courier service, or a pure network carrier) falls under the "conduit" exception and is not.
What Is a Business Associate Agreement?
A Business Associate Agreement is a written contract that outlines the responsibilities of a business associate when handling PHI. HIPAA requires that covered entities obtain “satisfactory assurances” from business associates that PHI will be used only as permitted, safeguarded, and not further disclosed without proper authorization.
This requirement is outlined in 45 C.F.R. § 164.502(e) and § 164.504(e).
Key Elements Required in a BAA
Per 45 C.F.R. § 164.504(e)(2), a valid BAA must contain specific provisions. These include:
1. Permitted Uses and Disclosures
The BAA must describe how the business associate is allowed to use and disclose PHI.
2. Safeguards
The business associate must implement administrative, physical, and technical safeguards to protect PHI. For electronic PHI this means compliance with the HIPAA Security Rule: 45 C.F.R. § 164.308 (administrative safeguards), § 164.310 (physical safeguards), and § 164.312 (technical safeguards), including a documented risk analysis.
3. Reporting Breaches
The business associate must report to the covered entity any use or disclosure of PHI not permitted by the agreement, any security incident, and any breach of unsecured PHI. Under 45 C.F.R. § 164.410, breach notification to the covered entity is due without unreasonable delay and no later than 60 calendar days after discovery; many BAAs contractually shorten this window, so check the negotiated deadline, not just the regulatory ceiling.
4. Subcontractor Obligations
Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate must be bound by its own BAA containing the same restrictions and conditions (45 C.F.R. § 164.502(e)(1)(ii)). The obligations flow down the entire chain of vendors.
5. Access and Amendment
The business associate must assist the covered entity in responding to patient requests to access or amend their PHI, and must make available the information needed to provide an accounting of disclosures under 45 C.F.R. § 164.528.
6. Return or Destruction of PHI
At termination of the relationship, the business associate must return or securely destroy all PHI, if feasible. Where return or destruction is not feasible (for example, PHI held in immutable backups or required for legal retention), the BAA must extend its protections to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
7. HHS Access
The BAA must require the business associate to make its internal practices, books, and records relating to PHI available to the Secretary of the Department of Health and Human Services (HHS) for the purpose of determining compliance.
Who Needs a BAA?
- Covered entities (healthcare providers, health plans, clearinghouses) must obtain BAAs before sharing PHI.
- Business associates must obtain BAAs with their own subcontractors if they handle PHI.
Not having a valid BAA in place is a direct HIPAA violation—even if no breach occurs.
Penalties for Noncompliance
Under the HIPAA Enforcement Rule, HHS can impose civil monetary penalties in four tiers based on culpability (unknowing, reasonable cause, willful neglect that is corrected, and willful neglect that is not corrected). The statutory base amounts range from $100 to $50,000 per violation with an annual cap of $1.5 million per violation type; these figures are adjusted for inflation each year, so current amounts are higher. Since the 2013 Omnibus Rule, business associates are directly liable for violations of the HIPAA rules that apply to them, not only for breaches of the agreement itself.
Conclusion
Every healthcare provider or vendor working with PHI needs a valid Business Associate Agreement in place. It’s not just a formality—it’s a federal requirement that protects patients and limits your legal exposure.
For more guidance, HHS publishes sample business associate agreement provisions that can be used as a starting point for drafting: Download the HHS Model BAA (PDF)