[Image: A document showing a workflow to draft a HIPAA business associate agreement]

In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA), establishing the national standards for safeguarding sensitive patient data. This framework applies to all healthcare organizations that handle protected health information (PHI). Its reach also extends to external vendors and service providers, known as business associates, that support healthcare organizations.

To encourage accountability, HIPAA requires covered entities to enter into a business associate agreement (BAA) with their external partners that access PHI. The agreement is mandatory to stay HIPAA-compliant and demonstrate strong data protection practices to clients and partners. 

This article breaks down the key components of HIPAA BAAs, including:

  • Who’s required to sign one
  • What its five key provisions are

What is a HIPAA business associate agreement?

A business associate agreement (BAA) is a legally binding contract between a covered entity (CE) and a business associate (BA) that handles PHI on the entity's behalf. The document outlines how PHI must be safeguarded, stored, used, and disclosed in compliance with HIPAA.

Bonus: Learn about covered entities and business associates thoroughly in our dedicated guide.

Drafting and signing a BAA is mandatory whenever a covered entity shares PHI—such as billing information or medical records—with a business associate. However, there are exceptions where the two parties don’t need to sign a BAA.

For example, a BAA is not required when PHI is disclosed between covered entities for purposes permitted under the HIPAA Privacy Rule, such as treatment, payment, or healthcare operations (TPO). However, if a third-party vendor is performing those functions on behalf of a covered entity, and requires access to PHI, a BAA is still required.

Other examples where a BAA may not be necessary include:

  • Disclosing PHI for a patient’s treatment
  • Disclosing PHI for payment between a provider and a health plan
  • Sharing PHI between a hospital lab and a reference lab for patient treatment
  • Using a conduit service, such as the U.S. Postal Service, to transport PHI

Who needs to sign a BAA?

As noted earlier, every business associate that handles PHI in any capacity must sign a BAA.

A business associate is any individual or organization that performs activities or functions on behalf of a covered entity and requires access to PHI to do so. For example, an IT service provider that manages a hospital’s data system must sign a BAA with that hospital. Common examples of BAs include:

  • Cloud storage providers
  • Billing companies
  • Claims processors
  • Accounting firms 

In some cases, a covered entity may be considered a business associate if it provides services to another covered entity and handles PHI in the process. For example, a hospital that provides centralized billing services for an affiliated clinic will be a BA to the latter.

The scope of BAAs also extends to subcontractors hired by business associates. If a BA authorizes a subcontractor to access, create, receive, or transmit PHI, the subcontractor must be bound by a BAA. For example, a cloud storage provider (business associate) contracts a data backup company (subcontractor) to store encrypted patient records. In this case, the data backup company will sign a BAA. Covered entities remain indirectly responsible for ensuring downstream compliance and may choose to require visibility as part of their due diligence.

“HIPAA does not require covered entities to have access to the BAAs their business associates sign with subcontractors—but it also doesn’t prohibit it. While the law mandates that subcontractors be contractually bound to HIPAA-compliant obligations, whether a covered entity can review those agreements depends entirely on what the CE-BA contract explicitly allows.”

Evan Rowse

What happens if you don't sign a BAA?

Failing to sign a BAA is a direct violation of HIPAA. Both covered entities and business associates can be held accountable and be subject to fines and penalties. These penalties are determined based on the entity’s level of culpability and the severity of the offense, and can range from steep fines to criminal charges.

Vanta’s latest HIPAA violation report cites missing BAAs as one of the leading causes of HIPAA violations. In the past, such situations were resolved with milder consequences, such as following a corrective action plan.


What are the key provisions of a BAA?

In addition to governing how PHI is used and disclosed by the business associate or subcontractor per the Privacy Rule, a BAA also includes several provisions. Here are the five essential ones:

  1. Implementing appropriate safeguards
  2. Notifying in case of breaches
  3. Maintaining detailed documentation of PHI uses
  4. Assuring HIPAA compliance of subcontractors
  5. Terminating the contract in case of violations

You can review other provisions that may be outlined in a BAA in the model agreement shared by HHS.

1. Implementing appropriate safeguards

To meet this BAA provision, you must comply with the HIPAA Security Rule, which outlines measures to protect the safety, integrity, and availability of electronic protected health information (ePHI).

Complying with this rule requires implementing three types of safeguards, outlined in the table below:

Administrative safeguards: practices, policies, and procedures for securely managing ePHI. Examples:
  • Conducting regular risk analysis
  • Holding security training for employees
  • Outlining a plan in case of security incidents

Technical safeguards: technology solutions for protecting and controlling access to ePHI. Examples:
  • Encrypting data
  • Implementing systems for tracking user activity
  • Setting role-based access controls

Physical safeguards: physical measures to protect systems and data from unauthorized access. Examples:
  • Introducing procedures for safely disposing of ePHI
  • Defining visitor management protocols for facilities where ePHI is stored
  • Locking server rooms

2. Notifying in case of breaches

This provision requires compliance with the Breach Notification Rule, which outlines the following:

  • What qualifies as a breach
  • How to evaluate the associated risks
  • What is the required timeframe for reporting the breach

Regarding reporting timelines, you’ll have to adhere to the same deadlines that apply to covered entities. Specifically, you must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach. The covered entity is then responsible for notifying affected individuals within the same deadline.

If the breach involves over 500 individuals, the covered entity must also notify the U.S. Department of Health and Human Services (HHS). These larger breaches can be viewed on the HHS breach portal.

To clarify further, the table below outlines the required reporting process and compliance timeline:

Subcontractor
  • Reports to: the business associate (BA)
  • Trigger: any acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises its privacy or security
  • Deadline: without unreasonable delay, and no later than 60 days from discovery
  • Regulatory responsibility: directly regulated as a BA when handling PHI on behalf of a BA

Business associate (BA)
  • Reports to: the covered entity
  • Trigger: any acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that compromises its privacy or security
  • Deadline: without unreasonable delay, and no later than 60 days from discovery
  • Regulatory responsibility: directly liable under HIPAA; must notify the CE and may assist in patient notification

Covered entity (CE)
  • Reports to: HHS, affected individuals, and, in some cases, the media
  • Trigger: a breach of unsecured PHI involving the CE or reported by a BA or subcontractor
  • Deadline (HHS): without unreasonable delay, and no later than 60 days from discovery if 500 or more individuals are affected; annually for breaches affecting fewer than 500
  • Deadline (individuals): without unreasonable delay, and no later than 60 days from discovery
  • Regulatory responsibility: directly responsible for breach notification under the HIPAA Breach Notification Rule


3. Maintaining detailed documentation of PHI uses

Covered entities are ultimately responsible for ensuring HIPAA compliance across all vendors and partners that handle PHI. Depending on the contractual terms, a covered entity may reserve the right to audit its business associates to verify if they're upholding required privacy and security standards, including maintaining documentation.

Both CEs and BAs must maintain comprehensive documentation of all PHI-related activities to demonstrate transparency and be prepared for audits. Examples of essential records include:

  • Access logs
  • Risk assessment records
  • Breach reports
  • HIPAA training logs

This kind of meticulous record-keeping can be time-consuming and error-prone when done manually, especially when the data flows across cross-functional teams. To systemize the process, many organizations turn to automation tools that can fast-track collecting evidence, creating reports, and identifying compliance gaps.

4. Assuring the HIPAA compliance of subcontractors

Similar to covered entities, business associates are required to ensure that any subcontractors they engage are compliant with HIPAA regulations, provided those subcontractors handle PHI on the business associates’ behalf.

Note that the primary BAA between a covered entity and a business associate does not extend to subcontractors. HIPAA requires that business associates establish a separate BAA with each of their subcontractors. Here’s how the process takes place:

  1. The covered entity signs a BAA with the business associate
  2. The business associate then signs a BAA with any subcontractor that accesses PHI

Many organizations conduct risk assessments and vetting during onboarding to ensure their business associates and subcontractors meet their internal security and compliance standards.

5. Terminating the contract in case of violations

One purpose of HIPAA BAA requirements is to protect covered entities from liability arising from the actions of their business associates. 

Before the BAA requirement was introduced, covered entities could still be held accountable for breaches committed by business associates, particularly if they failed to exercise due diligence in selecting or overseeing them.

To address this issue, HIPAA provision 45 CFR 164.504(e)(1)(iii) mandates that covered entities take reasonable steps to address a business associate’s breach or violation of the agreement. If the corrective efforts are unsuccessful, the covered entity can terminate the contract to remain compliant. 

This provision gives covered entities a legitimate basis to verify that their business associates and any downstream subcontractors are compliant with HIPAA requirements under the terms of the BAA.

Remember that business associates are also legally responsible for implementing HIPAA compliance workflows to maintain a relationship with CEs, whether that means documentation, subcontractor oversight, or breach response.


Streamline HIPAA compliance and policies with Vanta

Vanta is a compliance and trust management platform that streamlines many tedious HIPAA compliance processes, including creating BAAs. The platform comes with a customizable policy builder that helps you tailor predesigned templates for different use cases.

With built-in vendor monitoring tools, you can maintain clear visibility over business associates and contractors that handle your ePHI. You no longer have to juggle spreadsheets or scattered documents—access your relevant compliance resources from a single dashboard.

Vanta offers compliance management support for 35+ regulations and frameworks, including SOC 2, HITRUST, and ISO 27001. If you’re looking for a HIPAA-specific solution, Vanta offers:

  • Automated evidence collection by integrating with 375+ tools
  • Real-time gap assessments
  • Over 20 ready-to-use document templates
  • In-app policy editor
  • Cross-mapping for existing controls
  • Built-in guidance and training that also define BAAs

Schedule a custom demo to see firsthand how Vanta can automate your HIPAA compliance efforts.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

Written by Vanta
Reviewed by Evan Rowse, GRC Subject Matter Expert