A written contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI, safeguard requirements, and breach reporting obligations.
A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA whenever a covered entity engages a business associate that will create, receive, maintain, or transmit protected health information (PHI) on its behalf. The BAA defines the scope of the relationship, specifies what the business associate is permitted and prohibited from doing with the PHI, and establishes the safeguards the business associate must implement. The agreement must be in place before any PHI is shared; operating without a valid BAA is itself a HIPAA violation even if no breach ever occurs, and missing or deficient BAAs are among the most common compliance failures cited by the HHS Office for Civil Rights (OCR). Since the 2013 Omnibus Rule, business associates are directly liable for compliance with the Security Rule and with the terms of their BAAs, and must in turn obtain BAAs from any subcontractor that handles PHI on their behalf.
HIPAA regulations (45 CFR 164.504(e)) specify provisions that must appear in every BAA. The agreement must describe the permitted and required uses and disclosures of PHI; prohibit any use or further disclosure beyond what the contract or the law permits; require the business associate to implement appropriate safeguards, including compliance with the Security Rule for electronic PHI; require the business associate to report any use or disclosure not provided for by the contract, including breaches of unsecured PHI and security incidents; ensure that any subcontractors agree in writing to the same restrictions and conditions; make PHI available so individuals can exercise their rights of access, amendment, and accounting of disclosures; make the business associate's internal practices, books, and records available to HHS for determining compliance; require the return or destruction of PHI when the contract ends, or extended protections where return or destruction is infeasible; and authorize the covered entity to terminate the contract if the business associate violates a material term. Organizations commonly add provisions on encryption standards, breach notification deadlines shorter than the regulatory maximum, audit rights, indemnification, and cyber insurance coverage, though these go beyond the minimum HIPAA requirements.
The absence of a BAA has been the basis for numerous OCR enforcement actions, some resulting in multi-million-dollar settlements, typically uncovered during the investigation of an unrelated breach. Beyond the legal requirement, a well-drafted BAA is a practical tool for managing vendor risk and enforcing accountability: it sets out how PHI must be handled, fixes breach notification timelines, and provides remedies if the business associate fails to meet its obligations. Organizations should maintain an inventory of all business associate relationships mapped to the PHI each vendor can access, confirm that every relationship has a current and complete BAA on file, and review the agreements regularly to account for changes in services, subcontractors, or regulations.