HIPAA Authorization vs. Business Associate Agreement: Key Differences
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Authorization = patient permission document for non-TPO uses (research, marketing)
- ✓ BAA = vendor contract required before sharing PHI with a business associate
- ✓ A BAA does not authorize anything — it restricts what the BA can do with PHI
- ✓ An authorization does not create a BA relationship or replace the need for a BAA
What Is a HIPAA Authorization?
A HIPAA Authorization (governed by 45 CFR § 164.508) is a document signed by an individual — or their personal representative — that gives a covered entity permission to use or disclose the individual's PHI for a purpose that would not otherwise be permitted under the Privacy Rule. Authorizations are required for uses and disclosures outside of treatment, payment, and healthcare operations (TPO).
Common situations requiring a HIPAA Authorization include:
- Using PHI for marketing communications (other than face-to-face communications or promotional gifts of nominal value)
- Using PHI for research that is not covered by a waiver of authorization
- Disclosing PHI to a life insurance company for underwriting purposes
- Disclosing psychotherapy notes (which have heightened protections)
A valid HIPAA Authorization must include specific core elements: a description of the PHI to be used/disclosed, the identity of who may use/disclose and who may receive it, the purpose, an expiration date or event, the patient's signature and date, and statements about the right to revoke and the consequences of not signing.
What Is a HIPAA BAA?
A Business Associate Agreement (governed by 45 CFR § 164.504(e)) is a contract between a covered entity and a business associate — a vendor, contractor, or service provider who creates, receives, maintains, or transmits PHI on the covered entity's behalf. The BAA restricts how the BA may use the PHI it receives and obligates the BA to HIPAA compliance. For a full breakdown, see What Is a Business Associate Agreement.
A BAA does not authorize anything — it restricts. It defines the limited, specified purposes for which the BA may use PHI and prohibits all other uses. It is a compliance contract, not a permission grant.
When Each Is Required
These two instruments answer entirely different questions:
- Need patient consent for a specific use of their data? You need an Authorization.
- Sharing PHI with a vendor who performs services for you? You need a BAA.
The treatment/payment/operations (TPO) exception means that authorizations are not needed for most routine healthcare activities — a hospital doesn't need patient authorization to share records with a billing company. However, that billing company still needs a BAA with the hospital. The TPO exception eliminates the need for patient authorization; it does not eliminate the need for a BAA with the vendor.
Common Confusion Scenarios
Understanding when each instrument is required is easier with examples:
- Research institution wanting PHI: The research institution needs an Authorization from each patient (or a waiver from an IRB) AND a BAA with the covered entity providing the PHI if the institution will access identifiable data as part of services for the covered entity.
- Marketing vendor: The covered entity needs patient Authorizations before sharing PHI for marketing purposes, AND a BAA with the marketing vendor because the vendor will receive PHI.
- Cloud storage provider: No patient Authorization needed (storage is a healthcare operation), but a BAA is required before any PHI is stored in the cloud.
This is also distinct from a Data Use Agreement, which governs Limited Data Sets. See HIPAA Data Use Agreement vs. BAA for that comparison.
HIPAA Authorization vs. BAA: Side-by-Side
| Feature | HIPAA Authorization | Business Associate Agreement |
|---|---|---|
| Who signs | The patient (or personal representative) | Covered entity + vendor/business associate |
| Purpose | Patient permission for non-TPO PHI uses | Vendor compliance contract restricting PHI use |
| Regulatory cite | 45 CFR § 164.508 | 45 CFR § 164.504(e) |
| When required | Marketing, research, certain disclosures outside TPO | Any vendor relationship involving PHI access |
| Can substitute for the other? | No | No |
Frequently Asked Questions
What is the difference between a HIPAA authorization and a BAA?
A HIPAA Authorization (45 CFR § 164.508) is a document signed by a patient that permits a covered entity to use or disclose their PHI for a purpose beyond treatment, payment, or operations — such as marketing or research. A BAA (45 CFR § 164.504(e)) is a contract between a covered entity and a business associate that restricts how the BA may use PHI it receives while performing services. They serve completely different purposes and neither can substitute for the other.
When do I need a HIPAA authorization vs. a BAA?
You need a HIPAA Authorization when you want to use or disclose a patient's PHI for purposes beyond treatment, payment, or healthcare operations — such as marketing, research, or sale of PHI. You need a BAA when a vendor or service provider will access, create, receive, or transmit PHI on your behalf as part of services they perform for you. These requirements are often both present simultaneously (e.g., a research vendor needs both a patient Authorization for the data and a BAA with the covered entity).
Does a patient authorization replace the need for a BAA?
No. A patient authorization and a BAA serve entirely different purposes. A patient authorization is consent from the individual for a specific use of their PHI. A BAA is a contract with the vendor performing services. Even if a patient has authorized a specific use of their PHI, the vendor handling that PHI must still sign a BAA with the covered entity. The authorization addresses the patient relationship; the BAA addresses the vendor relationship.
Can a vendor use a HIPAA authorization to avoid signing a BAA?
No. A HIPAA Authorization from patients does not relieve a vendor of the obligation to sign a BAA with the covered entity. These are separate and independent requirements. A vendor who performs services involving PHI access is a business associate and must sign a BAA regardless of what patient authorizations exist. Any vendor that claims patient authorizations substitute for a BAA is either mistaken or attempting to avoid HIPAA obligations.