Business Associate Agreements: What They Are and Why You Need One

Practical guidance for healthcare teams and business associates

Understanding Business Associate Agreements Under HIPAA

In June 2023, iHealth Solutions agreed to pay $75,000 to settle HIPAA violations after OCR found the business associate had exposed the ePHI of 267 individuals and had no BAA in place with its subcontractors [3]. The case is a clear example of what happens when organizations skip the paperwork that HIPAA requires.

A business associate agreement (BAA) is the contract between a covered entity and any vendor, third-party, or service provider that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity’s behalf. Under 45 CFR 164.504(e), covered entities are required to have a BAA in place before sharing PHI with any business associate [1].

It is really heavily in the covered entity’s interest to ensure a proper BAA is in place. It serves as insurance, provides peace of mind, and keeps the practice working with organizations that care about cybersecurity and protecting the information they are responsible for.

What Is a Business Associate?

A business associate is any person or organization that performs a function or activity involving the use or disclosure of PHI on behalf of a covered entity [2]. The definition is broad and covers more vendor relationships than most practices realize.

Common examples include:

  • IT service providers that host or manage systems containing patient records
  • Cloud storage providers used to store documents with PHI
  • Billing companies and claims processors
  • EHR vendors and practice management software companies
  • Shredding and document destruction services
  • Answering services that take patient calls
  • Accountants and attorneys who access PHI during their work

App developers are frequently caught off guard by this requirement. If a mobile app or software tool touches PHI in any way - even temporarily during data transmission - the developer qualifies as a business associate and is subject to HIPAA. Many developers do not realize this until an enforcement action forces the issue.

What Must a BAA Include?

The requirements for a BAA are spelled out in 45 CFR 164.504(e) [1]. A compliant BAA must address each of the following:

  • Permitted uses and disclosures of PHI. The agreement must specify exactly what the business associate is and is not allowed to do with the data. Vague language creates gaps that regulators will notice.

  • Requirement to implement appropriate safeguards. The business associate must agree to use administrative, physical, and technical safeguards to protect PHI, consistent with the HIPAA Security Rule.

  • Reporting obligations for breaches and security incidents. The BAA must require the business associate to notify the covered entity of any breach or security incident without unreasonable delay.

  • Return or destroy PHI at contract termination. When the relationship ends, the business associate must return all PHI or destroy it. If neither option is feasible, the agreement must explain why and extend protections indefinitely.

  • Make PHI available for individual access rights. The business associate must cooperate when patients exercise their right to access their own records.

  • Make practices available to HHS for compliance audits. The business associate must make its internal practices, books, and records available to the Department of Health and Human Services if HHS needs to determine compliance [2].

A BAA that omits any of these elements is not compliant, regardless of what else it covers. For a deeper look at provisions that get overlooked, see this breakdown of common BAA mistakes that create compliance gaps.

What Happens Without a BAA?

Without a BAA, a covered entity loses its contractual safety net. If a business associate suffers a breach, the covered entity has no legal recourse. That burden falls entirely on the covered entity’s shoulders - when contractually, with a BAA in place, that would not have been the case.

There is really no intelligent reason to skip having a business associate sign a BAA. It protects the practice.

Penalties for operating without a BAA vary. It could go any number of ways, depending on how non-compliant the covered entity was to start. OCR considers factors like the organization’s size, compliance history, and whether the lack of a BAA was an isolated oversight or part of a pattern [4]. For context on recent penalty trends, HIPAA fines increased significantly in 2026.

The iHealth Solutions case demonstrates that even a breach affecting a relatively small number of individuals can result in a five-figure settlement when BAA requirements are not met [3].

Common BAA Mistakes

Having a BAA on file is necessary, but not sufficient. Many practices make errors that weaken the agreement or leave compliance gaps.

Using a generic template without review. A template BAA can work as a starting point, but it must be reviewed and tailored to the specific vendor relationship. A BAA for a cloud hosting provider should look different from one for a billing service. The complete guide to business associate agreements covers this in detail.

Failing to track BAA expiration and renewal dates. BAAs are not one-and-done documents. When a BAA expires and is not renewed, the covered entity is operating without one - even if the vendor relationship continues unchanged.

Ignoring subcontractor requirements. Under HIPAA, business associates must have BAAs with their own subcontractors who handle PHI. The iHealth Solutions enforcement action specifically cited missing subcontractor BAAs [3].

Not verifying the vendor’s security practices. Signing a BAA does not guarantee the vendor is actually compliant. Covered entities should verify that business associates have completed a HIPAA risk assessment and have real safeguards in place.

No plan for a vendor breach. A BAA establishes reporting obligations, but the covered entity still needs a response plan. Knowing what to do after your vendor gets hacked is just as important as having the contract in place.

FAQs

Do I need a BAA with my cloud storage provider? Yes, if the cloud storage holds any PHI. This applies to services like Google Drive, Dropbox, and AWS. The provider must sign a BAA before any PHI is uploaded. Most major cloud providers offer a BAA, but the practice must request it - it is not automatic.

What happens if a business associate refuses to sign a BAA? You cannot share PHI with that vendor. HIPAA does not allow exceptions. If a vendor will not sign a BAA, the covered entity must find an alternative provider or restructure the workflow so that the vendor never accesses PHI.

Can I use a template BAA or does it need to be custom? A template can serve as a solid foundation, but it should be reviewed to make sure it reflects the specific services the vendor provides. HHS provides sample BAA language [2], though most practices benefit from having the agreement reviewed by someone familiar with HIPAA requirements before signing.

How often should BAAs be reviewed and updated? At minimum, BAAs should be reviewed annually and updated whenever there is a material change in the vendor relationship, the services provided, or the type of PHI being handled. Regulatory updates may also require revisions to existing agreements.

Sources

  1. 45 CFR 164.504(e)
  2. HHS Business Associate guidance
  3. iHealth Solutions settlement
  4. OCR enforcement results

One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more about One Guy Consulting