Who Must Sign a Business Associate Agreement Under HIPAA? Requirements and Examples

Kevin Henry

HIPAA

August 10, 2024

7 minutes read

Covered Entities Defined

Under HIPAA, the covered entity is the starting point for deciding who must sign a Business Associate Agreement (BAA). If you are a covered entity, you remain responsible for HIPAA compliance whenever you share Protected Health Information (PHI) with outside parties; the BAA is the instrument that extends your obligations to the vendor that receives the data.

What counts as a covered entity?

  • Health care providers that transmit health information electronically in standard transactions (for example, electronic claims or eligibility checks).
  • Health plans, including employer group health plans, insurers, and HMOs.
  • Health care clearinghouses that translate or standardize health information between entities.

What is PHI?

Protected Health Information is any individually identifiable health information related to a person’s health, care, or payment for care that is created, received, maintained, or transmitted by a covered entity or its business associate. Any PHI disclosure by a covered entity to an outside party triggers the BAA analysis.

Business Associates Explained

A business associate is any person or organization—other than your workforce—that performs functions or provides services for you that involve creating, receiving, maintaining, or transmitting PHI. A covered entity can also act as a business associate to another covered entity if it performs such services on the other’s behalf.

Common business associate roles

  • Billing, coding, revenue cycle, and claims administration services.
  • IT vendors that store, host, or process PHI (e.g., cloud backup, data centers, email archiving), even if the data is encrypted and the vendor never holds the decryption key. Under HHS guidance, storing encrypted PHI is still "maintaining" it.
  • Analytics, quality improvement, and population health services using PHI.
  • Document management, scanning, shredding, and transcription vendors.
  • Legal, audit, consulting, and collection agencies requiring access to PHI.
  • Health information exchanges and e-prescribing gateways with routine PHI access.

If an outside party needs more than incidental access to PHI to do its job, it is likely a business associate and must sign a Business Associate Agreement before work begins.

BAA Requirement and Scope

A Business Associate Agreement is mandatory whenever a business associate will create, receive, maintain, or transmit PHI for or on behalf of your organization. The BAA must be executed before any PHI disclosure occurs.

Core elements your BAA should address

  • Permitted and required uses and disclosures of PHI by the business associate, aligned with the “minimum necessary” standard.
  • Safeguards: administrative, physical, and technical protections consistent with the HIPAA Security Rule.
  • Security incident and breach reporting: the timelines for notifying you of incidents and of breaches of unsecured PHI (HIPAA caps breach notice at 60 days from discovery; many BAAs require far less), plus duties to cooperate with your investigation and notifications.
  • Flow-down obligations: the business associate must obtain a Subcontractor BAA from any downstream vendor that handles PHI.
  • Individual rights support: making PHI available for access, amendment, and accounting of disclosures when requested by you.
  • Return or destruction of PHI at contract termination, where feasible.
  • Availability of the business associate's internal practices, books, and records relating to PHI to the Secretary of HHS for compliance purposes.
  • Restrictions on uses such as marketing or sale of PHI unless expressly permitted by law and authorization.

Think of the BAA as your PHI risk contract: it sets the boundaries for use and disclosure, embeds safeguards, and documents responsibilities that enable HIPAA Compliance across your vendor ecosystem.

Exceptions to BAA Necessity

Not every relationship involving health information requires a BAA. You do not need a Business Associate Agreement when the party is not acting “on behalf of” your organization with respect to PHI or has only incidental contact.

Key exceptions

  • Conduits: entities that merely transmit PHI (or physically transport it) and have no access, or only random and infrequent access, in the course of delivery (e.g., postal services, couriers, standard telecom carriers, and ISPs). The exception is narrow: a vendor that stores PHI, even temporarily for later retrieval, is not a conduit.
  • Treatment disclosures between covered entities: a provider may share PHI with another provider for treatment without a BAA.
  • Disclosures to individuals: providing PHI directly to the patient does not require a BAA.
  • Public health, oversight, or law enforcement disclosures permitted by HIPAA: these are not “on behalf of” the covered entity.
  • De-identified data: if information is properly de-identified under HIPAA, it is no longer PHI and a BAA is not required.
  • Limited data sets shared under a data use agreement, where the recipient is not acting for or on behalf of the covered entity.
  • Vendors with no PHI access: equipment suppliers or maintenance vendors who do not create, receive, maintain, or transmit PHI.

When in doubt, map the data flow. If the service requires more than incidental access to PHI or the vendor will store PHI, a BAA is usually required.


Subcontractor Obligations

Business associates must ensure that any subcontractor that creates, receives, maintains, or transmits PHI on their behalf also signs a Subcontractor BAA and complies with HIPAA. Subcontractors are directly liable for Security Rule compliance and certain Privacy Rule provisions.

What to include in a Subcontractor BAA

  • Equivalent restrictions and conditions on PHI as in the upstream BAA.
  • Security controls appropriate to the services (encryption, access controls, audit logging, secure disposal).
  • Prompt security incident and breach notification to the upstream party.
  • Right to assess or obtain assurance of controls (e.g., audit reports or assessments).
  • Clear data return/destruction terms and continuity plans at termination.

As a covered entity, you should require your business associate to know and manage its vendor chain and to attest that all necessary Subcontractor BAAs are in place before any PHI flows downstream.

Enforcement and Penalties

Both covered entities and business associates (including subcontractors) face enforcement if they mishandle PHI or fail to have required agreements. Regulators can impose civil penalties that scale with the level of culpability, mandate corrective action plans, and publicize settlements. In egregious cases, criminal penalties may apply for knowingly obtaining or disclosing individually identifiable health information in violation of the law. Common enforcement triggers include:

  • Failure to execute a required Business Associate Agreement before PHI disclosure.
  • Permitting a vendor to maintain PHI without adequate safeguards.
  • Insufficient oversight of subcontractors handling PHI.
  • Delayed or incomplete breach notifications.

Maintaining current BAAs, enforcing security requirements, and documenting oversight are essential to reduce risk and potential civil penalties.

Practical Examples of BAA Use

BAA required

  • Cloud backup or data hosting for your EHR where PHI is stored or maintained.
  • Billing company, coding contractor, or revenue cycle vendor handling claim data.
  • Analytics or quality improvement firm using PHI to produce reports for your operations.
  • Law firm representing you that needs access to patient records to provide legal services.
  • Document scanning, transcription, or secure shredding vendor processing records with PHI.
  • Messaging or appointment reminder service that stores or routinely accesses PHI.

No BAA needed

  • Standard postal or courier services transporting sealed records as a conduit without routine access.
  • Pure equipment vendors (e.g., delivering gloves or devices) with no PHI access.
  • Provider-to-provider PHI sharing strictly for treatment purposes.
  • Sharing de-identified data that meets HIPAA de-identification standards.

Quick decision guide

  • Will the vendor create, receive, maintain, or transmit PHI for you? If yes, a Business Associate Agreement is required.
  • Is PHI access only incidental or as a mere conduit? If yes, a BAA is generally not required.
  • Is the vendor using a subcontractor with PHI access? Ensure a Subcontractor BAA is in place.

Conclusion

To decide who must sign a Business Associate Agreement under HIPAA, identify whether the service involves PHI and whether it is performed on your behalf. When PHI is created, received, maintained, or transmitted for your operations, a BAA (and, one tier down, a Subcontractor BAA) anchors HIPAA compliance, reduces breach risk, and helps avoid civil penalties.

FAQs

Who qualifies as a covered entity under HIPAA?

A covered entity is a health care provider that conducts standard electronic transactions, a health plan (including employer group health plans and insurers), or a health care clearinghouse. These organizations are directly regulated by HIPAA and are accountable for protecting PHI.

When is a BAA mandatory between parties?

A BAA is mandatory when a person or organization will create, receive, maintain, or transmit PHI for or on behalf of a covered entity (or another business associate). The agreement should be executed before any PHI disclosure and must define permitted uses, safeguards, breach reporting, and flow-down obligations.

What are the consequences of not having a required BAA?

Failing to have a required BAA can lead to investigations, corrective action plans, and civil penalties. It also increases the likelihood of unmanaged risks, security incidents, and noncompliance findings tied to improper PHI disclosure or inadequate safeguards.

How are subcontractors regulated under HIPAA BAAs?

Subcontractors that handle PHI for a business associate are themselves business associates. They must sign a Subcontractor BAA with equivalent restrictions and are directly responsible for HIPAA Security Rule compliance and certain Privacy Rule duties, including safeguarding PHI and reporting incidents.
