What Is a Business Associate Agreement and When Do You Need One
A practical guide for covered entities and business associates on one of the most frequently misunderstood HIPAA requirements.
The Business Associate Agreement is one of the most frequently cited gaps in HIPAA compliance programs. Organizations that have invested in privacy policies, security controls, and workforce training sometimes discover during an OCR audit or investigation that they have vendors accessing protected health information without a signed BAA in place. That gap is not a technicality. It is a direct violation of the Privacy Rule and a significant source of enforcement exposure.
This article explains what a Business Associate Agreement is, who qualifies as a business associate, when a BAA is required, what the agreement must contain, and the mistakes organizations most commonly make when managing their BAA programs.
What Is a Business Associate Agreement
A Business Associate Agreement is a written contract required by the HIPAA Privacy Rule whenever a covered entity engages a business associate to perform services that involve creating, receiving, maintaining, or transmitting protected health information on the covered entity’s behalf. The BAA establishes the permitted uses and disclosures of PHI by the business associate, obligates the business associate to implement appropriate safeguards, and defines the business associate’s responsibilities in the event of a breach.
The requirement is codified at 45 CFR 164.502(e) and 45 CFR 164.504(e). The Privacy Rule prohibits covered entities from disclosing PHI to a business associate unless the covered entity obtains satisfactory assurances, in the form of a written contract, that the business associate will appropriately safeguard the information.
The BAA is not a privacy notice to patients. It is not a vendor confidentiality agreement. It is a specific contract with specific required provisions, and a generic NDA does not satisfy the requirement even if it covers confidential information broadly.
Who Is a Business Associate
A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. The definition is broad and catches many organizations that do not think of themselves as healthcare entities.
Common categories of business associates include:
Medical billing and revenue cycle management companies. Any organization that processes claims, submits billing to payers, or manages collections on behalf of a covered entity is handling PHI and qualifies as a business associate.
Electronic health record vendors. EHR and practice management software vendors that store or process patient records on behalf of a covered entity are business associates, regardless of whether the data is hosted in the vendor’s cloud environment or on the covered entity’s premises.
IT service providers and managed service providers. An IT vendor that has access to systems containing ePHI — even if it is not actively reading patient records — qualifies as a business associate. Remote monitoring, server administration, and help desk services all create business associate relationships when ePHI systems are in scope.
Cloud service providers. Any cloud vendor that stores, processes, or transmits ePHI on behalf of a covered entity is a business associate. This includes general-purpose cloud platforms like AWS, Azure, and Google Cloud when used to host healthcare applications or data, as well as healthcare-specific SaaS platforms.
Transcription and coding services. Medical transcription vendors, coding companies, and any service that processes clinical documentation containing patient information are business associates.
Legal, accounting, and consulting firms. Attorneys, accountants, and consultants who access PHI in the course of providing services to a covered entity qualify as business associates. A healthcare attorney reviewing patient records in connection with litigation, or an auditing firm reviewing claims data, requires a BAA.
Shredding and disposal companies. Vendors that destroy paper records or electronic media containing PHI are business associates. Physical destruction of PHI-containing media is a covered function under the Privacy Rule.
Subcontractors of business associates. When a business associate engages a subcontractor to assist with functions involving PHI, the subcontractor also becomes a business associate and requires its own BAA with the primary business associate. This chain of agreements extends through every level of the vendor relationship.
When a BAA Is Not Required
Not every vendor relationship requires a Business Associate Agreement. Several categories of relationships are explicitly excluded from the business associate definition under the Privacy Rule.
Members of the covered entity’s workforce. Employees, volunteers, and trainees who perform functions for the covered entity under its direct supervision are not business associates. Their access to PHI is governed by the covered entity’s own privacy and security policies, not by a BAA.
Covered entities disclosing to other covered entities for treatment purposes. When a covered entity discloses PHI to another covered entity for treatment purposes, such as a referring physician sharing records with a specialist, a BAA is not required. Both parties are independently subject to HIPAA.
Conduit providers. Entities that act as mere conduits for PHI transmission — internet service providers, the postal service, and courier services that transport PHI but do not have routine access to it — are not business associates. The distinction between a conduit and a business associate depends on whether the entity has persistent access to the PHI or is simply transmitting it.
Vendors with no PHI access. A vendor that provides services to a covered entity but has no access to PHI — a landscaping company, a non-IT equipment supplier — is not a business associate and does not require a BAA.
What a Business Associate Agreement Must Include
The Privacy Rule specifies what a BAA must contain at 45 CFR 164.504(e)(2). A compliant BAA must address the following elements:
Permitted uses and disclosures. The BAA must describe the specific purposes for which the business associate is permitted to use or disclose PHI. Uses and disclosures that are not described in the BAA are prohibited. The scope of permitted activity should align with the services the business associate is providing.
Prohibition on unauthorized use or disclosure. The BAA must require that the business associate not use or disclose PHI except as permitted by the agreement or required by law.
Appropriate safeguards. The BAA must require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. For electronic PHI, the agreement must require compliance with the Security Rule’s applicable requirements.
Breach reporting. The BAA must require the business associate to report to the covered entity any use or disclosure of PHI that is not permitted by the agreement, and any security incident of which it becomes aware. For reportable breaches, the business associate must notify the covered entity without unreasonable delay and in no case later than 60 days after discovery.
Subcontractor requirements. The BAA must require the business associate to ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions that apply to the business associate.
Individual rights access. The BAA must require the business associate to make PHI available to the covered entity as needed to fulfill patients’ rights of access and amendment under the Privacy Rule.
HHS access for compliance review. The BAA must require the business associate to make its internal practices, books, and records available to HHS for purposes of determining the covered entity’s compliance with the Privacy Rule.
Return or destruction of PHI upon termination. The BAA must provide that upon termination of the agreement, the business associate will return or destroy all PHI received from or created on behalf of the covered entity. If return or destruction is not feasible, the business associate must extend the protections of the BAA to the PHI and limit further uses and disclosures.
Common BAA Mistakes That Create Compliance Risk
No BAA in place at all. The most common mistake is simply failing to execute a BAA before allowing a vendor access to PHI. Organizations often discover this gap during audits when they cannot produce a signed agreement for a vendor that has been accessing their systems for years. OCR has levied significant penalties against covered entities for this failure.
Using a generic NDA instead of a compliant BAA. A standard non-disclosure agreement does not satisfy the BAA requirement even if it is comprehensive in its confidentiality protections. The Privacy Rule requires specific provisions that a generic NDA will not contain, including breach notification obligations, subcontractor requirements, and HHS access provisions.
Failing to update BAAs after regulatory changes. The HITECH Act significantly expanded business associate obligations in 2013, and organizations that had BAAs in place before those changes were required to update them. BAAs that were compliant under pre-HITECH rules may no longer satisfy current requirements.
No inventory of business associate relationships. Covered entities with multiple vendors and systems often do not have a complete inventory of which vendors qualify as business associates and whether BAAs are in place for each one. Without that inventory, gaps are inevitable. The inventory should be maintained as a living document and reviewed whenever a new vendor is engaged.
Assuming the vendor’s template BAA is compliant. Many vendors offer their own BAA templates. Those templates are written to protect the vendor’s interests, not to ensure the covered entity’s compliance. A covered entity that signs a vendor-provided BAA without reviewing it against the Privacy Rule’s requirements may find that the agreement is missing required provisions or contains terms that limit the covered entity’s rights in ways that create compliance problems.
Not tracking BAA expiration and renewal. Business relationships change over time, and BAAs can become outdated or lapse. Organizations that do not track BAA effective dates and renewal requirements risk operating without a current agreement in place even when the original BAA was compliant.
What Business Associates Need to Know
Business associates often focus on BAAs from the perspective of the contract they are asked to sign. But business associates have their own obligations that go beyond the terms of any individual agreement.
Under the HITECH Act, business associates are directly liable for compliance with the Security Rule’s administrative, physical, and technical safeguard requirements. A business associate that signs a BAA agreeing to implement appropriate safeguards must actually have those safeguards in place — documented security policies, a completed risk analysis, workforce training, and incident response procedures. The BAA is not a compliance program. It is a contract that presupposes a compliance program exists.
Business associates are also responsible for ensuring their own subcontractors have BAAs in place. A business associate that delegates PHI-related functions to a subcontractor without executing a subcontractor BAA is in violation of the Privacy Rule even if its own BAA with the covered entity is fully compliant.
Get a Compliant Business Associate Agreement Template
The HIPAA Essentials Library Business Associate Agreement template is a professionally written, fully compliant BAA covering all required Privacy Rule provisions. It is provided in editable Microsoft Word format so your organization can adapt it to specific vendor relationships, and it is available immediately after purchase.
For covered entities building a complete Privacy Rule documentation library, the Privacy Bundle includes the BAA template along with every core Privacy Rule policy your organization needs. Every template is provided in editable Microsoft Word format, available immediately after purchase.