What Is a BAA Under HIPAA? Business Associate Agreement Definition and Requirements
A Business Associate Agreement (BAA) is the contract that makes HIPAA Compliance operational between a covered entity and a vendor that handles Protected Health Information (PHI). It defines what a business associate may do with PHI, how it must safeguard it, and what happens if something goes wrong.
If you create, receive, maintain, or transmit PHI on behalf of a Covered Entity—or you hire subcontractors who do—you need a BAA that clearly allocates responsibilities, limits risk, and enables compliant operations.
Definition of Business Associate Agreements
A BAA is a legally binding contract between a Covered Entity (such as a health plan, provider, or clearinghouse) and a Business Associate (any vendor or partner performing services that involve PHI). It sets the permissible uses and disclosures of PHI and requires PHI safeguards aligned with HIPAA rules.
Typical business associates include EHR vendors, billing services, cloud hosts, data analytics firms, eFax providers, and consultants who access PHI. The BAA ensures these parties handle PHI responsibly and support the covered entity’s HIPAA Compliance obligations.
HIPAA Requirements for BAAs
HIPAA specifies core clauses a BAA must include. Strong agreements go beyond the minimum, but at a baseline your BAA should require the business associate to:
- Use and disclose PHI only as permitted by the BAA or as required by law, and apply the minimum necessary standard.
- Implement administrative, physical, and technical PHI Safeguards and comply with the Security Rule for electronic PHI.
- Report to the covered entity any breaches, security incidents, or unauthorized disclosures, following defined Incident Reporting timelines.
- Ensure any subcontractor that handles PHI signs a Subcontractor Agreement with the same restrictions and safeguards.
- Provide access to PHI to support individual rights (access, amendment, and accounting of disclosures) when requested by the covered entity.
- Make internal practices and records related to PHI available to the Secretary of Health and Human Services upon request.
- Return or securely destroy PHI at termination if feasible, or extend protections if destruction is infeasible.
- Authorize termination of the BAA by the covered entity if the business associate materially breaches the agreement.
Permitted Uses and Disclosures of PHI
A business associate may use or disclose PHI only for the purposes stated in the BAA and consistent with HIPAA. Common permitted uses include performing contracted services for the covered entity’s treatment, payment, and health care operations.
Additional permitted purposes often include: (1) data aggregation to support the covered entity’s operations, (2) de-identification of PHI, and (3) the business associate’s own proper management and administration, with disclosures for that purpose allowed only when required by law or when the recipient gives reasonable assurances that it will safeguard the information.
BAAs should explicitly prohibit selling PHI, marketing uses that need authorization, or any use beyond the minimum necessary. Clear, purpose-limited language reduces ambiguity and lowers compliance risk.
Safeguarding Protected Health Information
Effective PHI Safeguards combine policy, people, and technology. Your BAA should require a risk analysis and documented controls aligned to HIPAA’s administrative, physical, and technical standards.
Administrative safeguards
- Risk assessment, risk management, and vendor oversight.
- Written policies, workforce training, and sanctions for violations.
- Contingency planning, backup and recovery, and incident response.
Physical safeguards
- Facility access controls, secure workstations, and media handling.
- Device management and secure disposal of hardware and paper records.
Technical safeguards
- Unique user IDs, role-based access, and multi-factor authentication.
- Encryption in transit and at rest (addressable but strongly recommended).
- Audit logging, monitoring, and timely patching to reduce vulnerabilities.
Requiring documented evidence of safeguards—such as policies, logs, and test results—helps you verify that controls exist and work as intended.
Reporting Breaches and Unauthorized Disclosures
Incident Reporting obligations must be clear and prompt. The business associate should notify the covered entity without unreasonable delay—and no later than 60 days after discovery—of a breach of unsecured PHI.
Define what constitutes a reportable “security incident,” unauthorized access, or improper disclosure, and specify how to report (channels, contacts) and what to include. Helpful details include incident date, discovery date, systems affected, types of PHI involved, number of individuals impacted, mitigation steps taken, and corrective actions to prevent recurrence.
BAAs often set shorter contractual deadlines (for example, initial notice within a few days) while preserving the HIPAA outer limit. Clear timelines enable timely patient notifications and regulatory reporting when required.
Subcontractor Obligations under BAAs
Business associates frequently rely on downstream vendors. Your BAA must require a written Subcontractor Agreement whenever a subcontractor will create, receive, maintain, or transmit PHI on the business associate’s behalf.
These “flow-down” contracts must impose the same privacy and security restrictions, PHI Safeguards, Incident Reporting duties, and termination rights. Due diligence—such as security questionnaires, audits, and right-to-inspect provisions—helps ensure subcontractors actually meet these obligations.
The business associate remains accountable for subcontractors. Strong oversight, least-privilege access, and documented approvals reduce risk across the extended supply chain.
Termination Clauses in BAAs
Termination terms protect both parties when obligations are not met. The covered entity should be able to terminate for cause if the business associate fails to cure a material breach within a defined period.
On termination, the business associate must return or destroy PHI if feasible. If destruction is infeasible—such as where retention is required by law—the BAA should limit further uses and disclosures and maintain safeguards until the PHI is securely destroyed.
Consider adding transition assistance, data return formats, and verification of destruction to minimize operational disruption while preserving HIPAA Compliance.
Conclusion
A well-drafted BAA turns legal requirements into day-to-day practices. By defining permitted uses, mandating robust safeguards, clarifying Incident Reporting, flowing obligations to subcontractors, and planning for termination, you create a clear, auditable framework that protects PHI and supports compliant, resilient operations.
FAQs
What is the purpose of a BAA under HIPAA?
The purpose is to ensure any Business Associate that handles PHI for a Covered Entity uses it only for defined purposes, safeguards it appropriately, reports incidents promptly, and helps the covered entity meet HIPAA obligations. The BAA makes these expectations enforceable.
Who is considered a business associate?
A business associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. Examples include IT and cloud providers, billing companies, consultants, eFax and messaging services, data analytics firms, and shredding or scanning vendors.
What are the key provisions required in a BAA?
Key provisions include permitted uses/disclosures, PHI Safeguards, Incident Reporting, subcontractor “flow-down” terms, support for individual rights, HHS access to records, return or destruction of PHI at termination, and the right to terminate for material breach.
How does a BAA protect PHI?
A BAA protects PHI by limiting how it may be used and shared, requiring administrative, physical, and technical safeguards, mandating rapid reporting and mitigation of incidents, and extending the same protections to subcontractors—creating a consistent security and privacy standard across all handlers of PHI.