BAA vs. Data Processing Agreement: What's the Difference?
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ A BAA (HIPAA) and a DPA (GDPR) govern different data categories under different legal regimes
- ✓ Neither document can substitute for the other — organizations operating in both US healthcare and EU markets need both
- ✓ A single combined document can satisfy both requirements only if it contains all required provisions of each framework
- ✓ HIPAA applies to PHI regardless of the data subject's location; GDPR applies to personal data of data subjects in the EU (Article 3) regardless of where the processor is located
As healthcare organizations increasingly serve international patient populations and use global SaaS vendors, the question of whether a BAA or a DPA is required — or both — comes up regularly. The answer requires understanding what each document is and what law creates the obligation. For the BAA side, see what a HIPAA BAA requires.
What Is a BAA?
A Business Associate Agreement (BAA) is a written contract required under HIPAA (45 CFR § 164.504(e)) between a HIPAA-covered entity and a business associate — any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the covered entity. A BAA governs the business associate's permitted uses of PHI, security obligations, breach notification requirements, and PHI disposition at termination.
The BAA requirement exists in U.S. federal law. It applies when PHI is involved, regardless of the data subject's nationality or location. A U.S. hospital treating a French patient still has HIPAA BAA obligations for vendors who handle that patient's PHI.
What Is a DPA?
A Data Processing Agreement (DPA) is a written contract required under GDPR Article 28(3) between a data controller (an organization that determines the purposes and means of processing personal data) and a data processor (an entity that processes personal data on the controller's behalf). A DPA governs what the processor may do with the personal data, its security obligations, sub-processor requirements, assistance with data subject rights, and return or deletion of the data when the contract ends.
The DPA requirement exists in EU law (and in the UK GDPR post-Brexit). Under Article 3 it applies to processing by an organization established in the EU or UK, and to processing by an organization established elsewhere that offers goods or services to, or monitors the behaviour of, data subjects in the EU or UK, regardless of where the controller or processor is located. A U.S. telehealth company treating patients in the EU therefore has GDPR DPA obligations for vendors who process those patients' data.
Side-by-Side Comparison
| Dimension | HIPAA BAA | GDPR DPA |
|---|---|---|
| Legal basis | 45 CFR § 164.504(e) (HIPAA Privacy Rule); § 164.314(a) (Security Rule, for ePHI) | GDPR Article 28 |
| Applies to | Protected Health Information (PHI) created, received, maintained, or transmitted by a business associate on behalf of a covered entity | Personal data of data subjects in the EU/UK processed by a processor on behalf of a controller |
| Who are the parties | Covered entity (CE) and business associate (BA); BAs in turn sign BAAs with their subcontractors | Data controller and data processor; processors in turn bind their sub-processors |
| Geographic scope | U.S. federal law; applies to HIPAA-covered entities and their BAs regardless of where the BA or the patient is located | EU/UK law; applies to organizations established in the EU/UK and to others offering goods or services to, or monitoring, data subjects there, regardless of processor location (Article 3) |
| Key provisions | Permitted uses and disclosures of PHI, safeguards, reporting of impermissible uses and breaches to the CE, subcontractor BAAs, making PHI available for patient access/amendment/accounting, books and records available to the HHS Secretary, PHI return/destruction at termination | Processing only on documented controller instructions, personnel confidentiality, Article 32 security measures, sub-processor conditions, assistance with data subject rights and with Articles 32-36 (security, breach notification, DPIAs), return/deletion at end of service, information and audit rights for the controller |
| Breach notification timeline | BA must notify the CE without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI (45 CFR § 164.410); the BAA may and often does set a shorter deadline | Processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)); the controller then has 72 hours, where feasible, to notify the supervisory authority (Article 33(1)) |
| Penalty regime | OCR civil monetary penalties, tiered by culpability and adjusted annually for inflation, charged per violation with an annual cap per provision violated; state attorneys general may also sue under HITECH | Supervisory authority fines of up to €10 million or 2% of global annual turnover for breaches of controller/processor obligations such as Article 28 (Article 83(4)), and up to €20 million or 4% for breaches of the processing principles or data subject rights (Article 83(5)), whichever amount is higher |
| Data subject rights | Limited: patients have access, amendment and accounting-of-disclosures rights, exercised against the CE rather than the BA; the BAA must oblige the BA to support the CE in meeting them | Extensive: data subjects have access, rectification, erasure, portability, restriction and objection rights, exercised against the controller, which the DPA must oblige the processor to assist with |
When You Need Both a BAA and a DPA
You need both documents when your organization processes both PHI under HIPAA and personal data of EU/UK residents under GDPR. This applies to:
- Telehealth companies serving both U.S. and EU patient populations
- U.S.-based healthcare organizations with EU-based employees whose HR data (including health information) falls under GDPR; note that employment records held by the organization in its role as employer are not PHI under HIPAA (45 CFR § 160.103), so the employee data is a DPA matter while the patient data remains a BAA matter
- Healthcare SaaS vendors with EU and U.S. customers who process PHI for U.S. covered entities and personal health data for EU customers
- Research organizations processing both U.S. PHI and EU participant data
In these scenarios, a vendor agreement must include both the HIPAA BAA provisions and the GDPR DPA provisions — or you must execute two separate documents.
Can One Document Cover Both?
Yes. One document can satisfy both requirements, but only if it contains all required provisions of both frameworks. Large cloud vendors such as Google, Microsoft and AWS publish standard terms that cover both regimes, sometimes as a single Data Processing Addendum that includes HIPAA BAA provisions and sometimes as a BAA accepted separately alongside the DPA, so check how your vendor structures them before assuming one signature covers both.
When evaluating whether a single combined document is sufficient, verify that it contains:
- All HIPAA BAA required elements under 45 CFR § 164.504(e)(2) (and § 164.314(a) for ePHI): permitted and required uses and disclosures, appropriate safeguards, reporting to the CE of any use or disclosure not provided for by the contract, including breaches of unsecured PHI under § 164.410 (without unreasonable delay and no later than 60 days), subcontractor BAA requirements, making PHI available for patient access, amendment and accounting of disclosures, making internal practices, books and records available to the HHS Secretary, and PHI return or destruction at termination
- All GDPR Article 28(3) required elements: processing only on documented controller instructions (including for international transfers), personnel confidentiality commitments, Article 32 security measures, conditions for engaging sub-processors, assistance with data subject rights and with Articles 32 to 36 obligations, return or deletion of data at end of service, and an obligation to make available the information needed to demonstrate compliance and to allow audits
The mere existence of a combined document does not guarantee it satisfies both requirements. Review it against both frameworks' checklists before relying on it.
Frequently Asked Questions
What's the difference between a BAA and a DPA?
A BAA is required under U.S. HIPAA for vendors who create, receive, maintain, or transmit PHI on behalf of covered entities. A DPA is required under EU GDPR for processors handling personal data of data subjects in the EU on behalf of controllers. They govern different data categories under different legal frameworks and are enforced by different regulators.
Do I need both a BAA and a DPA?
Yes, if your organization handles both PHI under HIPAA and EU resident personal data under GDPR. A U.S. telehealth company serving EU patients, for example, needs both. A purely domestic U.S. practice with no EU patient population only needs a BAA. A purely EU data processor with no U.S. healthcare connections only needs a DPA.
Can a DPA substitute for a BAA?
No. Although a DPA overlaps with a BAA on topics such as security measures, sub-processors and deletion at termination, it does not contain the HIPAA-specific BAA provisions: reporting of impermissible uses and breaches of unsecured PHI to the covered entity under 45 CFR § 164.410, subcontractor BAA requirements (45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2)), access to books and records by the HHS Secretary, support for patient access, amendment and accounting rights, and PHI return/destruction specifications. For PHI handled under HIPAA, a BAA is required regardless of whether a DPA is also in place.
Generate a HIPAA-compliant BAA for your U.S. vendor relationships
Cover your HIPAA BAA obligations in minutes — the GDPR side requires a separate DPA process.
Generate BAA for Free →