Question 1

What is a HIPAA Business Associate Agreement?

Accepted Answer

A HIPAA Business Associate Agreement (BAA) is a federally required contract between a HIPAA-covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) and a business associate — any person or entity that performs functions or activities on behalf of the covered entity that involve the use or disclosure of protected health information (PHI). The BAA is mandated by the HIPAA Privacy and Security Rules at 45 C.F.R. §§ 164.502(e) and 164.504(e) and must contain specific provisions governing how the business associate may use and disclose PHI, what safeguards it must implement, breach notification obligations, subcontractor flow-downs, and termination rights. Without a signed BAA, sharing PHI with a vendor is itself a HIPAA violation.

Question 2

Who is a business associate?

Accepted Answer

A business associate is any person or entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity, or that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services involving PHI. Examples include cloud hosting providers, medical billing companies, IT consultants, electronic health record vendors, medical transcription services, document shredding companies, outside counsel, and third-party administrators. The HITECH Act extended business-associate obligations directly to subcontractors of business associates, so a business associate must enter into a BAA with any vendor it hires to handle PHI.

Question 3

When is a HIPAA BAA required?

Accepted Answer

A BAA is required whenever a covered entity or business associate discloses protected health information to a third party that will use or have access to the PHI in the course of performing services. Examples include a hospital hiring a cloud storage provider, a clinic engaging a billing service, a health plan contracting with a customer-support call center, or a medical practice using an electronic health record system. A BAA is not required when PHI is disclosed to a healthcare provider for treatment purposes, to a person or entity that is a member of the covered entity's workforce (employees are covered by the entity's own compliance), to a plan sponsor under certain conditions, or to another covered entity under limited circumstances.

Question 4

What must a HIPAA BAA include?

Accepted Answer

The required provisions under 45 C.F.R. § 164.504(e)(2) include: (1) establishing the permitted and required uses and disclosures of PHI by the business associate; (2) a prohibition on using or disclosing PHI other than as permitted by the contract or required by law; (3) requirements to use appropriate safeguards (including Security Rule compliance for electronic PHI); (4) a duty to report any use or disclosure not provided for by the contract, including breaches of unsecured PHI; (5) a requirement to ensure that subcontractors agree to the same restrictions through their own BAAs; (6) a duty to make PHI available for individual access, amendment, and accounting of disclosures; (7) a duty to make internal practices and records available to HHS for compliance reviews; (8) return or destruction of PHI upon termination; and (9) authorization to terminate the contract if the business associate materially breaches.

Question 5

What is protected health information (PHI)?

Accepted Answer

Protected health information is individually identifiable health information held or transmitted by a covered entity or business associate in any form — electronic, paper, or oral. It includes demographic information (name, address, birth date, Social Security number), medical record numbers, health insurance information, treatment history, test results, billing records, and any information that relates to a person's past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare, and that identifies the individual or could reasonably be used to identify them. When PHI is stored or transmitted electronically, it is sometimes called ePHI and is subject to the HIPAA Security Rule's administrative, physical, and technical safeguards.

Question 6

What are the breach notification requirements?

Accepted Answer

Under the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D), a business associate must notify the covered entity of any breach of unsecured PHI without unreasonable delay and in no event later than 60 days after discovery. The covered entity is then responsible for notifying affected individuals, the Department of Health and Human Services (HHS), and, for breaches affecting 500 or more individuals, prominent media outlets in the state or jurisdiction. A breach is defined as an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy, unless the business associate can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. A well-drafted BAA often imposes tighter notification timelines (such as 10–30 days) to give the covered entity adequate time to meet its own reporting obligations.

Question 7

What penalties apply for HIPAA non-compliance?

Accepted Answer

HIPAA civil penalties are structured in four tiers based on the level of culpability. As adjusted for inflation (2024 values), penalties range from approximately $137 per violation (for unknowing violations) up to $2,067,813 per identical-provision-per-year cap for willful neglect not corrected. Criminal penalties under 42 U.S.C. § 1320d-6 can reach $50,000 and one year in prison for basic violations, up to $250,000 and ten years for offenses committed with intent to sell or use PHI for commercial advantage or malicious harm. HHS Office for Civil Rights (OCR) actively enforces HIPAA through settlements and corrective action plans; recent settlements with business associates have reached several million dollars. State attorneys general also have authority to bring civil suits under HITECH.

Question 8

Does a BAA replace a standard confidentiality agreement?

Accepted Answer

For the PHI-related aspects of the relationship, yes — a BAA is the specific confidentiality framework required by federal law and supersedes a generic NDA for those purposes. However, many healthcare vendors sign both a BAA (for PHI) and a broader services agreement or standard NDA (for non-PHI confidential information such as the covered entity's financial data, operational plans, or trade secrets). The BAA is narrowly focused on HIPAA compliance, while a standard confidentiality agreement covers commercial information that falls outside HIPAA's scope.

Question 9

Are subcontractors of business associates also covered?

Accepted Answer

Yes. Under the HITECH Act and the 2013 Omnibus Rule, subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the business associate are themselves considered business associates and must be bound by a BAA with the upstream business associate. This is known as a 'flow-down' requirement. For example, if a hospital engages a medical billing company (business associate) and that billing company uses a cloud hosting provider to store its data (subcontractor), both the billing company and the cloud provider must be under BAAs. HHS enforcement has increasingly focused on ensuring that these flow-down obligations are properly documented and followed.

Question 10

Can a business associate use de-identified PHI without a BAA?

Accepted Answer

Yes. Information that has been properly de-identified under 45 C.F.R. § 164.514(b) — using either the Safe Harbor method (removing 18 specified identifiers) or the Expert Determination method (statistical or scientific assessment) — is no longer considered PHI and may be used without a BAA. However, re-identification is prohibited, and the BAA or a separate data use agreement should address whether and how de-identified data may be used. A limited data set, which still contains some identifiers, requires a data use agreement with specific provisions but is distinct from a full BAA.

Question 11

Who signs the HIPAA BAA?

Accepted Answer

A BAA must be signed by authorized representatives of both the covered entity and the business associate. On the covered entity side, this is typically the HIPAA Privacy Officer, compliance officer, or an executive with contracting authority. On the business associate side, it is usually the account executive, general counsel, or compliance officer. Electronic signatures through DocuSign or similar services are fully enforceable for BAAs under the ESIGN Act and the Uniform Electronic Transactions Act. The signature date should predate any actual disclosure of PHI.

Question 12

How long should a HIPAA BAA last?

Accepted Answer

A BAA typically remains in effect for the duration of the underlying services relationship and must include a termination provision that requires return or destruction of PHI (or, if return or destruction is infeasible, continuation of protections) upon termination. There is no federal maximum duration. Many BAAs are structured as evergreen agreements that automatically renew until one party provides notice of termination. The BAA must allow the covered entity to terminate the contract (and potentially the underlying services relationship) if it determines the business associate has materially breached.

Question 13

Do I need a new BAA if HIPAA rules are updated?

Accepted Answer

Possibly. When HHS updates the HIPAA rules — as with the 2013 Omnibus Rule, which made substantial changes to BAA requirements — existing BAAs may need to be updated or replaced to reflect the new requirements. HHS has historically provided transition periods during which existing agreements remain compliant. Covered entities and business associates should periodically review their BAAs against current regulations and update them when rules change. The HHS OCR website publishes sample BAA language that reflects current regulatory requirements.

Factor	HIPAA BAA	Standard NDA
Required By	Federal law (HIPAA)	Voluntary contract
Covers	Protected health information	General confidential information
Required Provisions	Mandated by 45 CFR 164.504(e)	Flexible
Breach Notification	Required within 60 days	Contract-based
Penalties	Up to $2M+/year per violation	Contract damages
Enforcement	HHS OCR, state AGs	Private litigation

Free HIPAA Business Associate Agreement Forms

What Is a HIPAA Business Associate Agreement?

Federally Required

Protects PHI

Avoids Penalties

HIPAA BAA Form Preview

Business Associate Agreement

Parties

Required Provisions

When a HIPAA BAA Is Required

Cloud & IT Vendors

Billing & Claims

EHR & Practice Management

Transcription Services

Legal & Accounting

Shredding & Records

HIPAA BAA vs Standard NDA

How to Create a HIPAA BAA

Identify covered entity and business associate

Describe the services and PHI involved

Include all required provisions under 45 CFR 164.504(e)

Set breach notification timing

Address subcontractor flow-down

Include termination and cure rights

Sign with authorized representatives

Required Provisions Under 45 C.F.R. § 164.504(e)

Permitted Uses and Disclosures

Safeguards

Impermissible Use Reporting

Subcontractor Flow-Down

Individual Rights Support

HHS Access

Return or Destruction

Termination for Breach

Breach Notification

Minimum Necessary Rule

What Is Protected Health Information

Breach Notification Rules

Penalties for Non-Compliance

Sample HIPAA Business Associate Agreement

Frequently Asked Questions

Official Resources

Create your Business Associate Non Disclosure Agreement in under 10 minutes.