Glossary
Business Associate Agreement (BAA)
A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity (healthcare provider, health plan, or clearinghouse) and a business associate (vendor that creates, receives, maintains, or transmits Protected Health Information on behalf of the covered entity) that specifies the business associate’s obligations for safeguarding PHI.
Definition
A Business Associate Agreement (BAA) is the formal, legally binding contract that HIPAA requires a covered entity to execute with any business associate before disclosing Protected Health Information. The covered entity may be a healthcare provider, health plan, or healthcare clearinghouse. The business associate is any vendor, contractor, or subcontractor that creates, receives, maintains, or transmits PHI on the covered entity’s behalf — a broad category that encompasses cloud software platforms, EHR integration partners, medical transcription services, billing companies, AI call platforms, and analytics vendors, among others.
Without a signed BAA, a covered entity cannot lawfully disclose PHI to a business associate under HIPAA’s Privacy Rule. The BAA is therefore a core compliance artifact that every healthcare provider must execute with any cloud software, call platform, EHR integration partner, medical transcription service, or other vendor that handles PHI. Failure to obtain a BAA before sharing PHI constitutes a Privacy Rule violation regardless of whether a breach occurs.
Regulatory basis
The BAA requirement is codified at 45 CFR 164.502(e) and 45 CFR 164.504(e) of the HIPAA Privacy Rule, which govern permissible uses and disclosures of PHI by covered entities. Security Rule obligations for business associates are addressed at 45 CFR 164.308(b), requiring that covered entities obtain satisfactory assurances that their business associates will implement appropriate administrative, physical, and technical safeguards to protect ePHI. The HITECH Act of 2009 further strengthened this framework by extending direct HIPAA liability to business associates, making them independently responsible for Security Rule compliance even absent a contract.
HHS publishes sample BAA provisions that covered entities and business associates can use as a drafting starting point. These sample provisions are not mandatory templates, but they illustrate the minimum elements that satisfy the regulatory requirements and are widely used in practice.
Who uses it and when it applies
- Required between any covered entity and any business associate before PHI is disclosed — the BAA must be in place prior to, not after, the first disclosure
- Business associates include: EHR vendors, billing services, transcription services, cloud storage providers, AI and call platforms handling PHI, analytics vendors, and consultants with PHI access
- Subcontractor BAAs: business associates must also execute BAAs with their own subcontractors that handle PHI, creating a chain of contractual accountability down to each entity that touches the data
- Required provisions under 45 CFR 164.504(e): permitted uses and disclosures of PHI, safeguards commitment, breach notification obligations to the covered entity, subcontractor BAA requirements, termination conditions for material breach, and return or destruction of PHI at contract termination
Related terms
- HIPAA Compliance — the broader regulatory framework that mandates the BAA requirement
- ePHI — the electronic PHI most commonly in scope for vendor BAAs
- HITECH Act — the law that extended direct HIPAA liability to business associates
- Patient engagement — programs that typically require vendor BAAs before deploying digital touchpoints involving PHI
How Positive Check relates
Positive Check executes a Business Associate Agreement with every provider partner before any PHI is handled. The BAA covers Security Rule safeguards, breach notification SLAs, subcontractor provisions, and PHI destruction at termination. Learn more about how the platform is structured on the Positive Check platform overview.
Reviewed against current HHS HIPAA guidance and the HHS sample BAA provisions. Last updated 2026-04-21.
