How to Get a Signed BAA (HIPAA Business Associate Agreement)
Definition of BAA
A Business Associate Agreement (BAA) is a legally binding contract that governs how a Business Associate handles, protects, and discloses Protected Health Information (PHI) on behalf of a Covered Entity. It exists to ensure HIPAA Compliance when PHI is created, received, maintained, or transmitted by a third party.
A Covered Entity is typically a health care provider, health plan, or health care clearinghouse. A Business Associate is any vendor or partner that performs services for the Covered Entity and needs access to PHI to do so (for example, cloud hosting, billing, EHR support, analytics, or shredding services). The BAA sets the rules for PHI Safeguarding, breach notification, and permitted uses and disclosures.
Core purpose
- Allocate privacy and security responsibilities for PHI and ePHI.
- Require administrative, physical, and technical safeguards that align with HIPAA Compliance expectations.
- Define incident and breach reporting duties and timelines.
- Flow down obligations to subcontractors that also handle PHI.
When a BAA Is Required
You need a signed BAA before any PHI flows to a vendor that will create, receive, maintain, or transmit PHI on your behalf. Common triggers include hosting ePHI, claims processing, document management, call center support, email or texting services that store messages containing PHI, data backup, and destruction of media containing PHI.
Typical scenarios requiring a BAA
- IT and cloud providers storing or processing ePHI (including backups and logs).
- Revenue cycle, billing, coding, and transcription services.
- EHR/PM vendors, integration platforms, and analytics tools using PHI.
- Mailing, scanning, shredding, or storage vendors handling PHI artifacts.
Situations that may not require a BAA
- Pure “conduit” services with no routine access to PHI (e.g., traditional postal delivery or certain utilities) where PHI is only transmitted incidentally.
- Workforce members under your direct control (employment agreements and policies apply instead).
- Disclosures for treatment between Covered Entities where the recipient is not performing a service on your behalf.
When in doubt, assess whether the vendor’s role involves PHI on your behalf and whether they can actually view or retain PHI; if yes, a BAA is usually appropriate. Remember that an NDA does not replace a BAA.
Obtaining a BAA
Start by mapping the data flows so you know exactly what PHI is involved, who will access it, and for what purpose. Decide whether you will use the vendor’s standard BAA or furnish your own. Ensure your procurement, privacy, security, and legal stakeholders review the draft before any PHI exchange.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Practical steps
- Confirm roles: Are you the Covered Entity, a Business Associate, or a subcontractor BA? The answer drives your obligations.
- Define the minimum necessary PHI and limit scope to what’s actually needed.
- Request documentation of security controls (risk analysis, access controls, encryption, training records) to validate PHI Safeguarding.
- Align the BAA with your HIPAA Compliance program and internal policies.
- Address Accreditation Requirements (e.g., survey readiness) by keeping executed BAAs, inventories of vendors, and review logs readily accessible.
- Negotiate key terms: breach notification timing, subcontractor flow-down, auditing rights, data return or destruction, and cyber insurance.
Signing a BAA
BAAs should be executed by authorized signers with clear identification of legal entities. Verify legal names, addresses, and effective dates, and ensure exhibits or security addenda are included. Keep version control tight so you can prove which language was operative at any given time.
Execution checklist
- Confirm signer authority and the correct legal entity (including any “doing business as” names).
- Capture effective date and duration; clarify survival of obligations after termination.
- Document countersignature and retain a fully executed copy in a controlled repository.
- Schedule periodic reviews and refreshes when services, systems, or regulations change.
Electronic Signatures for BAAs
In the United States, BAAs can be executed using electronic signatures if you follow applicable Electronic Signature Law, such as the ESIGN Act and state UETA frameworks. Your process should capture identity, intent to sign, consent to transact electronically, and an audit trail.
What a compliant e-sign workflow looks like
- Authenticate signers (e.g., verified email, SMS codes, or identity checks).
- Present the full BAA, record explicit consent to e-sign, and capture intent.
- Generate tamper-evident records with timestamps and IP metadata.
- Store the executed BAA securely with retention policies and access controls.
Because BAAs often reference PHI-handling practices, ensure your e-signature platform and storage meet your PHI Safeguarding standards, including encryption in transit and at rest.
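The "tamper-evident records with timestamps and IP metadata" item above is the part of the workflow that most often gets implemented loosely. The following is an added illustration, not code from the original page or from any e-signature vendor: an HMAC-chained audit trail in which every ceremony event (presented, consent, signed, countersigned) is bound to the SHA-256 of the exact BAA bytes shown to the signer and to the previous entry, so that altering, reordering or deleting any entry is detectable, and a separate policy check confirms consent and presentation were recorded before each signature. The document text, signer addresses, IPs, timestamps and the platform audit key are all constructed sample values; the assumption is that the e-signature platform holds the audit key and controls the clock.

```python
import hashlib
import hmac
import json

# Constructed sample inputs (not a real agreement, key, signer or address).
BAA_DOCUMENT = b"Business Associate Agreement v2.1 -- constructed sample text"
AUDIT_KEY = b"hypothetical-esign-platform-audit-key"  # assumption: secret held by the platform

GENESIS = "0" * 64


def document_fingerprint(document: bytes) -> str:
    """SHA-256 of the exact bytes presented to the signer, so each audit
    entry is bound to one specific version of the BAA text."""
    return hashlib.sha256(document).hexdigest()


def _entry_mac(prev_hash: str, body: dict) -> str:
    # Canonical JSON so writer and verifier hash identical bytes; chaining the
    # previous entry's MAC in means any earlier edit or deletion breaks all later links.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_hash.encode() + payload, hashlib.sha256).hexdigest()


def append_event(chain: list, event: str, signer: str, ip: str,
                 timestamp: str, document: bytes) -> dict:
    """Append one ceremony event (presented / consent_to_esign / signed / countersigned)."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "event": event,
        "signer": signer,
        "ip": ip,
        "timestamp": timestamp,  # UTC ISO 8601, taken from the platform clock
        "doc_hash": document_fingerprint(document),
    }
    record = dict(body, entry_hash=_entry_mac(prev_hash, body))
    chain.append(record)
    return record


def verify_chain(chain: list, document: bytes) -> tuple:
    """Return (ok, reason): recompute every link and check each entry refers
    to the supplied document bytes."""
    expected_doc = document_fingerprint(document)
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "entry_hash"}
        if body.get("seq") != i:
            return False, f"entry {i}: sequence gap or reordering"
        if body.get("doc_hash") != expected_doc:
            return False, f"entry {i}: refers to a different document version"
        if not hmac.compare_digest(_entry_mac(prev_hash, body), record["entry_hash"]):
            return False, f"entry {i}: HMAC mismatch (entry altered or chain broken)"
        prev_hash = record["entry_hash"]
    return True, "chain intact"


def consent_precedes_signature(chain: list) -> bool:
    """Policy check: a signer's 'signed'/'countersigned' event must come after
    that signer's 'presented' and 'consent_to_esign' events."""
    seen = {}
    for record in chain:
        signer_events = seen.setdefault(record["signer"], set())
        if record["event"] in ("signed", "countersigned"):
            if not {"presented", "consent_to_esign"} <= signer_events:
                return False
        signer_events.add(record["event"])
    return True


def build_sample_chain() -> list:
    """Constructed ceremony: the vendor signs, the covered entity countersigns."""
    chain = []
    events = [
        ("presented",        "vendor.signer@example.com",   "203.0.113.10", "2024-05-01T14:02:11Z"),
        ("consent_to_esign", "vendor.signer@example.com",   "203.0.113.10", "2024-05-01T14:02:40Z"),
        ("signed",           "vendor.signer@example.com",   "203.0.113.10", "2024-05-01T14:05:03Z"),
        ("presented",        "privacy.officer@example.org", "198.51.100.7", "2024-05-02T09:15:22Z"),
        ("consent_to_esign", "privacy.officer@example.org", "198.51.100.7", "2024-05-02T09:15:50Z"),
        ("countersigned",    "privacy.officer@example.org", "198.51.100.7", "2024-05-02T09:17:31Z"),
    ]
    for event, signer, ip, ts in events:
        append_event(chain, event, signer, ip, ts, BAA_DOCUMENT)
    return chain


if __name__ == "__main__":
    trail = build_sample_chain()
    print(verify_chain(trail, BAA_DOCUMENT), consent_precedes_signature(trail))
    edited = [dict(r) for r in trail]
    edited[2]["timestamp"] = "2024-04-30T23:59:59Z"  # back-dating the signature
    print(verify_chain(edited, BAA_DOCUMENT))
```

Binding each entry to the document hash is what lets you later prove which BAA language was in front of the signer, which is the version-control point made in the signing section; a production platform would additionally timestamp or sign the final chain head with a key the platform operator cannot quietly replace.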
Sample BAA Provisions
Common clauses to include
- Definitions of PHI, ePHI, Covered Entity, Business Associate, breach, and security incident.
- Permitted and required uses/disclosures; “minimum necessary” standard.
- Administrative, physical, and technical safeguards (access control, encryption, device security, workforce training, incident response).
- Risk analysis, ongoing monitoring, and reporting of security incidents and breaches without unreasonable delay and within required timeframes.
- Subcontractor requirements to sign downstream BAAs with equivalent protections.
- Access, amendment, and accounting of disclosures to support individual rights.
- Audit and inspection rights (including cooperation with regulators).
- Data retention limits; secure return or destruction of PHI upon termination.
- Indemnification, insurance expectations, and limitation of liability.
- Change management for new systems, locations, or use cases involving PHI.
- Governing law, dispute resolution, notice addresses, and signatures.
Using BAA Templates
Templates accelerate execution, but you should tailor them to the services and real data flows. A generic form rarely captures all operational realities, especially around access methods, subcontractors, and breach handling.
Template best practices
- Start from a reputable baseline and align terms to your HIPAA Compliance posture.
- Insert service-specific details: systems touched, data types, and PHI Safeguarding controls.
- Map subcontractors and require equivalent protections contractually.
- Define breach reporting channels, timelines, and investigation expectations.
- Run a legal and security review; do not rely solely on copy-paste language.
- Maintain a vendor BAA register to satisfy internal governance and Accreditation Requirements.
Key takeaways
- Determine early whether PHI will be created, received, maintained, or transmitted by a vendor.
- Execute a BAA before any PHI exchange, and right-size safeguards to actual risks.
- Use electronic signatures that comply with Electronic Signature Law and preserve robust audit trails.
- Keep executed BAAs organized, review them periodically, and align them with evolving services.
FAQs
What is a Business Associate Agreement?
A Business Associate Agreement is a contract that sets the privacy, security, and breach-notification obligations for a vendor (the Business Associate) that handles Protected Health Information on behalf of a Covered Entity, ensuring HIPAA Compliance and PHI Safeguarding.
When do I need a signed BAA?
You need a signed BAA before any vendor creates, receives, maintains, or transmits PHI for you—such as cloud hosting of ePHI, billing services, analytics, or media destruction. If the vendor can view or retain PHI on your behalf, a BAA is typically required.
Can electronic signatures be used for BAAs?
Yes. BAAs can be executed with electronic signatures when your process follows Electronic Signature Law (e.g., ESIGN and UETA), capturing identity, consent, intent to sign, and an auditable, tamper-evident record.
How do I obtain a standard BAA template?
Request the vendor’s standard BAA or provide your own template that reflects your HIPAA Compliance program. Customize it to the services, system access, subcontractors, and breach processes, and have legal and security stakeholders review it before execution.