HIPAA Agreement for Contractors (BAA): Do You Need One? Requirements + Template


Kevin Henry

HIPAA

September 21, 2025

9 minutes read

Definition of Business Associate

A Business Associate is any person or organization that is not part of a Covered Entity’s workforce but creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of that Covered Entity or another Business Associate. The term also includes entities that provide services where access to PHI is required—whether that access is direct, routine, or reasonably foreseeable.

Common Business Associates include billing companies, claims processors, IT service providers with system admin rights, cloud or data center hosts storing ePHI, email and fax services used for PHI, document destruction vendors, transcription services, and consultants performing utilization review, quality improvement, or data analytics using PHI.

If an entity touches PHI as part of a contracted service—even if it never opens the files—HIPAA generally treats it as a Business Associate. In these cases, a Business Associate Agreement is the contract that binds the parties to HIPAA obligations.

Requirement for Business Associate Agreement

A Business Associate Agreement (BAA) is required before a Covered Entity or Business Associate shares PHI with a contractor that will create, receive, maintain, or transmit PHI. The BAA documents permitted uses and disclosures, mandates PHI Safeguards, requires Unauthorized Disclosure Reporting, and flows down compliance duties to any downstream subcontractors.

BAAs are needed when services involve handling PHI for operations, payment, or support functions (for example, claims management, data hosting, help desk with database access, or records storage). The agreement should be executed before work begins and before any PHI is exchanged, and it should remain in effect for as long as the contractor retains PHI, including during termination and data return or destruction.

Covered Entities must ensure a signed BAA exists with each Business Associate. Business Associates must likewise execute BAAs with their subcontractors that handle PHI, creating a chain of accountability.

Exemptions from BAA Requirement

Some relationships do not require a BAA:

  • Conduits that merely transmit PHI and store it, at most, transiently as an incident of transmission (for example, the postal service, couriers, and telecom carriers or ISPs acting purely as transmission services). HHS reads this exception narrowly: a provider that stores ePHI for a customer is not a conduit, even if it never views the data and even if the data is encrypted and the provider does not hold the key.
  • Vendors that never create, receive, maintain, or transmit PHI and whose services do not involve PHI (for example, office supply vendors or facilities maintenance).
  • Workforce members of the Covered Entity (employees, volunteers, trainees) are covered by internal policies, not BAAs. Note that HIPAA's definition of workforce also includes other persons whose conduct, in performing work for the entity, is under its direct control, whether or not they are paid by it; a contractor who works on-site under that kind of direct control may be treated as workforce rather than as a Business Associate, and should then be trained and bound like an employee.
  • Disclosures for treatment between providers do not require a BAA, nor do disclosures to individuals about their own PHI.
  • Use of de-identified data: when PHI is properly de-identified under the Privacy Rule (safe harbor or expert determination), it is no longer PHI and the recipient is not a Business Associate. For limited data sets, a Data Use Agreement applies instead of a BAA.

If incidental exposure to PHI could happen but is not necessary for the task and not reasonably foreseeable, a BAA is typically not required. However, you should minimize exposure through facility, privacy, and confidentiality controls.

Subcontractors of Business Associates

Business Associates must ensure Subcontractor Compliance. Any subcontractor that creates, receives, maintains, or transmits PHI on a Business Associate’s behalf is itself a Business Associate and must sign a BAA with the contracting BA. Obligations must be at least as stringent as those in the upstream agreement, including PHI Safeguards, minimum necessary use, breach and security incident reporting, and termination provisions.

Practically, you should inventory all downstream vendors, document whether each one touches PHI, execute BAAs where required, and verify security controls. The resulting chain of trust, from Covered Entity through each tier of subcontractor, must be demonstrable to auditors and regulators.


Essential Components of a BAA

While BAAs can vary, an effective agreement addresses the following:

  • Definitions and scope: Clarify PHI, ePHI, Covered Entity, Business Associate, breach, and security incident.
  • Permitted and required uses/disclosures: Describe what the Business Associate may and may not do with PHI; reinforce the minimum necessary standard.
  • PHI Safeguards: Require administrative, physical, and technical safeguards; risk analysis and risk management; access controls; encryption at rest and in transit; audit logging; and workforce training.
  • Unauthorized Disclosure Reporting: Obligate prompt reporting of breaches and security incidents to the Covered Entity without unreasonable delay and within a defined timeframe; require cooperation on investigation and notifications.
  • Individual rights support: Provide for access, amendment, and accounting of disclosures when requested by the Covered Entity.
  • Subcontractor Compliance: Flow down all relevant obligations to subcontractors that handle PHI.
  • Compliance and oversight: Allow reasonable auditing or documentation review; require continued compliance with the HIPAA Privacy, Security, and Breach Notification Rules; and, where the Business Associate carries out a Covered Entity obligation under the Privacy Rule, require it to comply with the requirements that would apply to the Covered Entity.
  • Data retention, return, and destruction: On termination, require return or destruction of PHI, including backups, unless infeasible; impose ongoing protections if retention is necessary.
  • Incident and breach management: Define processes for mitigation, documentation, and cooperation with regulators.
  • Term, termination, and cure: Permit termination for material breach and outline cure periods.
  • Allocation of risk: Indemnification, insurance, and limits of liability (contractual choices, not HIPAA mandates).
  • Recordkeeping: Maintain documentation for required periods to demonstrate compliance.

Sample BAA Template

BUSINESS ASSOCIATE AGREEMENT
Effective Date: [Month Day, Year]

Between:
Covered Entity: [Full Legal Name], ("Covered Entity")
and
Business Associate: [Full Legal Name], ("Business Associate")

1. Purpose and Scope
This Agreement governs Business Associate’s creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") on behalf of Covered Entity.

2. Permitted Uses and Disclosures
Business Associate may use and disclose PHI solely to perform the Services described in [Master Services Agreement/Statement of Work] and as required by law, subject to the minimum necessary standard. No other use or disclosure is permitted.

3. Safeguards
Business Associate will implement administrative, physical, and technical PHI Safeguards, conduct risk assessments, maintain access controls, encryption, audit logging, workforce training, and vendor oversight.

4. Reporting
Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any security incident, and any breach of unsecured PHI, without unreasonable delay and no later than [X] days after discovery, and will cooperate in investigation, mitigation, and any required notifications.

5. Subcontractors
Business Associate will ensure Subcontractor Compliance by executing written agreements imposing the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

6. Individual Rights and Access
Upon request from Covered Entity, Business Associate will support access, amendment, and accounting of disclosures within the timeframes required by HIPAA.

7. Books and Records
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity and to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with HIPAA.

8. Termination; Return/Destruction
Upon termination, Business Associate will return or destroy all PHI received from, or created or received on behalf of, Covered Entity, including copies held in backups, and will retain no copies. If return or destruction is infeasible, Business Associate will extend the protections of this Agreement to the retained PHI for as long as it is retained and limit further uses and disclosures to those purposes that make return or destruction infeasible.

9. Compliance
Business Associate will comply with applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

10. Miscellaneous
Include: indemnification, insurance, dispute resolution, governing law, notices, and counterparts.

Authorized Signatures:
[Covered Entity Signatory, Title, Date]
[Business Associate Signatory, Title, Date]

How to use this template

  • Customize scope and services to reflect actual PHI flows and system access.
  • Fill in timeframes for Unauthorized Disclosure Reporting and cooperation steps. The Breach Notification Rule sets an outer limit of 60 calendar days from discovery for a Business Associate to notify the Covered Entity of a breach of unsecured PHI; because the Covered Entity's own notification clock runs from the date it discovers the breach (and a breach is treated as discovered by the Covered Entity when its Business Associate acting as its agent discovers it), most Covered Entities contract for a much shorter window, such as a few business days.
  • Align security requirements with your risk analysis and specific technical controls.
  • Flow down terms to subcontractors that will handle PHI.

Penalties for Non-Compliance

HIPAA Civil Penalties can be significant, with tiered fines assessed per violation and annual caps per identical violation type. The Office for Civil Rights can also impose corrective action plans and monitoring. State attorneys general may bring actions, and contractual remedies (for example, indemnity or termination) can apply under the BAA.

Criminal penalties may apply for knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA, with enhanced penalties where the offense is committed under false pretenses, and the most severe tier where it is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. In addition to fines and potential imprisonment, organizations face reputational harm, remediation costs, and mandated reporting to affected individuals and regulators.

Applicability to Contractors

To determine whether a contractor needs a HIPAA Agreement for Contractors (BAA), ask these questions:

  • Will the contractor create, receive, maintain, or transmit PHI on your behalf?
  • Is PHI access required for the service, or reasonably foreseeable (for example, admin-level system access)?
  • Will PHI be stored on the contractor's infrastructure or devices? This includes encrypted storage, and it includes cases where the contractor does not hold the decryption key; HHS treats a cloud provider that persistently stores ePHI as a Business Associate regardless of whether it can read the data.
  • Will the contractor engage subcontractors that could handle PHI?

Examples that typically require a BAA

  • Managed service providers and IT consultants with server, database, or EHR admin rights.
  • Cloud hosting, backup, email, e-fax, or file-sharing services used for PHI storage or transmission.
  • Billing, collections, claims clearinghouses, coding, and utilization review vendors.
  • Shredding and records storage companies handling paper or electronic PHI.
  • Contact centers, transcription, and analytics firms processing PHI.

Examples that are commonly exempt

  • Janitorial, building maintenance, pest control, and office supply vendors with no need to access PHI.
  • Telecom carriers or couriers that only transmit information as conduits without storage beyond transient passage.
  • Situations where only de-identified data is shared, or disclosures for treatment between providers.

Do not rely on non-disclosure agreements alone; an NDA does not substitute for a Business Associate Agreement. Document your analysis, execute BAAs before PHI exchange, and review them when services or systems change.

Conclusion

If a contractor handles PHI for you—or could reasonably access it—you likely need a Business Associate Agreement that defines permitted uses, mandates PHI Safeguards, requires Unauthorized Disclosure Reporting, and ensures Subcontractor Compliance. Use the template to accelerate contracting, but tailor terms to your risk profile and services.

FAQs

What is a Business Associate Agreement?

A Business Associate Agreement is a contract that requires a contractor (the Business Associate) to protect Protected Health Information, limit its use and disclosure, report incidents, support individual rights, and flow down protections to subcontractors when working for a Covered Entity or another Business Associate.

When is a BAA required for contractors?

A BAA is required when a contractor will create, receive, maintain, or transmit PHI on your behalf, or when access to PHI is necessary or reasonably foreseeable to perform the contracted services. It must be signed before any PHI is shared.

What are the main components of a HIPAA BAA?

Core components include permitted uses/disclosures, PHI Safeguards, Unauthorized Disclosure Reporting, support for access/amendment/accounting, Subcontractor Compliance, audit and documentation provisions, data return or destruction at termination, and terms for breach handling, cure, and termination.

What are the penalties for non-compliance with HIPAA?

Non-compliance can trigger HIPAA Civil Penalties calculated per violation with tiered levels and annual caps, corrective action plans, and state enforcement. Serious violations can also lead to criminal penalties, plus contractual damages, remediation costs, and reputational harm.
