What Is a Business Associate Agreement (BAA)?
Business Associate Agreement (BAA)
Also known as: BAA; Business Associate Contract; BA Agreement
A Business Associate Agreement is a HIPAA-required written contract under 45 CFR 164.504(e) between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf, establishing the vendor's permitted uses, safeguards, and breach notification obligations.
Definition
Required by 45 CFR 164.502(e) and 164.504(e), a BAA must specify permitted and required uses and disclosures of PHI, prohibit further disclosures except as permitted by the contract or required by law, require appropriate safeguards under the Security Rule, require reporting of breaches and security incidents, require subcontractor BAAs, and require return or destruction of PHI at contract termination. Following the 2013 HITECH Omnibus Rule, business associates are directly liable for many HIPAA Privacy and Security Rule provisions regardless of BAA contents. HHS publishes a sample BAA at hhs.gov/hipaa.
Example
A physician practice using a cloud-based EHR (e.g., DrChrono, athenahealth), a clearinghouse (e.g., Availity, Change Healthcare), a billing service, an answering service that takes appointment messages, and a shredding company that destroys PHI documents must each have a signed BAA. A janitorial service that does not access PHI does not require a BAA.
Common Misconceptions
A BAA is not optional — without one, any disclosure of PHI to the vendor is itself a HIPAA violation by the covered entity. Email providers that 'support HIPAA' (Google Workspace, Microsoft 365) require an explicit BAA execution, not just enterprise-tier subscriptions. AWS, Azure, and GCP require executing their specific BAAs and using only HIPAA-eligible services.
Practical Application
When onboarding any new vendor, the question to ask first is 'will this vendor have access to PHI?' If yes, execute the BAA before transmitting any PHI. Maintain a BAA inventory log with execution date, vendor contact, and renewal/termination provisions to satisfy OCR audit requests.
Related Terms
HIPAA
HIPAA is the 1996 federal law that establishes national standards for protecting the privacy and security of individually identifiable health information held by covered entities and their business associates.
HITECH Act
HITECH is the 2009 federal law that strengthened HIPAA by extending direct liability to business associates, increasing breach notification requirements, and creating tiered civil monetary penalties for HIPAA violations.
PHI (Protected Health Information)
PHI is any individually identifiable health information transmitted or maintained by a HIPAA covered entity or business associate, in any form or medium, that relates to a person's past, present, or future physical or mental health, treatment, or payment for care.