HIPAA Business Associate Agreement (BAA): 2026 Guide

A HIPAA Business Associate Agreement, usually shortened to HIPAA BAA, is a written contract that a covered entity must sign with any vendor that will create, receive, maintain, or transmit Protected Health Information (PHI) on its behalf. Without a signed BAA in place, handing PHI to a vendor is itself a HIPAA violation, regardless of whether the vendor has strong security controls.

This guide explains exactly when you need a BAA, what HIPAA requires the contract to contain, how subcontractor BAAs work, and the specific mistakes that have generated seven-figure enforcement penalties from the HHS Office for Civil Rights.

What Is a HIPAA Business Associate Agreement?

A HIPAA BAA is a federally mandated contract created by the HIPAA Privacy Rule and expanded by the HITECH Act of 2009. It binds a vendor (the business associate) to specific obligations around how it handles PHI received from a covered entity such as a hospital, health plan, healthcare clearinghouse, or a HIPAA-regulated provider.

The purpose is to extend HIPAA's security, privacy, and breach notification requirements beyond the covered entity itself and into its vendor supply chain. Before HITECH, vendors were only contractually bound through the BAA. After HITECH, business associates became directly liable for HIPAA violations and can be fined by HHS even if the covered entity is fully compliant.

The requirement is regulatory rather than statutory: 45 CFR 164.502(e) and 164.308(b) require the contract, and 45 CFR 164.504(e) and 164.314(a) specify what it must contain. The Office for Civil Rights publishes a sample BAA provisions document that many organizations use as a starting point.

A BAA is not optional and cannot be waived. If PHI touches the vendor, the BAA is required, period.

Who Needs to Sign a Business Associate Agreement?

BAAs flow in a predictable pattern based on who handles PHI and in what role.

Covered entities must sign BAAs with any business associate they engage. The three categories of covered entities defined by HIPAA are:

  • Healthcare providers who transmit health information electronically (hospitals, clinics, dental practices, behavioral health, home health, pharmacies)
  • Health plans (insurers, HMOs, Medicare, Medicaid, and employer group health plans, except self-administered plans with fewer than 50 participants)
  • Healthcare clearinghouses (entities that process non-standard health data into standard formats)

Business associates are vendors and service providers that handle PHI on behalf of a covered entity. Typical examples include:

  • Cloud hosting providers (AWS, Azure, Google Cloud) when they store PHI
  • Electronic Health Record (EHR) vendors
  • Medical billing and coding companies
  • Practice management software vendors
  • Telehealth platforms
  • IT services, managed service providers, and helpdesk vendors with routine access to systems that hold PHI
  • Data destruction companies
  • Transcription services
  • Cybersecurity tools that process PHI in logs or security alerts
  • Email and SMS messaging platforms used for patient communication
  • Analytics platforms that ingest patient data

Not business associates (no BAA required):

  • Conduit-only services that merely transport data without accessing it (traditional telecommunications carriers, postal services, basic ISPs)
  • Members of a covered entity's workforce
  • Other covered entities in a treatment relationship (provider-to-provider treatment does not create a BAA requirement)

The conduit exception is narrow. A cloud storage provider that holds PHI, even encrypted, does not qualify for the conduit exception because it has persistent access to the data. OCR's interpretation has consistently rejected attempts by cloud providers to avoid BAAs under this exception.

What HIPAA Requires a BAA to Include


The HIPAA Privacy and Security Rules specify the minimum required provisions of a business associate agreement. A BAA that omits any of these provisions is not compliant, and signing it does not satisfy the covered entity's obligations.

Mandatory BAA provisions under 45 CFR 164.504(e)(2):

  1. Describe the permitted and required uses and disclosures of PHI by the business associate
  2. Prohibit the business associate from using or further disclosing PHI except as permitted by the contract or required by law
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including compliance with the Security Rule for electronic PHI
  4. Require the business associate to report to the covered entity any use or disclosure not provided for by the contract, including breaches of unsecured PHI as defined in 45 CFR 164.410
  5. Require the business associate to ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf agree to the same restrictions and conditions (subcontractor BAAs)
  6. Make PHI available to individuals exercising their right of access under 45 CFR 164.524
  7. Make PHI available for amendment under 45 CFR 164.526 and incorporate any amendments
  8. Make available the information required to provide an accounting of disclosures under 45 CFR 164.528
  9. To the extent the business associate carries out a covered entity's Privacy Rule obligation, comply with the requirements that apply to the covered entity in performing that obligation
  10. Make internal practices, books, and records available to HHS for compliance determinations
  11. At termination, return or destroy all PHI (or extend BAA protections and limit further uses if return or destruction is not feasible)
  12. Authorize termination of the contract if the covered entity determines the business associate has violated a material term

The Security Rule adds a parallel requirement in 45 CFR 164.314(a): the BAA must require the business associate to comply with 45 CFR Part 164 Subpart C (the HIPAA Security Rule) with respect to electronic PHI, to report security incidents of which it becomes aware, including breaches of unsecured PHI, and to ensure that its subcontractors agree to the same.

Common provisions that are optional but recommended:

  • Specific breach notification timelines (HIPAA requires notification without unreasonable delay and within 60 days, but many BAAs tighten this to 24 to 72 hours)
  • Indemnification clauses for breach-related costs
  • Liability caps and insurance minimum requirements (cyber liability is now standard)
  • Data residency and international transfer restrictions
  • Audit rights for the covered entity
  • Background check requirements for the business associate's workforce accessing PHI
  • Minimum encryption standards (AES-256 at rest, TLS 1.2+ in transit)

Subcontractor BAAs: The Downstream Chain

Under HITECH, when a business associate hires another vendor to help handle PHI, that downstream vendor is also a business associate, and a separate BAA is required between the business associate and the subcontractor.

This creates a chain. A hospital signs a BAA with an EHR vendor. The EHR vendor uses AWS for hosting, so the EHR vendor signs a BAA with AWS. The EHR vendor also uses Datadog for application monitoring, so the EHR vendor signs a BAA with Datadog. Every link in the chain requires its own BAA.

Three rules make the subcontractor chain enforceable:

  1. Each business associate is directly liable under HIPAA for its own compliance
  2. Each business associate must sign BAAs with its own subcontractors that handle PHI
  3. A covered entity is not automatically liable for a subcontractor breach, but the business associate in the middle is liable if it failed to execute a required BAA with the subcontractor

A 2022 enforcement action against a business associate included a $75,000 penalty specifically for failing to obtain BAAs with its subcontractors. Covered entities increasingly require their business associates to provide evidence of subcontractor BAAs during vendor due diligence.

Common BAA Mistakes That Trigger Enforcement

The HHS Office for Civil Rights reviews BAAs as a routine part of any HIPAA complaint investigation or audit. These are the failure patterns that most often surface during enforcement.

No signed BAA at all. Advocate Health Care paid a $5.55 million settlement in 2016 that included, among other findings, the failure to have a required BAA with a vendor. Raleigh Orthopaedic Clinic paid $750,000 the same year for handing X-ray films to a vendor without a BAA. The dollar amounts vary widely; what matters is that enforcement is active and ongoing.

Incorrectly relying on the conduit exception. Many vendors claim they do not need a BAA because they only pass data through. Unless the vendor never has the ability to access or store PHI, the conduit exception does not apply. Cloud storage, managed databases, and email delivery services almost never qualify.

Using a vendor's "standard" BAA without review. Many SaaS vendors offer a BAA, but their templates are often weighted heavily in the vendor's favor (low liability caps, long breach notification windows, broad rights to use PHI for service improvement). Covered entities should negotiate the specific terms, not just request and sign whatever the vendor provides.

Missing subcontractor flow-down language. A BAA that requires the business associate to obtain equivalent protections from its subcontractors, but does not specify the actual provisions, is often unenforceable in practice. Best practice is to incorporate the full list of mandatory provisions by reference.

Failing to terminate PHI obligations at contract end. A BAA must address what happens to PHI at termination. A clause that says "return or destroy all PHI" is incomplete without addressing what happens if return or destruction is not feasible, in which case the BAA obligations must continue for as long as the PHI is retained.

Not updating BAAs after the Omnibus Rule (2013). Many organizations still operate with pre-HITECH BAAs that do not reflect the direct liability of business associates, breach notification obligations under the HITECH Act, or subcontractor requirements. These BAAs are not compliant. The Omnibus Rule was published January 25, 2013, applied to new contracts from September 23, 2013, and gave existing contracts a transition period that ended September 22, 2014; any BAA not revised since then should be reviewed and likely replaced.

BAA Templates and Cost


HHS publishes sample business associate agreement provisions at no cost. These are starting points, not finished contracts, and should be reviewed by healthcare counsel before execution.

Typical BAA legal review costs:

| Scenario | Typical Cost Range |
|---|---|
| Using HHS sample provisions as-is (small practice) | $0 to $500 |
| Customizing a template for a specific vendor engagement | $1,500 to $4,000 |
| Negotiating a vendor-provided BAA with counsel | $3,000 to $8,000 |
| Enterprise BAA framework with playbooks for recurring vendor types | $15,000 to $40,000 |

The highest ROI investment is usually building a standard BAA template once, then using it as the covered entity's opening position for every vendor negotiation. This can reduce per-vendor legal spend by 70 to 90 percent after the initial investment.

Managing BAAs at Scale

For covered entities with more than 20 or 30 vendors that handle PHI, ad hoc BAA management becomes untenable. A missing, expired, or outdated BAA creates direct legal exposure, and OCR auditors will ask to see the current BAA inventory.

Minimum BAA inventory fields:

  • Vendor name and primary contact
  • BAA version and effective date
  • Expiration or renewal date
  • Scope of PHI handled (categories, volume, geographic locations)
  • Subcontractor flow-down verification status
  • Breach notification history
  • Cyber insurance evidence on file

GRC platforms such as Vanta, Drata, and Compliancy Group offer BAA tracking modules that integrate with vendor management workflows. For organizations already maintaining a vendor risk register, adding BAA fields to the register is often the simplest approach.
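The gaps OCR asks about first (a vendor that touches PHI with no BAA, an expired or stale agreement, a BAA that predates the Omnibus Rule, unverified subcontractor flow-down, or a vendor leaning on the conduit exception while actually storing PHI) are all mechanical checks against the inventory fields above. The script below is an added example, not code from the article or from any GRC product; the record layout, the two-year review interval, the 90-day expiry warning, and the sample vendors are all constructed for illustration.

```python
"""Audit a BAA inventory for the gaps an OCR reviewer asks about first.

Added example, not part of the original article. The record layout,
policy thresholds and sample vendors are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Omnibus Rule compliance date; a BAA signed before this needs replacing.
OMNIBUS_COMPLIANCE_DATE = date(2013, 9, 23)
# Assumed internal policy: review every two years, warn 90 days before expiry.
REVIEW_INTERVAL = timedelta(days=730)
EXPIRY_WARNING = timedelta(days=90)


@dataclass
class VendorRecord:
    vendor: str
    handles_phi: bool                  # creates, receives, maintains or transmits PHI
    stores_phi: bool                   # persistent access or storage (defeats conduit)
    claims_conduit: bool = False       # vendor asserts the conduit exception
    baa_signed: Optional[date] = None
    baa_expires: Optional[date] = None
    last_reviewed: Optional[date] = None
    flowdown_verified: bool = False    # evidence of subcontractor BAAs on file


def audit_vendor(rec: VendorRecord, today: date) -> list[str]:
    """Return finding codes for one vendor; an empty list means no gap found."""
    findings: list[str] = []
    if not rec.handles_phi:
        return findings  # workforce members, treatment peers etc. are out of scope

    # The conduit exception is narrow: storage or persistent access disqualifies it.
    if rec.claims_conduit and rec.stores_phi:
        findings.append("CONDUIT_CLAIM_INVALID")
    elif rec.claims_conduit:
        return findings  # genuine transport-only conduit: no BAA required

    if rec.baa_signed is None:
        findings.append("NO_BAA")
        return findings  # nothing else to check until a BAA exists

    if rec.baa_signed < OMNIBUS_COMPLIANCE_DATE:
        findings.append("PRE_OMNIBUS_BAA")
    if rec.baa_expires is not None:
        if rec.baa_expires < today:
            findings.append("EXPIRED_BAA")
        elif rec.baa_expires - today <= EXPIRY_WARNING:
            findings.append("EXPIRING_SOON")
    # Fall back to the signature date when no review has been recorded.
    reviewed = rec.last_reviewed or rec.baa_signed
    if today - reviewed > REVIEW_INTERVAL:
        findings.append("REVIEW_OVERDUE")
    if not rec.flowdown_verified:
        findings.append("FLOWDOWN_UNVERIFIED")
    return findings


def audit_inventory(records: list[VendorRecord], today: date) -> dict[str, list[str]]:
    """Map vendor name -> findings, keeping only vendors with at least one gap."""
    result: dict[str, list[str]] = {}
    for rec in records:
        findings = audit_vendor(rec, today)
        if findings:
            result[rec.vendor] = findings
    return result


# Constructed sample inventory; none of these are real vendor records.
AUDIT_DATE = date(2025, 6, 15)
SAMPLE_INVENTORY = [
    VendorRecord("EHR vendor", True, True, baa_signed=date(2024, 3, 1),
                 baa_expires=date(2027, 3, 1), last_reviewed=date(2024, 3, 1),
                 flowdown_verified=True),
    VendorRecord("Cloud object storage", True, True, claims_conduit=True),
    VendorRecord("Telecom carrier", True, False, claims_conduit=True),
    VendorRecord("Legacy billing company", True, True, baa_signed=date(2011, 6, 1)),
    VendorRecord("Transcription service", True, True, baa_signed=date(2022, 1, 10),
                 baa_expires=date(2025, 1, 9), last_reviewed=date(2024, 5, 1),
                 flowdown_verified=True),
    VendorRecord("Analytics platform", True, True, baa_signed=date(2023, 9, 1),
                 baa_expires=date(2025, 8, 31), last_reviewed=date(2023, 9, 1),
                 flowdown_verified=True),
    VendorRecord("Staffing agency (no PHI)", False, False),
]

if __name__ == "__main__":
    for vendor, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{vendor}: {', '.join(findings)}")
```

Run against the constructed inventory, the cloud storage vendor is flagged twice (an invalid conduit claim and no BAA at all), the legacy billing company surfaces a pre-Omnibus agreement with no review and no flow-down evidence, the transcription BAA has lapsed, and the analytics BAA is inside its renewal window, while the carrier and the non-PHI staffing agency are correctly left alone. Swapping the hard-coded list for rows from a vendor risk register is the only change needed to run it on a real inventory.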

For a detailed view of how BAA management fits into a broader program, see our HIPAA compliance guide and the HIPAA risk assessment process. If your vendor touches billing, scheduling, or payment, PHI often intersects with financial data, which is why PCI and HIPAA programs are increasingly merged in healthcare IT.

Breach Notification Obligations Under a BAA

When a business associate discovers a breach of unsecured PHI, two clocks start. The federal clock under the HITECH breach notification rule (45 CFR 164.410) requires notification to the covered entity without unreasonable delay, and in no case later than 60 calendar days after discovery. The contractual clock is whatever the BAA specifies, usually tighter than 60 days.

What counts as breach discovery:

  • The date the breach is known to the business associate
  • The date the breach would have been known through reasonable diligence
  • Knowledge by any employee or agent of the business associate, other than the person who caused the breach, counts as discovery by the business associate

Information the business associate must provide to the covered entity:

  • Identity of affected individuals (or approximation if identities are unknown)
  • Description of what happened, including the date of breach and date of discovery
  • Types of unsecured PHI involved
  • Steps the business associate is taking to mitigate harm
  • Steps the business associate is taking to prevent recurrence

The covered entity then assumes responsibility for notifying affected individuals, HHS, and (for breaches affecting 500 or more residents of a state or jurisdiction) the media. Some BAAs delegate individual notification to the business associate, but HHS still holds the covered entity ultimately responsible.

International BAAs and Cross-Border Data


HIPAA does not prohibit storing or processing PHI outside the United States, but it does require that protections continue to apply regardless of geography. A business associate based outside the US is still subject to HIPAA if it handles PHI of US-based individuals for a US-based covered entity.

Practical considerations for international BAAs:

  • Non-US courts may not enforce HIPAA-based contract claims, which affects the practical value of indemnification clauses
  • Data localization laws in certain jurisdictions (China, Russia, some EU member states on specific data categories) may conflict with BAA obligations
  • HIPAA and GDPR can apply to the same dataset, particularly for EU residents receiving care from US providers. In that case, both frameworks apply in full and neither supersedes the other
  • HHS can investigate foreign business associates but faces practical enforcement limits; covered entities should assess this risk before engaging international vendors for PHI handling

Most risk-averse covered entities require BAAs to specify US data residency or to require prior written approval for any international transfer.


Frequently Asked Questions

Is a BAA the same as a HIPAA-compliant vendor agreement?

No. A vendor can be "HIPAA-compliant" in the sense of having appropriate safeguards without the legal document that creates direct HIPAA liability. The BAA is the contract; HIPAA compliance is the operational state. Both are required.

What happens if a vendor refuses to sign a BAA?

You cannot share PHI with that vendor. If the service is essential and the vendor will not sign, you must either redesign the workflow to keep PHI out of the vendor's systems (de-identification, separation of identifiers from clinical data) or change vendors. Sharing PHI without a BAA is a HIPAA violation regardless of the business reason.

Do we need a BAA with our cloud provider?

Yes, if the cloud provider stores, processes, or has access to PHI. All major cloud providers (AWS, Azure, Google Cloud, Oracle Cloud) offer BAAs for their HIPAA-eligible services. Each provider publishes a list of services covered by their BAA, and only those services may be used for PHI. Using a non-listed service for PHI is a violation.

How often should we review and update our BAAs?

At minimum, every two years or upon any of the following triggers: a change in HIPAA regulations, a merger or acquisition involving either party, a breach incident, a change in the scope of services, or a change in subcontractors. Many large covered entities run a full BAA inventory audit annually.

Can a small practice use a single BAA template for all vendors?

Yes, with adjustments for vendor-specific scope. A standard template covering the mandatory provisions, with a schedule that describes each vendor's specific PHI access, is a practical model for small and mid-size practices. The HHS sample BAA provisions provide the framework, and a healthcare attorney should review the final template before first use.

Does HIPAA require a specific breach notification timeline in the BAA?

HIPAA sets a maximum of 60 calendar days from breach discovery. The BAA can and typically should require faster notification. Most healthcare contracts today specify 24 to 72 hours, which gives the covered entity time to investigate before the HHS 60-day clock forces a decision.

Are there criminal penalties for not having a required BAA?

HIPAA civil penalties apply to most BAA failures and are tiered by culpability, with an annual cap per violation category that is adjusted for inflation each year and currently sits around $2 million. Criminal penalties under 42 U.S.C. 1320d-6 apply when PHI is knowingly obtained or disclosed in violation of HIPAA, particularly for commercial advantage, personal gain, or malicious harm. The failure to execute a BAA on its own is almost always a civil, not criminal, matter.

James Mitchell
Author
James Mitchell covers topics in this category and related fields. Views expressed are editorial and based on research and experience.