Are Business Associate Agreements Legally Required Under HIPAA?
Yes. A Business Associate Agreement (BAA) is legally required under the HIPAA Privacy Rule whenever a covered entity—or another business associate—shares Protected Health Information (PHI) with a vendor or subcontractor that will create, receive, maintain, or transmit that PHI on its behalf. The BAA contractually binds the vendor to HIPAA’s standards, including the HIPAA Security Rule for electronic PHI, and sets accountability for preventing unauthorized disclosure.
Definition of Business Associate
A business associate is any person or organization, other than a workforce member, that performs functions or provides services for a covered entity involving PHI. Common examples include billing companies, claims and practice management vendors, cloud hosting and data storage providers, EHR and analytics providers, transcription services, legal and actuarial firms, and shredding or disposal vendors.
Subcontractors of a business associate are also business associates when they handle PHI. By contrast, covered entities are health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Workforce members (employees, trainees, volunteers) are not business associates.
HIPAA Requirements for BAAs
You must execute a written Business Associate Agreement before any PHI flows to the vendor. A compliant BAA typically includes the following commitments and controls:
- Define permitted and required uses and disclosures of PHI, applying the minimum necessary standard.
- Require implementation of administrative, physical, and technical PHI safeguards consistent with the HIPAA Security Rule for ePHI.
- Mandate reporting of security incidents and any breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery, with sufficient details to support notification and mitigation.
- Flow down obligations to subcontractors by requiring them to sign BAAs and follow the same restrictions and PHI safeguards.
- Enable the covered entity (and individuals, via the entity) to access, obtain copies of, and amend PHI in designated record sets within required time frames.
- Require an accounting of certain disclosures and the maintenance of documentation needed to demonstrate compliance.
- Provide that books and records relating to PHI practices will be available to regulators for compliance review.
- Address return or destruction of PHI at contract termination, or continued protections if destruction is infeasible.
- Prohibit selling PHI or using it for marketing or other purposes that require individual authorization, unless such authorization is obtained and documented.
- Grant the covered entity the right to terminate the agreement for material breach.
Permitted Uses and Disclosures of PHI
A business associate may use or disclose PHI only as expressly permitted by the BAA or as required by law. Typical allowances include:
- Using PHI to perform contracted services for the covered entity.
- Disclosing PHI for the associate’s proper management and administration when required by law or when recipients give reasonable assurances of confidentiality and breach reporting.
- Providing data aggregation services to the covered entity and creating de-identified information, which is not PHI.
- Meeting legal obligations (for example, responding to valid subpoenas or court orders consistent with HIPAA).
Any other use or disclosure is prohibited and may constitute an unauthorized disclosure. The minimum necessary standard applies to most uses and disclosures, limiting PHI to what is reasonably needed for the purpose.
Safeguards and Reporting Obligations
Business associates must implement PHI safeguards that are reasonable and appropriate to their risks and operations. Effective programs typically include:
- Administrative safeguards: risk analysis and risk management, written policies and procedures, workforce training and sanctions, vendor oversight, and contingency planning.
- Physical safeguards: secure facilities, device and media controls, workstation security, and protected disposal of PHI.
- Technical safeguards: access controls with unique IDs and MFA, encryption in transit and at rest, audit logging and monitoring, patching, and network segmentation.
Upon discovering a breach of unsecured PHI, a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, supplying details such as the nature of the incident, types of PHI involved, the number of individuals affected, steps taken to mitigate harm, and corrective actions. Security incidents that do not rise to a breach should still be tracked and reported as the BAA requires. Documentation should be retained for at least six years.
Exceptions to BAA Requirements
You do not need a BAA in the following common scenarios because the recipient is not acting on your behalf or is not a business associate:
- Disclosures to another covered entity for treatment, or certain health care operations when conditions are met.
- Disclosures to individuals (or their personal representatives) regarding their own PHI.
- True “mere conduit” services—such as postal mail, certain couriers, or telecommunications carriers—that transmit information without routine access to PHI. (Cloud storage providers that maintain ePHI are typically business associates, not conduits.)
- Disclosures required by law or to public health and oversight authorities, where the recipient is acting under its own legal mandate.
- Research recipients who are not performing functions for the covered entity; these disclosures follow HIPAA research rules (e.g., authorization, waiver, or a data use agreement for a limited data set) rather than a BAA.
- Workforce members of the covered entity, since they are not separate business associates.
Compliance with Privacy and Security Rules
Business associates are directly liable for complying with applicable parts of the HIPAA Privacy Rule and the HIPAA Security Rule. This includes implementing ePHI safeguards, honoring the minimum necessary standard, providing breach notifications, enabling access and amendment, and ensuring subcontractor compliance. Noncompliance can lead to significant civil penalties and corrective action plans, in addition to contractual remedies under the Business Associate Agreement.
Bottom line: If a vendor or subcontractor will handle PHI for you or on your behalf, execute a BAA before sharing any PHI, limit uses to what is necessary, and verify that effective PHI safeguards are in place to prevent unauthorized disclosure.
FAQs
When is a Business Associate Agreement required under HIPAA?
A BAA is required whenever a covered entity—or a business associate—engages a vendor or subcontractor to create, receive, maintain, or transmit PHI on its behalf. Execute the BAA before any PHI is shared. You do not need a BAA for workforce members, true conduits, disclosures to individuals, or certain disclosures to other covered entities for treatment or qualifying operations.
What are the key provisions of a BAA?
Core provisions set permitted uses/disclosures; require PHI safeguards aligned to the HIPAA Security Rule; mandate prompt incident and breach reporting (no later than 60 days after discovery); flow down obligations to subcontractors; support access, amendment, and accounting; allow regulatory review; control PHI at termination (return or destroy); prohibit marketing/sale without authorization; and allow termination for material breach.
Are there exceptions to the BAA requirement?
Yes. No BAA is needed for disclosures to another covered entity for treatment, for certain operations when conditions are met, to the individual or personal representative, to true conduits that merely transmit information without routine access, to public health or oversight authorities acting under their own authority, or to researchers not acting on your behalf (where research rules apply).
How must PHI be safeguarded under HIPAA?
You must implement reasonable and appropriate administrative, physical, and technical safeguards tailored to your risks, including risk analysis, policies and training, access controls with MFA, encryption in transit and at rest, logging and monitoring, contingency planning, secure disposal, and vendor oversight. These PHI safeguards reduce breach likelihood and support compliance with the HIPAA Privacy Rule and HIPAA Security Rule.