HIPAA Business Associate Agreement (BAA): Requirements, Provisions, and Common Mistakes

TL;DR

  • A BAA is a federally required contract under 45 CFR 164.504(e) that must be in place before any vendor creates, receives, maintains, or transmits PHI on your behalf — no BAA means a violation exists regardless of the vendor's security posture.
  • The HIPAA Omnibus Rule (published January 25, 2013; compliance date September 23, 2013) made business associates directly liable under HIPAA; your vendor can now be fined independently of anything you did or failed to do.
  • 45 CFR 164.504(e)(2) specifies twelve mandatory elements (permitted uses, ten business associate obligations, and a termination right). A BAA that omits any of them is non-compliant even if signed by both parties.
  • Subcontractor BAAs are required under 45 CFR 164.504(e)(5): your business associate must execute its own BAAs with any downstream vendor that touches PHI.
  • Business associates must report breaches to the covered entity without unreasonable delay and no later than 60 calendar days from discovery, per 45 CFR 164.410 — most BAAs tighten this to 24-72 hours contractually.

Who this is for: Compliance officers, privacy counsel, and operational leads at covered entities (health plans, providers, clearinghouses) and business associates evaluating or updating their BAA programs. Also relevant to SaaS vendors selling into healthcare who need to understand what they are agreeing to when they sign a customer's BAA.


What a BAA Is and Where It Comes From

A HIPAA Business Associate Agreement is a written contract that binds a vendor (the "business associate") to specific obligations under HIPAA regarding PHI it handles on a covered entity's behalf. The requirement appears in the HIPAA Privacy Rule at 45 CFR 164.504(e).

Before 2009, the BAA was purely contractual: a vendor that violated HIPAA could be held liable only through contract law, not directly by HHS. The HITECH Act of 2009 changed that, and the 2013 Omnibus Rule finalized the direct liability framework. Under current law, a business associate is subject to the same HIPAA civil and criminal penalties as the covered entity itself — HHS can cite and fine the vendor directly without any finding of covered entity fault.

The Security Rule adds a parallel BAA obligation at 45 CFR 164.314(a): the agreement must also require the business associate to comply with the Security Rule's administrative, physical, and technical safeguard standards for electronic PHI.

HHS publishes sample BAA provisions as a drafting reference. These are starting points, not finished contracts: they require legal review and customization for vendor-specific scope before execution.

Who Needs a BAA

BAA obligations follow PHI. The question is: does this vendor create, receive, maintain, or transmit PHI on your behalf? If yes, a BAA is required. There is no de minimis exception based on volume or sensitivity.

Covered entities — the parties that must initiate BAAs with their vendors — fall into three statutory categories under 45 CFR 160.103:

  • Health plans: insurers, HMOs, Medicare, Medicaid, and employer group health plans (a plan with fewer than 50 participants that the employer administers itself is excluded from the definition)
  • Health care clearinghouses: entities that process non-standard health information into standard formats or vice versa
  • Health care providers who transmit health information electronically in connection with a covered transaction (hospitals, clinics, dental practices, behavioral health, home health agencies, pharmacies)

Business associates that typically require BAAs include:

  • Cloud hosting providers when the service tier includes storage of, or access to, PHI (AWS, Azure, Google Cloud all publish BAAs for their HIPAA-eligible service lists)
  • EHR and practice management software vendors
  • Medical billing and coding companies
  • Telehealth platforms
  • IT managed service providers whose administrative access reaches systems that store or process PHI
  • Data destruction vendors handling PHI-bearing media
  • Transcription services
  • Cybersecurity tools that ingest PHI in logs or security alerts
  • Email and SMS platforms used for patient communication
  • Analytics platforms that process patient data

No BAA required:

  • Conduit-only services that transport data without any ability to access it: traditional telecommunications carriers and postal services are the clearest examples. The conduit exception is narrow: 45 CFR 160.103 explicitly includes Health Information Organizations and e-prescribing gateways as business associates rather than exempting them as conduits. A cloud provider that stores PHI does not qualify because it maintains the data persistently; HHS's 2016 guidance on HIPAA and cloud computing makes the point explicit: the provider is a business associate even when the PHI is encrypted and the provider does not hold the decryption key.
  • Members of the covered entity's own workforce
  • Other covered entities receiving PHI for treatment purposes

The Twelve Mandatory BAA Provisions

45 CFR 164.504(e)(2) specifies what a compliant BAA must contain: a statement of permitted uses (paragraph (e)(2)(i)), ten business associate obligations (paragraph (e)(2)(ii)(A) through (J)), and a termination right for the covered entity (paragraph (e)(2)(iii)). A BAA that omits any of these does not satisfy the covered entity's compliance obligation; signing it creates a paper record but not legal protection.

Required by 45 CFR 164.504(e)(2):

  1. Establish the permitted and required uses and disclosures of PHI by the business associate ((e)(2)(i))
  2. Prohibit the business associate from using or disclosing PHI in any way not authorized by the contract or required by law ((e)(2)(ii)(A))
  3. Require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure and, where applicable, to comply with the Security Rule (45 CFR Part 164, Subpart C) for electronic PHI ((e)(2)(ii)(B))
  4. Require the business associate to report any use or disclosure not provided for by the contract, including any breach of unsecured PHI, to the covered entity ((e)(2)(ii)(C))
  5. Require the business associate to ensure that subcontractors agree to the same restrictions and conditions; this is the downstream chain requirement ((e)(2)(ii)(D))
  6. Make PHI available to individuals exercising their right of access under 45 CFR 164.524 ((e)(2)(ii)(E))
  7. Make PHI available for amendment under 45 CFR 164.526 and incorporate any amendments ((e)(2)(ii)(F))
  8. Make available the information needed to provide an accounting of disclosures under 45 CFR 164.528 ((e)(2)(ii)(G))
  9. To the extent the business associate carries out a covered entity's obligation under the Privacy Rule, comply with the Privacy Rule requirements that apply to the covered entity in performing that obligation ((e)(2)(ii)(H)); this element was added by the Omnibus Rule and is the one most often missing from older templates
  10. Make its internal practices, books, and records available to the Secretary of HHS for compliance determinations ((e)(2)(ii)(I))
  11. At termination, return or destroy all PHI, and if return or destruction is not feasible, extend BAA protections for as long as PHI is retained and limit further uses and disclosures to the purposes that make return or destruction infeasible ((e)(2)(ii)(J))
  12. Authorize the covered entity to terminate the contract if the business associate violates a material term ((e)(2)(iii))

The Security Rule's parallel requirement at 45 CFR 164.314(a)(2)(i) restates the Subpart C obligation for electronic PHI and adds two specifics: the business associate must ensure that its own subcontractors comply with Subpart C, and it must report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI.

Optional provisions that are now standard practice in most healthcare contracts:

  • Contractual breach notification timeline: most organizations specify 24-72 hours, shorter than the 60-day federal maximum at 45 CFR 164.410
  • Cyber liability insurance minimums and evidence requirements
  • Data residency restrictions (US-only storage)
  • Audit rights for the covered entity
  • Minimum encryption standards (AES-256 at rest, TLS 1.2 or higher in transit)
  • Indemnification for breach-related costs

Subcontractor BAAs: The Downstream Chain

45 CFR 164.504(e)(5) requires business associates to extend HIPAA obligations to their own subcontractors. When a business associate engages a downstream vendor that will create, receive, maintain, or transmit PHI, that downstream vendor is itself a business associate, and a separate BAA must be executed between them.

The practical result is a chain. A hospital signs a BAA with an EHR vendor. That EHR vendor uses AWS for infrastructure, so the EHR vendor signs a BAA with AWS. The EHR vendor uses Datadog for application monitoring, so the EHR vendor signs a BAA with Datadog. Each link in the chain is a separate, required agreement.

Three enforcement consequences flow from this structure:

  1. Each business associate is directly liable under HIPAA for its own compliance failures, including the failure to execute required downstream BAAs
  2. A covered entity is not automatically liable for a subcontractor's actions (it is liable only where the business associate acts as its agent under the federal common law of agency, 45 CFR 160.402(c)), but the intermediate business associate is liable if it failed to get the required BAA with the subcontractor
  3. HHS has cited the failure to obtain subcontractor BAAs as a standalone violation in published enforcement actions — it is not treated as a minor procedural gap

Covered entities increasingly require business associates to provide subcontractor BAA evidence during vendor due diligence, and many enterprise healthcare contracts now include a schedule listing the business associate's subcontractors that touch PHI.

Common BAA Mistakes That Appear in Enforcement Actions

HHS OCR reviews BAAs during complaint investigations and compliance audits. The failure patterns below are documented across published OCR resolution agreements.

No signed BAA at all. The most basic failure. Sharing PHI with any vendor without a signed BAA is a HIPAA violation from the moment PHI is transmitted, and OCR has cited it in settlements ranging from small practices to large health systems. The Advocate Health Care Network resolution agreement (August 2016, $5.55 million) included a finding that Advocate had disclosed PHI to a billing services vendor without a BAA, alongside other Security Rule violations. Dollar amounts vary widely with the violation tier; the point is that enforcement is active, not theoretical.

Incorrect reliance on the conduit exception. Vendors sometimes claim BAA-free status because they "only pass data through." The exception is narrow: it applies when the vendor has no ability to access the PHI, not just when it does not routinely do so. Cloud storage providers, managed database services, and email delivery platforms almost never qualify. The definition at 45 CFR 160.103 explicitly includes Health Information Organizations as business associates rather than conduits.

Accepting a vendor's template BAA without review. Many SaaS vendors provide BAA templates that are heavily weighted toward the vendor: long breach notification windows, broad PHI use rights for "service improvement," high liability caps. Covered entities have the right to negotiate. The mandatory provisions at 45 CFR 164.504(e)(2) set a floor; anything above that floor is negotiable.

Missing subcontractor flow-down language. Some BAAs state only that the business associate must obtain "equivalent protections" from subcontractors without saying what those protections are, which leaves the clause ambiguous and difficult to enforce. Best practice: incorporate the full mandatory provision list from 45 CFR 164.504(e)(2) by reference in the subcontractor requirement clause, and require the business associate to produce its subcontractor BAAs on request.

Incomplete termination provisions. 45 CFR 164.504(e)(2)(ii)(J) requires the BAA to address PHI at termination. A clause that says only "return or destroy all PHI" is incomplete: it does not address what happens when return or destruction is not feasible (for example, when PHI is embedded in backup media that cannot be selectively wiped). The BAA must specify that protections continue for as long as PHI is retained in that scenario.

Pre-Omnibus BAAs still in use. The Omnibus Rule was published January 25, 2013, took effect March 26, 2013, and set a compliance date of September 23, 2013. Its transition provision let a BAA already in place on January 25, 2013 run unmodified until the earlier of its next renewal or September 22, 2014. Any agreement executed before 2013 and never re-papered predates the direct liability framework, the subcontractor requirements, the Privacy Rule flow-down element at 164.504(e)(2)(ii)(H), and the revised breach notification standard, and does not comply with the current regulation. OCR treats such an agreement as a deficient BAA in audits and investigations.

Penalty Exposure for BAA Failures

45 CFR 160.404 establishes four civil monetary penalty tiers. The base amounts in the regulation text are:

Tier  Culpability                                Per violation        Annual cap (identical provision)
1     Did not know (and could not have known)    $100 to $50,000      $1,500,000
2     Reasonable cause                           $1,000 to $50,000    $1,500,000
3     Willful neglect, corrected within 30 days  $10,000 to $50,000   $1,500,000
4     Willful neglect, not corrected             $50,000 minimum      $1,500,000

Two adjustments apply to those figures. First, the amounts actually assessed are raised each year under the Federal Civil Penalties Inflation Adjustment Act, so the current per-violation and cap figures are higher than the table. Second, HHS's April 2019 Notice of Enforcement Discretion lowered the annual caps it applies for Tiers 1 through 3 to $25,000, $100,000, and $250,000 respectively (before inflation adjustment); the $1,500,000 cap remains for Tier 4. Operating without a required BAA falls most often into Tier 2 or Tier 3, depending on whether the covered entity knew a BAA was required and chose not to execute one.

Criminal penalties under 42 U.S.C. 1320d-6 apply when PHI is knowingly obtained or disclosed in violation of HIPAA, particularly for personal gain or malicious intent. The absence of a BAA alone is almost always a civil matter, not a criminal one.

Breach Notification Obligations Under a BAA

When a business associate discovers a breach of unsecured PHI, two notification clocks start simultaneously.

The federal clock is set by 45 CFR 164.410: notification to the covered entity must occur "without unreasonable delay and in no case later than 60 calendar days after discovery."

The contractual clock is whatever the BAA specifies, and it is typically much shorter. Most healthcare contracts today set 24-72 hours for the business associate's initial notification. The reason is the covered entity's own obligations: under 45 CFR 164.404(a)(2), if the business associate is the covered entity's agent under the federal common law of agency, the covered entity is deemed to have discovered the breach when the business associate did, so its own 60-day window to notify individuals is already running before it hears anything. A short contractual window preserves time for the covered entity to investigate and prepare notices.

What counts as discovery under 45 CFR 164.410: the first day the breach is known to the business associate, or the first day it would have been known through reasonable diligence. Knowledge by any employee or agent (other than the person who caused the breach) counts as discovery by the organization.

What the business associate must provide to the covered entity at notification, per 45 CFR 164.410:

  • Identity of affected individuals, or an approximation if identities are not yet known
  • Any other information that the covered entity is required to include in notifications to individuals under 45 CFR 164.404(c) — this includes description of the breach, types of PHI involved, protective steps individuals should take, and contact information

The covered entity then takes over: it notifies affected individuals without unreasonable delay and no later than 60 calendar days after its own discovery (45 CFR 164.404); notifies HHS (45 CFR 164.408), contemporaneously for breaches affecting 500 or more individuals and otherwise in an annual log submitted within 60 days after the end of the calendar year; and, for breaches affecting more than 500 residents of a state or jurisdiction, notifies prominent media outlets serving that area (45 CFR 164.406). Some BAAs delegate execution of individual notification to the business associate, but HHS holds the covered entity accountable for that notification regardless.

BAA Templates and What They Cost

HHS provides sample BAA provisions at no cost. These are a drafting starting point covering the mandatory elements from 45 CFR 164.504(e)(2) — they are not a finished contract and should be reviewed by healthcare counsel before use.

Common template sources:

  • HHS OCR sample provisions: free, covers mandatory elements, requires customization
  • State hospital association templates: often free to members, sometimes include jurisdiction-specific additions
  • HIPAA compliance platform templates (Vanta, Drata, Compliancy Group): included in platform subscriptions, vary in completeness

Legal review cost varies with complexity:

Scenario                                                                  Typical cost
Small practice using HHS sample provisions with minor modifications        1 to 2 attorney hours at standard healthcare counsel rates
Customizing a template for a specific vendor engagement                    2 to 4 attorney hours
Negotiating a vendor-provided BAA with experienced healthcare counsel      3 to 6 attorney hours, depending on vendor responsiveness
Enterprise BAA framework with playbooks for recurring vendor categories    Higher initial investment; reduces per-engagement cost significantly after rollout

The cost figures above depend on your law firm's rates and the complexity of the vendor relationship. The highest-leverage investment for most covered entities with 20 or more PHI-handling vendors is building one well-drafted standard BAA template, then using it as the opening position in every vendor negotiation. This concentrates legal spend at template creation and reduces per-vendor negotiation time.

Managing BAAs Across Multiple Vendors

For covered entities with more than a handful of PHI-handling vendors, an ad hoc approach to BAA management creates direct compliance exposure. OCR auditors ask to see the current BAA inventory, and a missing, expired, or pre-2013 BAA is a finding.

Minimum tracking fields for a BAA inventory:

  • Vendor name and primary compliance contact
  • BAA version and effective date
  • Expiration or renewal trigger date
  • Scope of PHI handled (data categories, storage locations)
  • Subcontractor flow-down verification status (date verified, subcontractor list received)
  • Breach notification history
  • Cyber liability insurance evidence on file and expiration date

GRC platforms including Vanta, Drata, and Compliancy Group include BAA tracking modules that integrate with vendor management workflows. For organizations that already maintain a vendor risk register, adding BAA fields to the existing register is often the simplest path. The tracking method matters less than the habit of reviewing the inventory at least annually and at any of these trigger events: HIPAA regulatory change, merger or acquisition involving either party, breach incident, change in scope of services, or subcontractor change.
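As an added example that is not part of the original article or any vendor product, the following Python script runs the annual review described above over a BAA inventory: it flags missing agreements, agreements executed before the Omnibus Rule, expired agreements, stale or absent subcontractor flow-down verification, missing insurance evidence, and undocumented PHI scope. The vendor records, dates, field names, and the 365-day staleness threshold are constructed assumptions of this example.

```python
"""Added example: an annual-review pass over a BAA inventory.

Illustrative code written for this article, not an HHS or vendor tool.
All records are constructed sample data; field names, the 365-day
subcontractor-verification threshold, and the use of the Omnibus Rule
publication date as the "pre-Omnibus" cutoff are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# HIPAA Omnibus Rule publication date (78 FR 5566, January 25, 2013).
# Assumption: an agreement executed before this date and never re-papered
# is flagged for replacement.
OMNIBUS_RULE_DATE = date(2013, 1, 25)

# Constructed review date for the sample run.
REVIEW_DATE = date(2026, 5, 12)


@dataclass(frozen=True)
class BAARecord:
    vendor: str
    effective: Optional[date]               # None = no signed BAA on file
    expires: Optional[date]                 # None = evergreen, no renewal trigger
    subcontractor_verified: Optional[date]  # last date flow-down evidence was checked
    insurance_expires: Optional[date]       # None = no cyber liability evidence on file
    phi_scope: Tuple[str, ...] = ()         # data categories / storage locations


def review_record(rec: BAARecord, today: date,
                  max_subcontractor_age_days: int = 365) -> List[str]:
    """Return the findings for one record; an empty list means no action."""
    findings: List[str] = []
    if rec.effective is None:
        findings.append("no signed BAA on file; stop sharing PHI until executed")
    elif rec.effective < OMNIBUS_RULE_DATE:
        findings.append("pre-Omnibus BAA (executed before 2013-01-25); replace")
    if rec.expires is not None and rec.expires < today:
        findings.append(f"BAA expired {rec.expires.isoformat()}; renew or terminate")
    if rec.subcontractor_verified is None:
        findings.append("subcontractor flow-down never verified")
    elif (today - rec.subcontractor_verified).days > max_subcontractor_age_days:
        findings.append("subcontractor flow-down verification stale; request current list")
    if rec.insurance_expires is None:
        findings.append("no cyber liability insurance evidence on file")
    elif rec.insurance_expires < today:
        findings.append(f"insurance evidence expired {rec.insurance_expires.isoformat()}")
    if not rec.phi_scope:
        findings.append("PHI scope not documented")
    return findings


def review_inventory(inventory: List[BAARecord], today: date) -> Dict[str, List[str]]:
    """Map vendor name -> findings, omitting vendors with nothing to fix."""
    result: Dict[str, List[str]] = {}
    for rec in inventory:
        findings = review_record(rec, today)
        if findings:
            result[rec.vendor] = findings
    return result


# Constructed sample inventory: fictional vendors and dates.
SAMPLE_INVENTORY = [
    BAARecord("cloud-host", date(2024, 3, 1), None, date(2025, 11, 15),
              date(2026, 12, 31), ("ePHI at rest", "us-east")),
    BAARecord("transcription-legacy", date(2011, 6, 1), None, None, None,
              ("dictation audio",)),
    BAARecord("billing-vendor", date(2023, 1, 10), date(2026, 1, 10),
              date(2024, 12, 1), date(2026, 9, 30), ("claims data",)),
    BAARecord("analytics-saas", None, None, None, None, ()),
]


def review_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for vendor, findings in review_sample().items():
        print(vendor)
        for item in findings:
            print("  -", item)
```

In the sample run, cloud-host produces no findings, transcription-legacy is flagged as pre-Omnibus with no subcontractor verification and no insurance evidence, billing-vendor has an expired agreement and a stale subcontractor check, and analytics-saas has no BAA at all. Wiring the same function to an export from a vendor risk register turns the annual review into a repeatable report rather than a manual pass over a spreadsheet.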

International BAAs and Cross-Border PHI

HIPAA does not prohibit processing or storing PHI outside the United States, but its protections follow the data. A business associate based outside the US is subject to HIPAA if it handles PHI of US patients for a US covered entity.

Practical issues with international BAAs:

  • Non-US courts may not enforce HIPAA-based contract claims, which limits the practical value of indemnification clauses in the event of a foreign vendor breach
  • Data localization laws in some jurisdictions (including requirements in certain EU member states for specific data categories) can conflict with BAA obligations around returning or destroying PHI
  • HIPAA and GDPR can apply to the same dataset when EU residents receive care from US providers — both frameworks apply in full and neither displaces the other
  • HHS has jurisdiction over foreign business associates but faces practical enforcement limits

Most covered entities address this by requiring BAAs to specify US data residency or to require written approval before any international transfer.


Frequently Asked Questions

Is a BAA the same as a HIPAA-compliant vendor agreement?

No. A vendor can implement appropriate security safeguards without the legal contract that creates HIPAA obligations. The BAA is the contract; operational compliance is what the vendor does under that contract. Both are required. A vendor with excellent security controls but no signed BAA is still a HIPAA violation waiting to be cited.

What happens if a vendor refuses to sign a BAA?

PHI cannot be shared with that vendor. If the service is operationally essential and the vendor will not sign, the options are: redesign the workflow to keep PHI out of the vendor's systems entirely (through de-identification or architectural separation of identifiers from clinical data), or change vendors. The business reason for needing the service does not create an exception.

Do we need a BAA with our cloud provider?

Yes, if the cloud provider stores, processes, or can access PHI. AWS, Azure, Google Cloud, and Oracle Cloud all offer BAAs for qualifying service tiers, and each publishes a list of HIPAA-eligible services. Using a service not on that list for PHI storage or processing is a violation regardless of whether a BAA exists for other services on the platform.

How often should BAAs be reviewed and updated?

HIPAA sets no fixed interval. A common practice is a full review of each agreement at least every two years, with the inventory itself checked annually, and a review of the affected agreements at any of the following: HIPAA regulatory change, merger or acquisition involving either party, a breach incident, change in the scope of services, or a change in the business associate's subcontractors. A BAA that has not been updated since the Omnibus Rule compliance date (September 23, 2013) should be replaced immediately.

Can a small practice use one BAA template for all vendors?

Yes. A standard template covering the mandatory provisions from 45 CFR 164.504(e)(2), with an attachment that describes each vendor's specific PHI access and subcontractors, is a practical approach for small and mid-size practices. The HHS sample provisions are a reasonable framework; a healthcare attorney should review the final template before first use.

Does HIPAA require a specific breach notification timeline in the BAA itself?

No. 45 CFR 164.410 sets only a federal maximum of 60 calendar days from the business associate's discovery. The BAA can require a shorter window, and most do. A 24-72 hour contractual requirement matters because, where the business associate is the covered entity's agent, the covered entity's own 60-day clock for notifying individuals under 45 CFR 164.404 starts when the business associate discovers the breach; a short contractual window preserves time for the covered entity to investigate before its own deadlines for individual, HHS, and media notification arrive.

Are criminal penalties possible for not having a required BAA?

Operating without a required BAA is almost always a civil matter. Criminal liability under 42 U.S.C. 1320d-6 requires knowing, intentional misuse of PHI — typically for personal gain or malicious purposes. The civil penalty tiers at 45 CFR 160.404 are the more relevant exposure for BAA failures.

Sources used

  1. 45 CFR 164.504(e) — accessed 2026-05-12
  2. HIPAA Omnibus Rule (January 25, 2013) — accessed 2026-05-12
  3. 45 CFR 164.410 — accessed 2026-05-12
  4. 45 CFR 164.314(a) — accessed 2026-05-12
  5. HHS OCR sample business associate agreement provisions — accessed 2026-05-12
  6. 45 CFR 160.103 — accessed 2026-05-12
  7. 45 CFR 164.524 — accessed 2026-05-12
  8. 45 CFR 164.526 — accessed 2026-05-12
  9. 45 CFR 164.528 — accessed 2026-05-12
  10. OCR resolution agreements — accessed 2026-05-12
  11. 45 CFR 160.404 — accessed 2026-05-12
  12. 42 U.S.C. 1320d-6 — accessed 2026-05-12
  13. 45 CFR 164.404(c) — accessed 2026-05-12

Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.