1. What is a HIPAA Business Associate Agreement?
A Business Associate Agreement (BAA) — also called a Business Associate Contract — is a legally binding contract required under HIPAA between a Covered Entity and any Business Associate that creates, receives, maintains, or transmits Protected Health Information (PHI) on the Covered Entity's behalf.
The BAA establishes the permitted uses and disclosures of PHI, obligates the Business Associate to safeguard that PHI, and creates accountability if something goes wrong. Without a signed BAA in place, both parties are in violation of HIPAA — even if no breach ever occurs.
BAA requirements are codified in the HIPAA Privacy Rule (45 CFR §164.502(e) and §164.504(e)) and the Security Rule (45 CFR §164.314(a)). The HITECH Act (2009) extended these obligations directly to Business Associates and their subcontractors.
The OCR (HHS Office for Civil Rights) enforces BAA requirements actively. Failure to have a BAA in place — or having one with missing required provisions — is a standalone HIPAA violation, separate from any actual data breach. Fines start at $100 per violation and can reach $50,000 per violation, with an annual cap of $1.9 million for identical violations.
2. Who Needs to Sign a BAA?
Two parties must sign a BAA: a Covered Entity and a Business Associate. Understanding which role you occupy — and with whom you need agreements — is step one.
Covered Entities
Covered Entities are healthcare organizations that are directly subject to HIPAA:
- Health plans (insurance companies, HMOs, employer-sponsored health plans)
- Healthcare clearinghouses (billing processors, data translators)
- Healthcare providers who conduct electronic transactions (hospitals, clinics, physicians, pharmacies)
Business Associates
If your company performs a function or activity for a Covered Entity that involves PHI, you are a Business Associate. This is a broad category:
- SaaS vendors whose platform stores, processes, or displays PHI
- Cloud infrastructure providers (AWS, GCP, Azure) hosting systems with ePHI
- EHR/EMR vendors providing software to healthcare providers
- Revenue cycle management and billing service companies
- Medical transcription services
- Data analytics firms processing patient data on behalf of a hospital
- IT managed service providers with access to systems containing PHI
- Legal, accounting, and consulting firms if their work requires access to PHI
If your software could potentially receive PHI (through API calls, log files, support tickets, or error reports), you likely need a BAA — even if PHI is not your primary data type. When in doubt, treat it as required. The cost of an unnecessary BAA is zero. The cost of a missing one is significant.
Subcontractors (Business Associates of Business Associates)
Under HITECH, the BAA obligation flows downstream. If you are a Business Associate and you engage a subcontractor that will handle PHI on your behalf, that subcontractor is also a Business Associate — and you must have a signed BAA with them. Your obligations don't end at your own front door.
Not sure if you need a BAA?
CompliMed's free assessment identifies every BAA gap in your vendor stack and gives you a clear action list.
3. Required BAA Provisions
HIPAA specifies exactly what a BAA must contain. A BAA missing any of these provisions is non-compliant — even if both parties signed it in good faith.
| Provision | What It Must Say | Status |
|---|---|---|
| Permitted Uses & Disclosures | Describe the specific permitted uses and disclosures of PHI. Uses not listed are prohibited by default. | Required |
| Appropriate Safeguards | Business Associate must implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. | Required |
| Security Incident Reporting | Business Associate must report any Security Incident (including breaches) to the Covered Entity without unreasonable delay. | Required |
| Subcontractor Flow-Down | Business Associate must ensure any subcontractor that receives PHI agrees to the same restrictions and conditions. | Required |
| Individual Rights Access | Business Associate must support the Covered Entity in providing individuals access to their own PHI upon request. | Required |
| Amendment of PHI | Business Associate must support amendment of PHI when directed by the Covered Entity per 45 CFR §164.526. | Required |
| Accounting of Disclosures | Business Associate must document and provide an accounting of PHI disclosures as required to support the Covered Entity's obligations. | Required |
| OCR Access | Business Associate must make internal practices, books, and records available to HHS for determining compliance. | Required |
| Termination & PHI Return/Destruction | Upon contract termination, Business Associate must return or destroy all PHI. If return/destruction is infeasible, protections must extend beyond termination. | Required |
| Termination for Cause | Covered Entity must be able to terminate the agreement if the Business Associate materially breaches BAA terms. | Required |
Most enterprise Covered Entities will send you their own BAA template. Read it carefully — some contain provisions that are commercially onerous (unlimited liability for breaches, audit rights with 24-hour notice, PHI deletion within 30 days of contract end). These are negotiable. Know what you're agreeing to.
4. Five Common BAA Mistakes Health Tech Vendors Make
Mistake 1: Not Having a BAA at All
It is surprising how often this happens. A startup lands its first health system customer, the deal closes, the integration goes live — and the BAA conversation never happened. Sometimes the sales team didn't know to ask. Sometimes the customer's procurement didn't catch it. Both parties are in violation from day one.
- Always confirm BAA execution before your integration accesses PHI, not after.
Mistake 2: Forgetting Subcontractor BAAs
You signed a BAA with the hospital. But your logging vendor (Datadog, Splunk) receives log lines that contain patient IDs. Your error tracker (Sentry) captures stack traces with ePHI. Your cloud database provider stores the PHI. Each of these is a subcontractor relationship requiring its own BAA.
- Audit your entire vendor stack for any service that could receive, process, or store PHI — directly or indirectly.
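As an added example (not code from the original article), the following Python logging filter scrubs constructed PHI identifier patterns from log lines before any handler ships them to a third-party aggregator such as the Datadog, Splunk or Sentry integrations mentioned above; the regexes and the `demo` helper are assumptions for illustration, not a vetted PHI detector, and scrubbing reduces exposure but does not replace the subcontractor BAA.

```python
import logging
import re

# Constructed PHI identifier patterns for this example; adapt to your own log formats.
PHI_PATTERNS = [
    (re.compile(r"\bMRN[-:\s]*\d{6,10}\b", re.IGNORECASE), "MRN:[REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]"),
    (re.compile(r"\b(?:dob|date of birth)[:=\s]*\d{1,2}/\d{1,2}/\d{4}\b",
                re.IGNORECASE), "DOB:[REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL REDACTED]"),
]

def scrub(text: str) -> str:
    """Replace every known PHI identifier pattern in a string."""
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class PhiScrubFilter(logging.Filter):
    """Scrub the rendered message before any handler (log shipper) sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate args first: PHI usually arrives as a %s argument.
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True  # keep the record, now sanitized

def build_logger(name: str = "phi-safe") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep demo output off the root logger
    if not any(isinstance(f, PhiScrubFilter) for f in logger.filters):
        logger.addFilter(PhiScrubFilter())
    return logger

class _ListHandler(logging.Handler):
    """Stand-in for a log shipper: collects what would have been sent."""
    def __init__(self):
        super().__init__()
        self.messages = []
    def emit(self, record):
        self.messages.append(self.format(record))

def demo(line: str, *args) -> str:
    # Log one line through the scrubbing logger; return what the shipper got.
    logger = build_logger()
    handler = _ListHandler()
    logger.addHandler(handler)
    logger.info(line, *args)
    logger.removeHandler(handler)
    return handler.messages[-1]
```

Exception values and stack traces are not covered by this filter; those need scrubbing at the formatter or in the error tracker's own pre-send hook.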
Mistake 3: Using a Generic NDA Instead of a BAA
An NDA addresses confidentiality. A BAA addresses PHI-specific obligations under HIPAA — they are not interchangeable. Confidentiality provisions in an NDA do not satisfy BAA requirements. Covered Entities that accept NDAs in lieu of BAAs are themselves non-compliant.
- If a customer's legal team sends an NDA for PHI-related work, flag it. You need a BAA addendum.
Mistake 4: BAAs That Are Missing Required Provisions
Templates found online or drafted by non-HIPAA-specialized counsel often omit required provisions — most commonly the subcontractor flow-down requirement, the accounting of disclosures clause, or the PHI return/destruction on termination requirement. A signed-but-incomplete BAA doesn't protect you.
- Run every BAA against the required provisions table above before signing.
Mistake 5: Not Updating BAAs After the Relationship Changes
You signed a BAA covering one specific integration. Two years later, your product has expanded: you now process additional data types, you've added new subprocessors, or you've expanded into new use cases. The original BAA may no longer accurately reflect permitted uses — creating a compliance gap without anyone noticing.
- Review BAAs annually and update them when the scope of PHI handling changes materially.
5. Your Subcontractor BAA Checklist
The following are the most common vendor categories that require BAAs for health tech companies. Check each one against your current vendor stack.
Infrastructure & Hosting
- Cloud infrastructure provider (AWS, GCP, Azure) — all three offer BAAs; you must request and execute them
- Database-as-a-Service providers (RDS, Cloud SQL, Neon, Supabase) — BAA required if PHI stored
- CDN / edge compute providers (Cloudflare, Fastly) — BAA required if PHI passes through
- Container orchestration platforms (if hosting PHI-touching workloads)
Observability & Monitoring
- Application performance monitoring (Datadog, New Relic, Dynatrace) — BAA required if logs contain PHI
- Error tracking (Sentry, Bugsnag, Rollbar) — BAA required; also configure PII scrubbing
- Log aggregation (Splunk, Elastic, Papertrail) — BAA required if log lines include PHI identifiers
- Uptime monitoring (if health check endpoints expose PHI)
Communication & Support
- Business email provider (Google Workspace, Microsoft 365) — BAA required if PHI sent via email
- Customer support ticketing (Intercom, Zendesk, Freshdesk) — BAA required if support tickets contain PHI
- Video conferencing (Zoom, Teams) — BAA required for any PHI-related patient communications
- Internal messaging (Slack) — BAA required if PHI shared in channels
Data & Analytics
- Analytics platforms (if PHI or patient identifiers passed in event data)
- Data warehouse / BI tools (Snowflake, BigQuery, Looker) — BAA required if PHI loaded
- ETL / data pipeline tools (Fivetran, Airbyte) — BAA required if PHI in transit
Development Tools
- Source code hosting (GitHub, GitLab) — BAA required only if PHI committed to repos (which should be avoided)
- CI/CD platforms (if production secrets or PHI-adjacent configs flow through build pipelines)
AI coding assistants and LLM APIs (OpenAI, Anthropic, etc.) that receive PHI in prompts require BAAs or equivalent data processing agreements. As of 2024, most enterprise AI providers offer BAA coverage on their paid tiers. Never send de-identified PHI through a model API without confirming your BAA coverage first.
6. How to Get a BAA Signed and Stay Compliant
Step 1: Inventory Your PHI Flows
Before you can know who needs a BAA, you need to know where PHI goes. Map every system in your stack that receives, stores, processes, or transmits PHI — including indirect flows through logs, error reports, and analytics events.
Step 2: Identify Required BAAs
For each system in your PHI flow map, determine whether a BAA is required. The test: does this vendor create, receive, maintain, or transmit PHI on behalf of a Covered Entity? If yes, BAA required.
Step 3: Execute Missing BAAs
Most major cloud and SaaS vendors have self-service BAA processes. AWS, GCP, Azure, Google Workspace, Microsoft 365, and Zoom all offer BAA execution through their admin portals. For smaller vendors, you may need to request their HIPAA addendum directly from their legal or compliance team.
Step 4: Maintain a BAA Register
Document every executed BAA: vendor name, effective date, expiration or review date, scope of PHI covered, and storage location of the signed document. HIPAA requires you to retain BAAs for 6 years from the date of creation or last effective date.
Step 5: Review Annually
Vendor relationships change. Products expand. New subprocessors get added. Review your BAA register at least annually and update agreements when the scope of PHI handling changes.
Having a BAA in place is not enough if you cannot produce it during an audit. OCR can request BAAs during investigations. Store signed BAAs in a searchable, accessible location — not buried in an email thread from 2022.
The Bottom Line
A BAA is not a legal formality — it is the foundation of your HIPAA compliance posture as a health tech vendor. No BAA means no deal with enterprise health systems. And a BAA with missing provisions is the same as no BAA from a regulatory standpoint.
Get your BAA stack right before the procurement team asks. Because when they ask, they expect the paperwork to already be done.