Who Needs a Business Associate Agreement (BAA) Under HIPAA?
Covered Entities Under HIPAA
Covered entities are the organizations directly regulated by HIPAA: health plans, health care clearinghouses, and health care providers who transmit health information in connection with standard Covered Transactions (for example, electronic claims, eligibility checks, or remittance advice). If you are in one of these categories, you handle Protected Health Information (PHI) under the HIPAA Privacy Rule.
Being a covered entity means you may disclose PHI to outside vendors only when a Business Associate Agreement (BAA) is in place, unless an exception applies. This includes modern workflows that move PHI through Electronic Health Records, patient portals, and billing systems.
Examples
- Hospitals, clinics, and physician practices that submit electronic claims or check benefits.
- Telehealth providers that process scheduling, referrals, or e-prescribing electronically.
- Insurers, employer group health plans, and government programs paying for care.
- Clearinghouses that translate nonstandard data into standard transactions.
Definition of Business Associates
A business associate is any person or entity—outside your workforce—that creates, receives, maintains, or transmits PHI to perform services or functions for a covered entity. Typical services include claims processing, data analysis, quality management, legal, accounting, accreditation, health IT hosting, and more.
Common business associates include Electronic Health Records vendors, cloud storage providers maintaining ePHI, billing companies, call centers, analytics firms, and law firms that review PHI. A health care provider acting in its own capacity to treat patients is a covered entity, not a business associate; however, that same provider can be a business associate when performing non-treatment services for another covered entity.
Required Functions Involving PHI
You need a BAA when a vendor will create, receive, maintain, or transmit PHI to support your operations. This covers hosting backups of ePHI, managing Electronic Health Records or patient portals, printing and mailing statements containing PHI, claims and payment support, utilization review, and data conversion performed for Covered Transactions.
- Operations support: billing, collections, claims edits, risk adjustment, and reporting with PHI.
- Technology services: cloud hosting, data warehousing, disaster recovery, and software support that accesses ePHI.
- Professional services: legal, actuarial, or consulting work that includes PHI review.
De-identified information is not PHI, so a BAA is not required when data are properly de-identified. If a use requires patient permission beyond routine operations, a Disclosure Authorization from the individual may be needed in addition to, or instead of, a BAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Roles of Subcontractors
Subcontractors engaged by a business associate who create, receive, maintain, or transmit PHI are themselves business associates. They must meet the same HIPAA Privacy Rule and Security Rule standards as the primary vendor.
The business associate must execute a Subcontractor Agreement that mirrors the BAA’s protections, flowing down all relevant obligations. Effective vendor governance includes documented risk assessments, security questionnaires, right-to-audit clauses, breach reporting expectations, and ongoing Compliance Monitoring.
Timing for Executing a BAA
Execute the BAA before any PHI is disclosed, accessed, migrated, or otherwise handled by the vendor—including pilots, sandboxes, data mapping, and go-live cutovers. Do not provision accounts or enable integrations that expose ePHI until signatures are complete.
When a BAA is typically not required
- Covered entity to covered entity disclosures for treatment purposes.
- Disclosures made pursuant to a valid patient Disclosure Authorization directing PHI to a third party.
- Sharing of data that have been properly de-identified so they no longer constitute PHI.
Key Provisions of a BAA
- Permitted uses and disclosures: clearly define what PHI the business associate may use or disclose and for what purposes, applying the minimum necessary standard.
- Safeguards: administrative, physical, and technical controls consistent with the HIPAA Security Rule, such as access controls, encryption, audit logging, and workforce training.
- Breach notification: report security incidents and breaches to the covered entity without unreasonable delay and no later than 60 calendar days after discovery, with required details.
- Subcontractors: require written Subcontractor Agreements that impose identical restrictions and safeguards on downstream vendors.
- Individual rights support: assist with access, amendments, and accounting of disclosures, including capabilities within Electronic Health Records and related systems.
- Return or destruction of PHI: upon termination, return or securely destroy PHI, or document why destruction is infeasible and continue protections.
- Restrictions on marketing and sale of PHI: prohibit uses not allowed by the HIPAA Privacy Rule unless specifically authorized by the individual.
- Documentation, retention, and Compliance Monitoring: maintain policies, risk analyses, training records, and logs, and make them available to the covered entity or regulators as required.
- Recommended business terms: cybersecurity insurance, indemnification, incident response collaboration, and audit cooperation (while not mandated, they strengthen accountability).
Compliance Responsibilities of Business Associates
Business associates are directly liable for complying with the HIPAA Security Rule and applicable parts of the Privacy Rule. Core duties include conducting risk analyses, implementing encryption for ePHI in transit and at rest, enforcing role-based access, auditing activity, training staff, and maintaining incident response and breach notification procedures.
Strong governance requires proactive Compliance Monitoring: periodic technical assessments, policy reviews, vulnerability remediation, tabletop exercises, subcontractor oversight, and documentation that demonstrates continuous adherence. Keep BAAs and Subcontractor Agreements current as services, systems, or data flows change.
Conclusion
If you are a covered entity—or a vendor handling PHI for one—you need a Business Associate Agreement before PHI moves. Define permitted uses, demand robust safeguards, manage subcontractors with equivalent contracts, and verify compliance continuously. Done well, your BAA program enables secure, lawful data sharing that supports care, payment, and operations.
FAQs
Who qualifies as a covered entity under HIPAA?
Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard Covered Transactions. If you electronically submit claims, verify eligibility, receive remittances, or perform similar activities, you likely qualify and must safeguard Protected Health Information accordingly.
When is a BAA required between entities?
A BAA is required when a covered entity engages a vendor to create, receive, maintain, or transmit PHI on its behalf, and when a business associate uses subcontractors for the same. It must be executed before any PHI is shared. It is generally not required for covered entity to covered entity treatment disclosures, for properly de-identified data, or when an individual directs a disclosure via a valid Disclosure Authorization.
What are the consequences of not having a BAA?
Disclosing PHI to a vendor without a BAA is an impermissible disclosure that can trigger breach notification obligations, regulatory investigations, civil monetary penalties, corrective action plans, contract termination, and reputational harm. Operationally, it can also disrupt claims or Electronic Health Records integrations until compliant agreements are in place.
How should BAAs be managed with subcontractors?
Require a written Subcontractor Agreement that mirrors your BAA, perform due diligence before onboarding, and maintain ongoing Compliance Monitoring. Verify security controls, define incident reporting timelines, reserve audit rights, inventory PHI data flows, and update agreements promptly when services or systems change.