HIPAA BAA Generator

What Is a HIPAA Business Associate Agreement (BAA)?

A Business Associate Agreement (BAA) is a legally binding contract required under the Health Insurance Portability and Accountability Act (HIPAA) between a covered entity and a business associate.

Who Are the Parties?

A **covered entity** is any healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically. This includes hospitals, clinics, pharmacies, insurance companies, and Medicare/Medicaid programs.

A **business associate** is any person or organization — other than a member of the covered entity's workforce — that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI).

What Does a BAA Contain?

A compliant BAA must include several key provisions required by 45 CFR §164.504(e):

1. **Permitted uses and disclosures** — Specifying exactly how the business associate may use and disclose PHI
2. **Safeguards** — Requiring appropriate administrative, physical, and technical safeguards
3. **Reporting obligations** — Mandating breach notification procedures
4. **Subcontractor requirements** — Ensuring downstream vendors also comply
5. **Access rights** — Supporting individuals' rights to access their PHI
6. **Termination provisions** — Defining what happens to PHI when the relationship ends
7. **Return or destruction of PHI** — Obligations upon contract termination

Why Are BAAs Required?

Before the HITECH Act of 2009, business associates weren't directly liable for HIPAA violations. The HITECH Act changed this — business associates are now directly subject to HIPAA's Security Rule and certain provisions of the Privacy Rule.

Without a BAA in place, both the covered entity and the business associate are in violation of HIPAA, even if no breach has occurred. The Office for Civil Rights (OCR) has imposed significant fines for missing or inadequate BAAs.

Real-World Example

A hospital uses a cloud-based EHR system. The cloud provider stores and processes patient records, making it a business associate. Before the hospital can share any patient data with this provider, it must execute a BAA that outlines how the provider will protect that data.

Key Takeaway

A BAA isn't just a formality — it's a critical compliance requirement that protects patients, covered entities, and business associates alike. Every organization that handles PHI should ensure proper BAAs are in place with all relevant vendors.