What Is a HIPAA Business Associate Agreement? Requirements, Examples, and Enforcement

Practical guidance for healthcare teams and business associates

If your organization handles protected health information (PHI), every vendor that touches that data needs a signed business associate agreement (BAA) before they receive a single record. Not after. Not “when legal gets around to it.” Before.

A HIPAA business associate agreement is a written contract between a covered entity and a business associate. It establishes the permitted uses and disclosures of PHI, requires the business associate to safeguard it, and spells out what happens when something goes wrong. It is a standalone regulatory requirement, and skipping it is one of the fastest ways to draw a six-figure fine from the HHS Office for Civil Rights (OCR).

Who Qualifies as a Business Associate?

Under 45 CFR 160.103, a business associate is any person or organization that performs a function or activity on behalf of a covered entity (or another business associate) involving the use or disclosure of PHI.

Common examples: IT vendors, medical billing companies, cloud providers (AWS, Azure, Google Cloud), document shredding companies, attorneys, EHR vendors, and answering services.

If they see it, store it, transmit it, or could reasonably access it, they probably need a BAA. For a deeper breakdown, see our complete guide to business associate agreements.

What a BAA Must Contain

The required provisions are spelled out in 45 CFR 164.504(e). A compliant BAA must include, at minimum:

  1. Permitted and required uses/disclosures. Specify exactly what the business associate can do with PHI. Prohibit everything else.
  2. Safeguard obligations. Require appropriate safeguards, including Security Rule compliance for electronic PHI (ePHI).
  3. Breach reporting. Require the business associate to report breaches of unsecured PHI without unreasonable delay.
  4. Subcontractor flow-down. Require that subcontractors with PHI access agree to the same restrictions.
  5. Support for individual rights. The business associate must support patient access requests (45 CFR 164.524), amendment requests (45 CFR 164.526), and accounting of disclosures (45 CFR 164.528).
  6. HHS access. Make internal practices and records available to the Secretary of HHS.
  7. Return or destruction of PHI. Require the business associate to return or destroy all PHI at contract termination, if feasible.
  8. Termination provisions. Allow the covered entity to end the agreement for material violations.

If your BAA is missing any of these, it does not meet the regulatory standard. We regularly find gaps during HIPAA consulting engagements, often in agreements organizations assumed were compliant for years.

Why a BAA Is Legally Required Before Sharing PHI

Under 45 CFR 164.502(e), a covered entity may not disclose PHI to a business associate unless the covered entity first obtains satisfactory assurances through a written BAA.

Sharing PHI without a signed BAA is itself a HIPAA violation, regardless of whether a breach occurs. OCR treats the absence of a BAA as a standalone violation during audits and investigations.

Real Enforcement: What Happens Without a BAA

Raleigh Orthopaedic Clinic in North Carolina handed over x-ray films containing PHI for approximately 17,300 patients to a third party that promised to convert the images to electronic media. The problem: no BAA was executed before the transfer. OCR settled the case for $750,000 plus a corrective action plan.

That was not a data breach. It was a paperwork failure that cost three quarters of a million dollars.

We have documented other common pitfalls in our post on business associate agreement mistakes you need to avoid.

A Signed BAA Does Not Transfer All Liability

A misconception we encounter frequently: “We have a signed BAA, so if the vendor causes a breach, it is their problem.” Wrong.

Under the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for their own HIPAA violations. But covered entities retain liability for oversight failures. If you knew (or should have known) a business associate was violating the BAA and failed to act, you share responsibility. A BAA is a risk management tool, not a liability shield.

This is why conducting a risk assessment that includes your business associates is critical.

Business Associates vs. Subcontractors

Under the 2013 Omnibus Rule, subcontractors who handle PHI on behalf of a business associate are themselves treated as business associates. The chain of BAAs must extend downstream. If your billing company uses a cloud provider to store claims data, that cloud provider needs a BAA with the billing company.

Verify that your business associates have subcontractor BAAs in place. If a subcontractor is compromised and no BAA exists, your organization is exposed. We cover incident response for these scenarios in our post on what to do when a vendor gets hacked.

When to Update Your BAAs

BAAs are not set-and-forget documents. You should review and update them when:

  • The scope of services changes
  • Regulations are updated (the proposed HIPAA Security Rule changes will likely require BAA revisions)
  • A breach or security incident occurs involving the business associate
  • The contract is up for renewal
  • Subcontractors are added or removed

Our HIPAA training programs cover vendor management and BAA lifecycle management for the staff who handle these relationships day to day.

Get Your BAAs Right

If you are not sure whether your BAAs cover every vendor relationship, or if your existing agreements contain the required provisions under 45 CFR 164.504(e), it is time for a review. We help medical practices and healthcare organizations audit their vendor relationships, identify gaps, and build compliant agreements that actually protect the organization.

Contact us for a BAA and vendor compliance review.