HIPAA Business Associate Agreements
A Business Associate Agreement (BAA) is a legally required contract between a covered entity and any business associate that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf. For technology companies serving healthcare customers, understanding and properly executing BAAs is fundamental to HIPAA compliance.
This guide explains what BAAs are, what they must contain, and how to approach them strategically as a SaaS or technology company.
Key Takeaways
| Aspect | Details |
|---|---|
| What it is | Legally required contract for handling PHI |
| When required | Before any PHI is shared |
| Required provisions | Specific elements mandated by 45 CFR 164.504(e) and 164.314(a) |
| Liability | Business associates are directly liable under HIPAA (since the 2013 Omnibus Rule), with or without a signed BAA |
| Enforcement | HHS OCR can enforce directly against business associates |
Quick Answer: A BAA is required whenever a business associate will create, receive, maintain, or transmit PHI on behalf of a covered entity. It must include specific provisions defined by HIPAA regulations. Signing one does not create your HIPAA obligations (business associates are directly liable under the rules regardless), but it documents them and sets the permitted uses of PHI. You need BAAs with both your healthcare customers (upstream) and your vendors who access PHI (downstream).
What is a Business Associate?
A business associate is any person or organization that:
- Performs functions or activities involving PHI on behalf of a covered entity, or
- Provides services to a covered entity involving access to PHI
Common Business Associate Relationships
| Business Associate Type | Examples |
|---|---|
| SaaS platforms | EHR systems, telehealth platforms, patient portals |
| Cloud providers | AWS, GCP, Azure, Heroku |
| Analytics services | Data analytics, BI tools processing PHI |
| Communication tools | Email, messaging platforms handling PHI |
| IT services | Managed IT, security monitoring, data backup |
| Professional services | Legal, accounting, consulting with PHI access |
When is a BAA NOT Required?
A BAA is not required for:
- Conduits for transmission (like the postal service, couriers, or internet service providers) that only move PHI and hold it, at most, transiently. This exception is narrow: HHS has stated that a cloud provider storing PHI is a business associate even if the data is encrypted and the provider never holds the key
- Entities acting as workforce members of the covered entity
- Treatment relationships between covered entities
- Banking and financial institutions for payment processing
- Persons or entities whose functions do not involve PHI use or disclosure
The BAA Chain
BAAs must extend through the entire chain of entities accessing PHI:
```
Covered Entity (Hospital)
    | BAA
    v
Business Associate (Your SaaS Platform)
    | BAA
    v
Subcontractor (Cloud Provider)
    | BAA
    v
Sub-subcontractor (Monitoring Service)
```
Each link in the chain requires a BAA between the two adjacent parties. If you're a business associate using subcontractors who access PHI, you (not the covered entity) must obtain BAAs from each of them, and the subcontractor is itself a business associate with direct HIPAA liability.
Required BAA Provisions
HIPAA regulations (45 CFR 164.504(e) for the Privacy Rule and 164.314(a) for the Security Rule) specify required elements for Business Associate Agreements. A compliant BAA must include:
1. Permitted Uses and Disclosures
The BAA must establish:
- What PHI the business associate can receive
- What uses are permitted (must be limited to BAA purposes)
- What disclosures are permitted
- Prohibition on uses not permitted by the BAA
Example provision:
Business Associate may use or disclose PHI only as necessary to perform services set forth in the underlying service agreement, as required by law, or as otherwise permitted by this Agreement.
2. Prohibition on Unauthorized Use or Disclosure
The BAA must prohibit the business associate from using or disclosing PHI in ways not permitted by the agreement.
3. Safeguard Requirements
The BAA must require the business associate to:
- Use appropriate safeguards to prevent unauthorized use or disclosure
- Comply with applicable Security Rule requirements
- Implement administrative, physical, and technical safeguards
4. Reporting Requirements
The BAA must require reporting of:
- Any use or disclosure not permitted by the agreement
- Any security incident, which HIPAA defines as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations
- Any breach of unsecured PHI
Timing matters: The BAA should specify reasonable timeframes for reporting (e.g., within 5 business days of discovery). Whatever the contract says, the regulation sets an outer bound: a business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery.
5. Subcontractor Requirements
The BAA must require:
- Ensuring subcontractors agree to the same restrictions
- Obtaining BAAs from all subcontractors accessing PHI
- Business associate responsibility for subcontractor compliance
6. Access for Patient Rights
The BAA must require the business associate to:
- Make PHI available to satisfy patient access requests
- Make PHI available for amendment requests
- Provide accounting of disclosures information
How this works in practice:
- Covered entity requests PHI to fulfill patient request
- Business associate provides requested PHI within timeframe
- Business associate may provide direct access (with covered entity consent)
7. Internal Practices Availability
The BAA must require the business associate to make its internal practices and records relating to PHI available to HHS for compliance determination.
8. Return or Destruction of PHI
The BAA must require, upon termination:
- Return of PHI to the covered entity, or
- Destruction of PHI, or
- If neither is feasible, extension of protections and limitation on further uses
9. Breach Notification Support
For unsecured PHI breaches, the BAA should address:
- Notification timeline to covered entity
- Information to be provided
- Cooperation with breach investigation
- Cost allocation for notification
10. Term and Termination
The BAA must include:
- Term of the agreement
- Termination provisions
- Termination rights for material breach
BAA Negotiation Considerations
What Covered Entities Typically Request
| Request | Typical BA Position |
|---|---|
| Immediate breach notification | Negotiate reasonable timeframe (3-5 business days) |
| Unlimited liability | Cap liability at reasonable amount |
| Indemnification for all breaches | Limit to BA's negligent acts |
| Annual audits | Offer SOC 2 report instead |
| Specific security requirements | Reference your security program |
| Cyber insurance requirements | Reasonable minimums acceptable |
What Business Associates Should Ensure
| Provision | Your Interest |
|---|---|
| Scope clarity | Clear definition of what constitutes PHI under the agreement |
| Reasonable timelines | Adequate time for reporting, access requests, etc. |
| Liability limits | Reasonable caps and mutual indemnification |
| Subcontractor flexibility | Ability to use subcontractors with proper BAAs |
| Termination rights | Mutual termination rights and reasonable wind-down |
Red Flags in BAAs
Watch for these problematic provisions:
- Unlimited liability without reciprocal protections
- Immediate notification requirements (same day)
- Prohibition on subcontractors entirely
- Audit requirements beyond providing SOC 2 reports
- Unreasonable insurance requirements (very high limits)
- Unilateral termination without cure period
- Indemnification for all breaches regardless of cause
BAAs with Your Vendors (Downstream)
You need BAAs from every vendor who accesses PHI, including:
Cloud Infrastructure
- AWS (BAA accepted online through AWS Artifact; applies only to HIPAA-eligible services)
- Google Cloud Platform (BAA accepted in the console; applies only to covered services)
- Microsoft Azure (BAA included in Microsoft's Product Terms for in-scope services)
- Heroku (BAA available only for its HIPAA-eligible offering, not the standard platform)
SaaS Tools
- Email providers handling PHI
- Customer support platforms with PHI access
- Analytics tools processing PHI
- Backup and disaster recovery services
Professional Services
- Legal counsel with PHI access
- Accounting firms with PHI access
- Consultants with PHI access
How to Obtain Vendor BAAs
- Major cloud providers: BAAs available through enterprise agreements or online acceptance
- SaaS vendors: Request BAA; many offer standard versions
- Smaller vendors: May need to provide your BAA template
- Vendors without BAAs: Evaluate alternatives or ensure no PHI access
If a Vendor Won't Sign a BAA
Options include:
- Use a different vendor that will sign
- Configure the tool to avoid PHI exposure
- De-identify data before sharing, using the Safe Harbor or Expert Determination method in 45 CFR 164.514(b); properly de-identified data is no longer PHI, so no BAA is needed
- Accept the risk (not recommended for core services)
Sample BAA Structure
A well-structured BAA typically includes:
1. Definitions
- Business Associate
- Covered Entity
- PHI, ePHI, Designated Record Set
- Required by Law, Secretary
2. Obligations of Business Associate
- Use and disclosure limitations
- Safeguards
- Reporting
- Subcontractor requirements
- Patient rights support
- HHS access
3. Permitted Uses and Disclosures
- Services under service agreement
- BA management and administration
- Legal responsibilities
- Data aggregation (if applicable)
4. Obligations of Covered Entity
- Notice of restrictions
- Permission notices
- Revocation of authorizations
5. Term and Termination
- Term
- Termination for cause
- Effect of termination
- Return/destruction of PHI
6. Miscellaneous
- Regulatory references
- Amendment
- Survival
- Interpretation
- Governing law
Common BAA Mistakes
1. No BAA in Place
Problem: Sharing PHI without an executed BAA.
Solution: Always execute BAA before any PHI is shared.
2. Outdated BAA
Problem: BAA doesn't reflect HIPAA Omnibus Rule changes (2013), such as the subcontractor requirements and the business associate's direct obligations under the Security Rule. Pre-Omnibus agreements had to be updated by September 22, 2014 at the latest.
Solution: Ensure the BAA references current regulations, covers subcontractors, and acknowledges business associate direct liability.
3. Missing Subcontractor BAAs
Problem: Using vendors without BAAs.
Solution: Audit all vendors accessing PHI; obtain BAAs from each.
4. Vague Scope
Problem: Unclear what data is covered.
Solution: Clearly define PHI scope in the agreement.
5. No Termination Provisions
Problem: Missing PHI return/destruction requirements.
Solution: Include specific termination and post-termination obligations.
BAA vs Service Agreement
BAAs work in conjunction with service agreements:
| Agreement | Purpose | Required |
|---|---|---|
| Service Agreement | Defines services, pricing, SLA, general terms | Yes (business need) |
| BAA | HIPAA-specific provisions for PHI handling | Yes (legal requirement) |
Common approaches:
- Separate BAA: Standalone document referencing service agreement
- BAA Addendum: Attachment to service agreement
- Combined Agreement: Service agreement with integrated BAA provisions
All approaches are acceptable if required provisions are included.
Managing BAAs at Scale
For technology companies with many healthcare customers:
Standardize Your BAA
- Develop a standard BAA you provide to customers
- Include all required provisions
- Set reasonable terms you can operationally support
- Have legal review and approve
Track BAA Status
Maintain records of:
- Which customers have executed BAAs
- BAA effective dates and terms
- BAA versions
- Any negotiated modifications
Update Processes
Establish processes to:
- Execute BAAs before PHI sharing
- Track BAA expirations
- Update BAAs when regulations change
- Respond to amendment requests
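The tracking and update processes above lend themselves to an automated inventory check. The following is an added example, not from the original page or from Bastion: it walks a constructed vendor inventory (including subcontractor chains) and flags vendors with PHI access that have no executed BAA, BAAs that expired or are about to, and any case where PHI was first shared before the BAA was signed. The `Vendor` record fields and the sample vendors are assumptions for illustration.

```python
"""Vendor BAA coverage check (illustrative example; not from the page)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (finding_kind, "vendor -> subcontractor" path)


@dataclass
class Vendor:
    """One row of a downstream vendor inventory (field names are assumptions)."""
    name: str
    phi_access: bool                      # does this vendor touch PHI at all?
    baa_signed: Optional[date] = None     # execution date of the BAA, if any
    baa_expires: Optional[date] = None    # None means evergreen / tied to MSA
    phi_first_shared: Optional[date] = None
    subcontractors: List["Vendor"] = field(default_factory=list)


def findings(vendor: Vendor, today: date, warn_days: int = 90,
             chain: Tuple[str, ...] = ()) -> List[Finding]:
    """Return BAA gaps for this vendor and, recursively, its PHI subcontractors."""
    path = chain + (vendor.name,)
    label = " -> ".join(path)
    out: List[Finding] = []

    # Vendors with no PHI access need no BAA, and their chain is out of scope.
    if not vendor.phi_access:
        return out

    if vendor.baa_signed is None:
        out.append(("missing_baa", label))
    else:
        # PHI must never flow before the BAA is executed.
        if vendor.phi_first_shared and vendor.phi_first_shared < vendor.baa_signed:
            out.append(("phi_shared_before_baa", label))
        if vendor.baa_expires is not None:
            if vendor.baa_expires < today:
                out.append(("expired_baa", label))
            elif vendor.baa_expires - today <= timedelta(days=warn_days):
                out.append(("expiring_soon", label))

    # Every link in the chain needs its own BAA, so walk subcontractors too.
    for sub in vendor.subcontractors:
        out.extend(findings(sub, today, warn_days, path))
    return out


def sample_inventory() -> List[Vendor]:
    """Constructed sample data; not a real vendor list."""
    return [
        Vendor("cloud-provider", True, baa_signed=date(2023, 1, 10),
               subcontractors=[
                   # Monitoring service sees PHI but has no BAA with us.
                   Vendor("monitoring-service", True),
               ]),
        Vendor("support-desk", True, baa_signed=date(2024, 3, 1),
               baa_expires=date(2025, 2, 1), phi_first_shared=date(2024, 2, 15)),
        Vendor("marketing-analytics", False,
               subcontractors=[Vendor("ad-network", True)]),  # skipped: no PHI
        Vendor("backup-service", True, baa_signed=date(2022, 6, 1),
               baa_expires=date(2024, 12, 31)),
    ]


def run_check(today: date = date(2025, 1, 15)) -> List[Finding]:
    """Run the coverage check over the sample inventory as of `today`."""
    out: List[Finding] = []
    for vendor in sample_inventory():
        out.extend(findings(vendor, today))
    return out


if __name__ == "__main__":
    for kind, who in run_check():
        print(f"{kind:24s} {who}")
```

Run against a real inventory export, the same function gives a list you can feed into a ticketing system: `missing_baa` findings block PHI sharing, `expiring_soon` findings start the renewal process, and `phi_shared_before_baa` findings are candidates for the "No BAA in Place" mistake described later on this page.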
BAA Checklist
For Customer (Upstream) BAAs
- BAA in place before PHI access
- All required provisions included
- Reasonable timelines for reporting
- Liability appropriately allocated
- Subcontractor use permitted
- Termination provisions clear
For Vendor (Downstream) BAAs
- All PHI-accessing vendors identified
- BAA requested/obtained from each
- Vendor BAA includes required provisions
- Vendor termination/destruction obligations clear
- BAA records maintained
How Bastion Helps
Bastion helps technology companies manage Business Associate Agreements:
- BAA review: Evaluate customer and vendor BAAs for compliance and risk
- BAA template development: Create your standard BAA for customers
- Vendor BAA management: Identify vendors needing BAAs and obtain them
- Negotiation support: Guidance on acceptable terms and positions
- BAA tracking: Systems for managing BAA status across relationships
Ready to discuss your BAA needs? Talk to our team
Sources
- HHS Business Associates - Official guidance on business associate requirements
- Business Associate Contracts - Sample BAA provisions from HHS
- HIPAA Omnibus Rule - 2013 rule expanding BA requirements
