What is a Business Associate Agreement (BAA)? And Why Should You Care?


In the intricate landscape of HIPAA compliance, two acronyms often stand out: PHI (Protected Health Information) and BAA (Business Associate Agreement). While PHI gets much of the attention, understanding the BAA is of equal significance. Like the second string on a violin, it plays a crucial role in harmonizing the HIPAA compliance symphony. Today, we're setting our sights on this pivotal concept, the BAA, to shed light on its importance and intricacies. By the end of this journey, you'll see why comprehending the BAA is essential in orchestrating a successful HIPAA compliance plan. Let's plunge into the world of BAAs, shall we?

So What on Earth is a Business Associate Agreement (BAA)?

The inception of a BAA can be traced back to the vital piece of legislation—the Health Insurance Portability and Accountability Act (HIPAA). This landmark act was established in the United States in 1996. One of the primary objectives of HIPAA was to tighten the grip around identifiable health information, ensuring its protection from misuse. It's from this robust fortress of privacy protection that the concept of a BAA emerged.

So, what's the crux of a BAA? Let's put it in simple terms. A BAA creates a legal obligation for Business Associates of a Covered Entity to protect PHI with the same level of care as a Covered Entity. It sets stringent boundaries around what a Business Associate can and cannot do with the PHI they handle.

Thus, a Business Associate Agreement acts as a sentinel, enforcing the proper use and disclosure of PHI. It's a key tool in the arsenal of HIPAA (in fact, one of our keys to success for HIPAA compliance), ensuring that the sanctity of private patient information is upheld and respected. Through this mechanism, the law aims to prevent the misuse of sensitive patient information, echoing the old saying that "Prevention is better than cure". So, the next time you come across the term BAA, you'll know it's not just any contract—it's a shield safeguarding the privacy of countless individuals.

But Who Are Business Associates?

According to the Department of Health and Human Services, a Business Associate is:

“[A] person or entity, other than a member of the workforce of a Covered Entity who performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve access by the Business Associate to protected health information. A [BA] also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA].”

In essence, an organization hired or contracted by a Covered Entity that stores or uses PHI is most likely a Business Associate.

See below for some examples of common Business Associates who would likely require a BAA when working with a Covered Entity.

  • Accounting or consulting firms
  • Cloud vendors
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Lawyers
  • Medical equipment service companies handling equipment that holds PHI
  • Translator services
  • Shredding services
  • File sharing vendors
  • Information Technology vendors

In most organizations, the HIPAA Privacy Officer is responsible for designing and implementing BAAs within the organization. Learn more about the roles and responsibilities of the Privacy Officer here.

Why is a BAA Crucial in Today's Age?

In this digital era where personal information can zip around the globe in a blink of an eye, a BAA is more important than ever. HIPAA creates serious financial liability for a Covered Entity that fails to execute BAAs as directed. And in a world where data security can never be absolutely guaranteed, a BAA is the bare minimum a Covered Entity should be doing to protect themselves.

HHS has issued financial penalties in numerous instances to Covered Entities that failed to secure BAAs. The entities below were all fined, in part or entirely, for failing to secure a BAA in each instance where one was required.

Covered Entities fined by HHS:

  • Oregon Health & Science University
  • North Memorial Health Care of Minnesota
  • Raleigh Orthopaedic Clinic, P.A. of North Carolina
  • Advanced Care Hospitalists
  • Care New England Health System
  • Pagosa Springs Medical Center
  • The Center for Children’s Digestive Health


Breaking Down the BAA: Key Elements

In the spirit of not leaving any stone unturned, let's examine the main components that make up a BAA. Read on to learn what must be in a BAA for it to meet minimum standards.

Permitted Uses and Disclosures: The BAA outlines the specific circumstances under which the Business Associate can use and disclose PHI, as well as the specific type of PHI to which the Business Associate will have access.

Safeguards: The BAA must define the safeguards the Business Associate should implement to protect PHI, including required HIPAA training for Business Associate personnel and mandating compliance requirements for any subcontractors who may handle PHI on behalf of the Business Associate.

Reporting Obligations: In the event of a breach of PHI, the Business Associate is obligated to notify the Covered Entity, and this process is detailed in the BAA.

Termination: The BAA should also include terms regarding termination of the agreement, including instances when the Business Associate does not comply with the obligations described within. This includes processes for safe disposal of any PHI following the conclusion of the agreement.

HIPAA Training for Business Associates

As a Covered Entity, it is important to rigorously evaluate any potential Business Associate for their willingness and ability to comply with the requirements of HIPAA and the terms of your agreement. Chief among these is the requirement to train their personnel in the requirements of HIPAA. At TeachMeHIPAA, we offer an industry-leading training solution with superior quality and affordable pricing. Whether you’re a Covered Entity evaluating a Business Associate, or a prospective Business Associate evaluating how best to comply, consider TeachMeHIPAA for your HIPAA training needs.


So, there we have it, the BAA demystified! It's not just a legal contract; it's a testament to HIPAA's commitment to preserving the sanctity of a person's private health information. Grasping the ins and outs of a BAA is a cornerstone in crafting a robust HIPAA compliance plan. Remember, it's more than evading fines—it's about fostering a culture of privacy, a culture that values and protects sensitive health information. So, as you venture further into the world of HIPAA, let the essence of BAA guide you: it's not just a piece of paper, but a solemn promise to safeguard that which is most personal and most valuable. The BAA, therefore, is a beacon of trust in the vast sea of healthcare. Understanding the BAA, what it’s for, and how to use it, is a key to success for HIPAA compliance.


Does every business dealing with a healthcare entity need a BAA?
Not necessarily. Only businesses that handle PHI on behalf of a Covered Entity, such as a hospital or clinic, need a BAA.

What happens if a business doesn't have a BAA?
Failure to have a BAA in place when required can lead to heavy penalties, both financial and legal.

Can a BAA be terminated?
Yes, a BAA can be terminated if a party is found to violate its terms. It's not a "til death do us part" kind of agreement.
