What Is a Business Associate Agreement?
5 min read · HIPAA Compliance
If you work in healthcare — whether as a provider, administrator, or technology vendor — you've likely encountered the term "Business Associate Agreement," or BAA. But what exactly is it, and why does HIPAA require one? This guide breaks it down in plain language.
The Basic Definition
A Business Associate Agreement is a legally binding contract required under the Health Insurance Portability and Accountability Act (HIPAA). It establishes the permitted and required uses and disclosures of protected health information (PHI) by a business associate — any vendor, contractor, or service provider that handles PHI on behalf of a covered entity.
In short: if your organization shares patient data with an outside party, you almost certainly need a BAA with that party.
Who Are the Parties?
Covered Entities
Covered entities are organizations directly subject to HIPAA. They include:
- Healthcare providers (hospitals, physician practices, dental offices, therapists)
- Health plans (insurance companies, HMOs, employer-sponsored health plans)
- Healthcare clearinghouses (entities that process health information)
Business Associates
A business associate is any person or entity that performs functions or activities that involve access to PHI on behalf of a covered entity. Common examples include:
- Electronic health record (EHR) vendors
- Medical billing and coding companies
- Cloud storage providers (if storing PHI)
- IT support firms with access to systems containing PHI
- Legal, accounting, or consulting firms that review records containing PHI
- Transcription services
What Does a BAA Actually Do?
The BAA serves three core functions:
- Defines permitted uses: It specifies exactly how the business associate is allowed to use or disclose PHI — and restricts all other uses.
- Allocates responsibility: It makes clear that the business associate — not just the covered entity — is responsible for safeguarding PHI under the HIPAA Security Rule.
- Establishes breach obligations: It requires the business associate to report breaches to the covered entity within a specified timeframe so the covered entity can meet its own HHS notification obligations.
What Happens Without a BAA?
Operating without a required BAA is a direct HIPAA violation. The consequences can be severe:
- Civil monetary penalties ranging from $100 to $50,000 per violation, up to $1.9 million per year for repeated violations of the same provision
- Federal audits and corrective action plans from the HHS Office for Civil Rights (OCR)
- Reputational damage — OCR publishes enforcement actions on its website
- Contractual liability — downstream partners and clients may hold you liable if a breach occurs without a BAA in place
Key Takeaways
- A BAA is required any time a covered entity shares PHI with an outside vendor or contractor
- The agreement must specify permitted uses, safeguard requirements, and breach notification timelines
- Both covered entities and business associates can face penalties for HIPAA violations
- A general NDA does not substitute for a HIPAA-compliant BAA
For a full list of what your BAA must contain, see our guide on HIPAA BAA requirements.