BAA: Business Associate Agreement
A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA whenever a covered entity shares Protected Health Information (PHI) with a vendor or service provider who will access, use, or disclose that PHI in the course of providing services.
What is a BAA?
Under the HIPAA Privacy and Security Rules, a Business Associate (BA) is any person or organisation that performs functions or activities on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Common examples include EHR vendors, cloud hosting providers, analytics platforms, billing companies, medical transcription services, and managed IT service providers. Before a covered entity shares PHI with a BA, a signed BAA must be in place.
Legal Basis: 45 CFR 164.308(b)
The BAA requirement is codified at 45 CFR 164.308(b) (Security Rule) and 45 CFR 164.502(e) and 164.504(e) (Privacy Rule). The HIPAA Omnibus Rule (2013) extended direct HIPAA obligations to Business Associates themselves — BAs are now directly liable for HIPAA violations and can be directly penalised by the Department of Health and Human Services Office for Civil Rights (OCR), even without covered entity involvement.
Required BAA Elements
A compliant BAA must specify:
- Permitted uses and disclosures of PHI by the business associate
- Requirement to use appropriate safeguards to prevent unauthorised use or disclosure
- Requirement to report breaches of unsecured PHI and security incidents
- Requirement to ensure downstream subcontractors also sign BAAs and comply with HIPAA
- Patient rights provisions (right to access, amend, accounting of disclosures)
- Return or destruction of PHI at contract termination
BAA and Analytics Vendors
Any analytics vendor that accesses identifiable patient data — encounter records, diagnosis codes, lab results, medication lists — is a Business Associate and requires a signed BAA. This is non-negotiable and not a formality. A BAA violation (sharing PHI with a vendor without a BAA) is a HIPAA breach that must be reported to OCR and may trigger patient notification requirements and civil penalties. Healthcare organisations should maintain a complete inventory of all vendors with whom they share PHI and confirm BAAs are current and appropriately scoped.