Business Associate Agreement Requirements Under HIPAA: Who Signs and When
Understanding Business Associate Agreement requirements under HIPAA helps you share Protected Health Information (PHI) responsibly while maintaining HIPAA Compliance. This guide explains who must sign a Business Associate Agreement, when it is required, and how Legal Authority and Contractual Obligations apply across vendors, subcontractors, and PHI disclosures.
Covered Entities Under HIPAA
Covered entities are the organizations primarily responsible for safeguarding PHI. They include health plans, most healthcare providers that transmit health information electronically in standard transactions, and healthcare clearinghouses. If you are a covered entity, you must ensure that any vendor or partner handling PHI on your behalf signs an appropriate Business Associate Agreement before access is granted.
Typical covered entities include hospitals, physician practices, dental offices, pharmacies, and health systems, as well as employer-sponsored health plans. Your obligation is to limit PHI disclosures to the minimum necessary, implement security safeguards, and contractually bind third parties that create, receive, maintain, or transmit PHI for you.
Defining Business Associates
A business associate is any person or organization, outside your workforce, that performs functions or services for a covered entity involving PHI. Common examples include billing companies, claims processors, EHR and cloud service providers, data analytics firms, transcriptionists, shredding vendors, consultants, attorneys, and accreditation bodies that require access to PHI.
Access can be direct or potential. If a vendor could reasonably view or handle PHI in delivering services, they are a business associate. Workforce members (employees) are not business associates, and mere conduits (for example, postal services or standard telecom carriers) generally are not, because they do not routinely access PHI.
Role of Subcontractors
Business associates often rely on subcontractors. If a subcontractor will create, receive, maintain, or transmit PHI on behalf of the business associate, the same rules apply to that subcontractor. The business associate must establish written terms that mirror the BAA—these are the Subcontractor BAA Requirements—and flow down all privacy and security obligations.
In practice, that means each link in the chain must implement safeguards, restrict permitted uses and disclosures, notify of breaches, and support access, amendments, and accounting requests as required. Cloud storage providers, data hosts, and specialized service firms engaged by your primary vendor are typical subcontractors that require BAAs.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Conditions Requiring a BAA
You need a BAA whenever a vendor or partner will create, receive, maintain, or transmit PHI for functions or activities on your behalf, or in providing services to you. Sign the agreement before any PHI disclosures or system access occur, including test data or “read‑only” scenarios. Storing encrypted PHI with a cloud provider still requires a BAA, even if the vendor cannot decrypt the information.
Essential BAA Terms
- Permitted uses and disclosures: precisely define how the business associate may use PHI and prohibit unauthorized sharing.
- Safeguards and compliance: require administrative, physical, and technical controls aligned with HIPAA’s Security Rule.
- Breach and incident notification: mandate prompt notice to the covered entity without unreasonable delay and specify timelines; never exceed HIPAA’s outer limits.
- Subcontractor BAA Requirements: flow down all obligations to any subcontractor handling PHI.
- Access, amendments, and accounting: support individual rights and necessary reporting.
- HHS access and audits: allow regulatory review of relevant records.
- Termination and data disposition: return or securely destroy PHI, or document why destruction is not feasible.
- Documentation retention: keep executed BAAs and related records for at least six years from the last effective date.
These terms convert regulatory duties into enforceable Contractual Obligations, clarifying responsibilities and remedies for both parties.
Authorized Signatories for BAAs
Because a BAA is a binding contract, it must be signed by someone with clear Legal Authority to obligate the organization. For covered entities and business associates, typical authorized signatories include executives (CEO, COO, CFO), the privacy or compliance officer if duly delegated, general counsel, or another officer with documented contracting authority.
Project managers or department leads should not sign unless they have written authority. For small practices or sole proprietors, the owner usually signs. Verify authority through corporate resolutions, policy documents, or a delegation letter to ensure the BAA is enforceable.
Use of Electronic Signatures
Electronic signatures are generally valid for BAAs when they meet applicable federal and state e‑signature laws and reflect the signer’s intent to be bound. HIPAA does not require wet ink. To strengthen enforceability, use an e‑signature platform that verifies identity, records consent, timestamps signatures, and preserves an audit trail.
Maintain version control and store fully executed copies with the certificate of completion. Retain these records for at least six years, and ensure access controls protect the integrity and confidentiality of the signed agreement.
Exceptions to BAA Requirements
Not every disclosure of PHI creates a business associate relationship. Key exceptions include:
- Disclosures between covered entities for treatment purposes (for example, provider‑to‑provider coordination).
- Disclosures required by law or to health oversight agencies, law enforcement, or public health authorities, when permitted under HIPAA.
- Disclosures to the individual who is the subject of the PHI or to a personal representative.
- Mere conduit services (for example, postal services or common carriers) that do not routinely access PHI.
- Employees and other workforce members, who are covered under internal policies rather than a BAA.
If a vendor’s role evolves from incidental contact to routine access or custody of PHI, reassess and execute a BAA before continuing the engagement.
Conclusion
BAA requirements under HIPAA hinge on whether a third party will create, receive, maintain, or transmit PHI for you. Identify covered entities and business associates accurately, flow down obligations to subcontractors, sign before any PHI disclosures, and ensure an authorized representative executes the agreement. Electronic signatures are acceptable when legally valid and properly documented, helping you maintain HIPAA Compliance without sacrificing efficiency.