What Is a Business Associate Agreement (BAA)? HIPAA Guide (2026)

What Is a Business Associate Agreement?
A Business Associate Agreement (BAA) is a legally binding written contract between a HIPAA-covered entity and a business associate. The agreement establishes how the business associate may use, disclose, and safeguard protected health information (PHI) that it receives from or creates on behalf of the covered entity.
HIPAA regulations at 45 CFR 164.502(e) prohibit covered entities from disclosing PHI to a business associate unless the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. Those assurances take the form of a BAA that meets the requirements set out in 45 CFR 164.504(e).
Without a valid BAA in place, any disclosure of PHI to an outside vendor constitutes a HIPAA Privacy Rule violation, regardless of whether the vendor actually mishandles the data.
Who Qualifies as a Business Associate?
Under HIPAA, a business associate is any person or entity (other than a member of the covered entity's own workforce) that performs functions or activities on behalf of a covered entity involving the creation, receipt, maintenance, or transmission of PHI. The 2013 Omnibus Rule expanded this definition to include subcontractors of business associates who handle PHI.
Common Examples of Business Associates
The U.S. Department of Health and Human Services (HHS) identifies several categories of entities that typically qualify as business associates:
- IT service providers that store, process, or transmit electronic PHI (ePHI) on their servers
- Cloud service providers (CSPs) that host applications or data containing ePHI, even if the data is encrypted and the CSP holds no decryption key
- Medical billing and coding companies that process claims containing patient information
- Claims processing and clearinghouse services that handle PHI during payment transactions
- Practice management software vendors that access patient data during troubleshooting or maintenance
- Accounting firms that receive financial records containing PHI for tax preparation or auditing
- Law firms that access PHI while providing legal services to a covered entity
- Shredding and document destruction companies that handle physical records containing PHI
- Data analytics firms that perform quality assurance, utilization review, or population health studies using PHI
Who Is Not a Business Associate?
Certain entities fall outside the business associate definition. A covered entity's own employees are part of its workforce and are not business associates. Providers who treat patients and receive PHI for treatment purposes are also excluded. Conduit entities, such as the U.S. Postal Service or internet service providers that merely transport data without routine access to it, do not qualify as business associates under the HHS guidance.
What a BAA Must Contain Under Federal Law
The regulations at 45 CFR 164.504(e)(2) lay out specific provisions that every BAA must include. A contract missing any of these elements may be considered invalid, and an invalid BAA means the covered entity lacks the required satisfactory assurances to share PHI.
Required Provisions
Permitted and required uses and disclosures. The BAA must establish exactly what the business associate is allowed to do with PHI, and what uses or disclosures the covered entity requires. The business associate may not use or further disclose the information except as the contract permits or as required by law.
Appropriate safeguards. The business associate must agree to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI. This obligation incorporates compliance with the HIPAA Security Rule standards at 45 CFR Part 164, Subpart C.
Breach reporting. The contract must require the business associate to report any use or disclosure of PHI not authorized by the agreement, including any security incident or breach of unsecured PHI as defined in 45 CFR 164.402.
Subcontractor requirements. Under the Omnibus Rule, the BAA must require the business associate to ensure that any subcontractors who create, receive, maintain, or transmit PHI agree in writing to the same restrictions and conditions that apply to the business associate. This creates a chain of accountability that extends downstream from the covered entity.
Individual rights support. The business associate must agree to make PHI available to individuals who request access under 45 CFR 164.524, to support amendments to PHI under 45 CFR 164.526, and to provide an accounting of disclosures under 45 CFR 164.528.
Government access. The business associate must make its internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance verification purposes.
Return or destruction of PHI. Upon termination of the contract, the business associate must return or destroy all PHI received from, or created or received on behalf of, the covered entity. If return or destruction is not feasible, the contract must extend protections to the retained PHI and limit further uses and disclosures.
Termination authority. The contract must authorize the covered entity to terminate the agreement if the covered entity determines that the business associate has violated a material term.
Optional Provisions
Under 45 CFR 164.504(e)(4), a BAA may also permit the business associate to use PHI for its own proper management and administration, or to carry out its legal responsibilities. If the BAA permits disclosure to a third party for these purposes, the business associate must obtain reasonable assurances from the recipient that the information will remain confidential, will be used or further disclosed only as required by law or for the purpose it was disclosed, and that any breach of confidentiality will be reported back to the business associate.
History: How BAA Requirements Evolved
HIPAA (1996)
The Health Insurance Portability and Accountability Act of 1996 first introduced the concept of business associates. The original Privacy Rule, finalized in 2000 and amended in 2002, required covered entities to obtain satisfactory assurances from business associates through written contracts. However, only covered entities faced direct liability for HIPAA violations. Business associates had contractual obligations but were not subject to direct regulatory enforcement by HHS.
HITECH Act (2009)
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, fundamentally changed the enforcement landscape. HITECH made business associates directly liable for compliance with certain provisions of the HIPAA Security Rule and certain requirements of the Privacy Rule. The Act also introduced the Breach Notification Rule, requiring business associates to notify covered entities of breaches of unsecured PHI.
HITECH strengthened penalties significantly. The Act created a four-tier penalty structure and raised maximum civil monetary penalties to $1.5 million per violation category per calendar year. It also authorized state attorneys general to bring civil actions on behalf of their residents for HIPAA violations.
Omnibus Rule (2013)
The HIPAA Omnibus Rule, published on January 25, 2013 and effective September 23, 2013, finalized the HITECH Act's provisions and further expanded business associate obligations. Key changes included:
- Direct liability. Business associates became directly subject to HIPAA Security Rule requirements and certain Privacy Rule provisions, with HHS able to investigate and penalize them independently of any covered entity.
- Subcontractor accountability. The definition of "business associate" was expanded to include subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate. Each subcontractor relationship requires its own BAA.
- Breach notification duties. Business associates received explicit obligations to investigate potential breaches and notify the covered entity within 60 days of discovery.
- Compliance deadline. All existing BAAs had to be updated to comply with the Omnibus Rule by September 22, 2014.
Consequences of Not Having a BAA
Civil Monetary Penalties
The HHS Office for Civil Rights (OCR) enforces HIPAA through a four-tier penalty structure, with amounts adjusted annually for inflation. As of 2026, penalties range from $145 per violation at the lowest tier (where the entity was unaware of the violation) to $2,190,294 per violation at the highest tier (willful neglect with no corrective action). Annual caps apply, with Tier 4 violations carrying the steepest aggregate exposure.
| Tier | Knowledge Level | Minimum per Violation | Maximum per Violation |
|---|---|---|---|
| 1 | Did not know | $145 | $73,011 |
| 2 | Reasonable cause | $1,461 | $73,011 |
| 3 | Willful neglect (corrected within 30 days) | $14,602 | $73,011 |
| 4 | Willful neglect (not corrected) | $73,011 | $2,190,294 |
Criminal Penalties
Criminal violations of HIPAA carry penalties under 42 U.S.C. 1320d-6. Knowingly obtaining or disclosing PHI in violation of HIPAA can result in fines up to $50,000 and imprisonment up to one year. If the offense involves false pretenses, penalties increase to fines up to $100,000 and imprisonment up to five years. Offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm carry fines up to $250,000 and imprisonment up to 10 years.
Corrective Action Plans
Most OCR settlements include a corrective action plan (CAP) in addition to financial penalties. A CAP typically requires the organization to revise policies and procedures, conduct workforce training, perform a comprehensive risk analysis, and submit to monitoring by OCR for one to three years.
Real Enforcement Actions Involving BAAs
Federal enforcement demonstrates that OCR treats missing or deficient BAAs as serious violations. Several notable settlements highlight the consequences.
North Memorial Health Care: $1.55 Million (2016)
North Memorial Health Care of Minneapolis agreed to pay $1.55 million and adopt a corrective action plan after OCR found that the organization failed to execute a BAA with a major contractor and failed to conduct an organization-wide risk analysis. The contractor had access to the ePHI of 289,904 individuals. This case underscored that both the absence of a BAA and the failure to perform a risk analysis can compound enforcement outcomes.
Raleigh Orthopaedic Clinic: $750,000 (2016)
Raleigh Orthopaedic Clinic in North Carolina agreed to pay $750,000 for releasing x-ray films and related PHI of 17,300 patients to a company that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. The arrangement was made over the telephone, and no BAA was ever executed. OCR cited a violation of 45 CFR 164.502(e). The corrective action plan required the clinic to designate at least one individual responsible for ensuring BAAs are obtained from all business associates.
CHSPSC LLC: $2.3 Million (2020)
CHSPSC LLC, a business associate providing IT and health information management services to hospitals owned by Community Health Systems, agreed to pay $2.3 million after a cyberattack by an advanced persistent threat group (APT18) resulted in the exfiltration of ePHI belonging to 6,121,158 individuals. Although the FBI notified CHSPSC in April 2014 that its systems were compromised, the attackers maintained access for a further four months. OCR identified multiple HIPAA Security Rule failures. The settlement included a two-year corrective action plan with close OCR monitoring.
BST & Co. CPAs, LLP (2025)
BST & Co. CPAs, LLP, a New York accounting firm that served as a business associate to Community Care Physicians, reached a settlement with OCR after a ransomware attack in December 2019 compromised the PHI of its covered entity client. BST received financial records containing PHI for tax preparation purposes. This case illustrated that professional service firms, not just healthcare technology vendors, face enforcement as business associates.
How to Structure a Compliant BAA
HHS provides sample BAA provisions and a model BAA on its website. These templates cover HIPAA-specific requirements but are not complete contracts on their own. According to HHS, the sample language "alone may not be sufficient to result in a binding contract under State law" and does not include many formalities and substantive provisions typically found in valid contracts.
Key Drafting Considerations
Scope of services. Define the exact functions the business associate will perform and the categories of PHI involved. Vague descriptions create ambiguity about permitted uses.
Breach notification timelines. HIPAA requires business associates to report breaches within 60 days of discovery, but many covered entities negotiate shorter reporting windows (24 to 72 hours) in their BAAs.
Security standards. While the HIPAA Security Rule sets the floor, a BAA can specify additional security requirements such as encryption standards, access controls, or audit log retention periods.
Subcontractor flow-down. Since the Omnibus Rule, BAAs must address subcontractor obligations. The agreement should specify whether the business associate needs prior written approval before engaging subcontractors who will access PHI.
Indemnification and liability. These provisions go beyond HIPAA requirements but are standard in contract law. They allocate financial responsibility for breaches, investigations, and notification costs.
Term and termination. Beyond the HIPAA-required termination authority, the BAA should address automatic renewal, termination for convenience, and the transition process for returning or destroying PHI.
Governing law. State contract law governs enforceability. Some states have enacted additional data privacy or health information protection laws that may impose requirements beyond HIPAA.
Consult an attorney for advice specific to your situation when drafting, reviewing, or updating a BAA.
BAAs and Cloud Service Providers
Cloud computing raises distinct BAA considerations. HHS has issued guidance on HIPAA and cloud computing confirming that a cloud service provider (CSP) that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate, even if the CSP processes only encrypted data and does not hold the decryption key.
This means that organizations using cloud-based electronic health record systems, cloud storage for patient records, cloud-hosted practice management software, or cloud-based communication platforms for discussing patient care all need BAAs with their CSP vendors.
Major cloud providers including Amazon Web Services, Microsoft Azure, and Google Cloud offer standard BAAs as part of their HIPAA-eligible service configurations. However, signing a cloud provider's BAA typically covers only specified "HIPAA-eligible" services within the platform, not every service the provider offers.
Related HIPAA Resources
For more on related topics, see:
- When Is a BAA Required? covers specific scenarios where a BAA is and is not necessary
- HIPAA Compliance for Companies discusses the broader compliance framework for organizations handling PHI
- HIPAA Overview provides the full hub for all HIPAA coverage areas
This article provides legal information, not legal advice. HIPAA regulations and enforcement priorities can change. Consult an attorney for advice specific to your situation.
Sources and References
- HHS Business Associates Guidance (hhs.gov)
- HHS Sample Business Associate Agreement Provisions (hhs.gov)
- HHS Direct Liability of Business Associates Fact Sheet (hhs.gov)
- 45 CFR 164.504 - Uses and Disclosures: Organizational Requirements (law.cornell.edu)
- HHS HIPAA Enforcement: North Memorial Health Care Settlement (hhs.gov)
- HHS HIPAA Enforcement: Raleigh Orthopaedic Clinic Settlement (hhs.gov)
- HHS HIPAA Enforcement: CHSPSC LLC Settlement (hhs.gov)
- HIPAA Omnibus Rule Final Rule (Federal Register) (govinfo.gov)
- HHS Guidance on HIPAA and Cloud Computing (hhs.gov)
- HHS HIPAA Enforcement: BST & Co. CPAs Settlement (hhs.gov)
- 42 U.S.C. 1320d-6 - Wrongful Disclosure of Health Information (law.cornell.edu)
- HHS Resolution Agreements and Civil Money Penalties (hhs.gov)