HIPAA Business Associate Agreement: What You Need to Know
A missing or inadequate Business Associate Agreement is one of the most common sources of HIPAA penalties. Here is everything you need to get BAAs right.
What Is a Business Associate Agreement?
A Business Associate Agreement (BAA), also called a Business Associate Contract, is a written contract between a HIPAA covered entity and a business associate (or between two business associates) that establishes the permitted uses and disclosures of PHI and the BA's obligations to protect it. Under 45 CFR § 164.308(b), covered entities are required to have BAAs with all of their business associates before sharing PHI.
The BAA is not just a formality — it is a foundational legal document that allocates compliance responsibility and provides a contractual framework for breach response, termination, and liability. A covered entity that shares PHI with a vendor without a BAA is in direct violation of HIPAA, even if no breach occurs.
Required Elements of a HIPAA BAA
HIPAA regulations at 45 CFR § 164.504(e) specify what a BAA must include:
- Description of permitted and required uses of PHI by the BA
- Prohibition on using or disclosing PHI other than as permitted by the agreement or required by law
- Requirement to implement appropriate administrative, physical, and technical safeguards
- Requirement to report any unauthorized use or disclosure of PHI, including security incidents
- Requirement to ensure that subcontractors also agree to the same restrictions
- Obligation to make PHI available for patients' right of access
- Obligation to make internal practices and records available to HHS for compliance review
- Requirement to return or destroy PHI at termination of the agreement
Vendors That Typically Require BAAs
For healthcare websites, the list of vendors requiring BAAs is longer than most organizations realize. Evaluate every vendor that may touch ePHI:
- Cloud hosting providers (AWS, Azure, GCP — if ePHI is stored or processed)
- Email service providers (if health-related communications are sent)
- Form and survey platforms (if they collect health information)
- CRM and marketing automation (if they store patient records)
- Scheduling and appointment systems
- Analytics platforms (if deployed on authenticated patient pages)
- Live chat and support tools (if patients discuss health information)
- EHR and practice management software
- Backup and storage services storing ePHI
Managing Your BAA Inventory
Organizations routinely fail compliance reviews not because they refused to get BAAs, but because they lost track of which vendors have BAAs, when they expire, or whether the vendor still has access to ePHI. Establish a BAA inventory management system:
- Maintain a spreadsheet or document listing every BA, BAA status, execution date, and renewal date
- Store executed BAA copies in a central, access-controlled repository
- Review the BAA inventory quarterly and whenever new vendors are added
- Establish a process for reviewing and signing new BAAs before any new vendor is given access to ePHI
- When a vendor relationship ends, follow the BAA's termination provisions regarding data return or destruction
What Happens Without a BAA
The consequences of missing BAAs are well-documented in OCR enforcement actions. In 2019, OCR reached a $2.175 million settlement with a healthcare organization that disclosed PHI to a business associate without a proper BAA. Multiple settlements have addressed BAA failures specifically.
Beyond the direct penalty risk, a missing BAA also means you lack the contractual protections that a BAA provides. If a vendor misuses patient data or suffers a breach, you have limited legal recourse without a BAA. The BAA is both a compliance requirement and a risk management tool that protects your organization in vendor relationships involving ePHI.