
Business Associate Agreement: What Is a BAA?


Learn about when you need business associate agreements and how Ironclad Editor can simplify the process of creating and managing these contracts.


Key takeaways:

  • Establish business associate agreements with every third-party vendor that accesses Protected Health Information, as HIPAA legally mandates these contracts for covered entities and missing them can result in civil penalties that reach $1.5 million per year for violations of an identical provision (before inflation adjustment).

  • Recognize that business associate agreements serve a distinct legal purpose from non-disclosure agreements, protecting PHI under federal HIPAA regulations rather than general confidential information, and carrying significantly steeper penalties including potential criminal charges.

  • Ensure your business associates maintain BAAs with their own subcontractors who handle PHI, as the subcontractor chain requirement is a commonly overlooked compliance gap that creates direct liability for the covered entity.

  • Implement contract lifecycle management systems to standardize BAA creation and tracking with HIPAA-compliant templates, as manual processes increase compliance risks and healthcare contracts average 49 days to execute.

Business associate agreements probably aren’t the most exciting part of your job. You know this if you’ve ever had to track down whether every single vendor in your healthcare organization has the right paperwork in place to handle Protected Health Information (PHI). Missing a BAA here or using an outdated template there can turn compliance from a routine checkmark into a regulatory nightmare, with one such failure leading to a $1.55 million settlement.

A business associate agreement (BAA) is a legally binding contract required under HIPAA that protects Protected Health Information (PHI) when it is shared with third-party vendors. If your organization is a covered entity under HIPAA, you must establish these agreements with your business associates, and your business associates must in turn establish them with any subcontractors that handle PHI on their behalf.

Business associate agreements serve as the foundation of your HIPAA compliance program. They define permissible and impermissible uses of PHI, establish liability frameworks, and outline consequences for non-compliance. Without proper agreements in place, organizations face significant regulatory penalties and legal exposure.

Because business associate agreements need to be vetted against relevant HIPAA rules, it’s a good idea to use advanced contract management tools that provide you with easy-to-use, codeless templates.

Read on to learn more about business associate agreements, why you need them, and how to create and manage them with a no-code contract lifecycle management system (CLM).

What is a business associate agreement?

A business associate agreement establishes a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI.

This type of agreement is necessary whenever a business associate can potentially access PHI during its work. A further agreement, between the business associate and its subcontractor, is required when the subcontractor also has potential access to PHI, because the official HIPAA definition of a business associate includes any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

HIPAA requires specific types of organizations, called “covered entities,” to create business associate agreements. These covered entities include:

  • Health plans: individual or group plans that provide, or pay the cost of, medical care.

  • Healthcare clearinghouses: public or private entities that process health information received from another entity, typically converting nonstandard data into a standard format or vice versa. Examples include repricing companies, billing services, community health information systems, and “value-added” switches and networks that facilitate the processing of health information, particularly health information in nonstandard formats.

  • Healthcare providers: providers that transmit health information electronically in connection with transactions for which HHS has adopted standards.

  • Hybrid entities: organizations whose activities include both covered and non-covered functions, such as a university with an academic medical center and hospitals that conduct electronic transactions for which HHS has established standards. Only the healthcare component is subject to HIPAA, but that component must still have BAAs in place.

Business associates are specific types of vendors or partners who handle PHI on behalf of covered entities. To qualify as a business associate requiring a formal agreement, the organization must meet either of these criteria:

  • People or entities who perform or assist in performing an activity or function involving PHI use or disclosure. These activities and functions include claims processing or administration, data analysis, quality assurance reviews, and utilization reviews.

  • People or entities who perform actuarial, consulting, legal, data aggregation, accreditation, management, administration, or financial services for or to a covered entity where performing these services involves disclosing PHI.

Important distinctions about business associate status:

  • Covered entity employees are not considered business associates

  • Internet service providers and similar “conduits” that merely transmit PHI, without routinely accessing it, typically do not require business associate agreements

  • Courier services generally fall outside business associate requirements

  • One covered entity can serve as a business associate to another covered entity

HIPAA and BAA requirements

If you’re a “covered entity” under HIPAA and you’re sharing Protected Health Information (PHI) with a vendor, you are legally required to have a Business Associate Agreement (BAA) in place. This isn’t optional. The BAA is the contract that ensures your vendors—and their subcontractors—are held to the same privacy and security standards you are. Without it, you’re looking at serious compliance risks and potential fines.

The HIPAA Privacy Rule requires covered entities to obtain satisfactory assurances from their business associates that they will appropriately safeguard any PHI they receive or create on behalf of the covered entity. These assurances must be documented in a written contract or agreement—which is where the BAA comes in.

Here’s what a BAA must address according to HIPAA requirements (45 CFR 164.504(e)):

  • Describe the permitted and required uses and disclosures of PHI by the business associate

  • State that the business associate will not use or disclose the information other than as permitted or required by the contract or by law

  • Require the business associate to implement appropriate safeguards, including the administrative, physical, and technical safeguards of the Security Rule for electronic PHI

  • Require reporting of any use or disclosure not provided for by the contract, including breaches of unsecured PHI

  • Ensure any subcontractors agree to the same restrictions and conditions, in writing

  • Make PHI available as needed for individuals to exercise their rights of access, amendment, and an accounting of disclosures

  • Make the business associate’s internal practices, books, and records available to HHS for determining compliance

  • Return or destroy all PHI at termination of the contract, where feasible

  • Authorize the covered entity to terminate the contract if the business associate violates a material term

Who qualifies as a covered entity

So, who exactly is a “covered entity”? HIPAA is pretty specific about this. It’s not just hospitals. You’re on the list if you are a health plan, healthcare clearinghouse, or a healthcare provider who transmits health information electronically. This also includes hybrid entities, like a university with a medical center. If your organization falls into one of these buckets, you’re the one responsible for getting BAAs signed with your business associates.

To break it down further:

  • Health plans: This includes health insurance companies, HMOs, company health plans, and government programs that pay for healthcare like Medicare and Medicaid.

  • Healthcare clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard format, or vice versa.

  • Healthcare providers: Any provider that transmits health information in electronic form in connection with a covered transaction. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

If you’re unsure whether your organization qualifies, the key question to ask is: does your organization electronically transmit health information in connection with transactions for which HHS has adopted standards? If yes, you’re likely a covered entity.

Who qualifies as a business associate

A “business associate” is any person or company that performs a function or service for a covered entity that involves the use or disclosure of PHI. Think of your IT provider, a billing company, a data analytics firm, or even a law firm that has access to patient data. It also extends to their subcontractors. If a vendor’s subcontractor handles PHI, they need a BAA with the vendor, too. The key is that they aren’t part of your workforce—they’re an outside party you’re trusting with sensitive information. Managing these external relationships is no small feat, especially considering that standard vendor agreements typically require 80% legal involvement and take an average of 45 days to execute, according to The 2025 Contracting Benchmark Report.

Common examples of business associates include:

  • Third-party administrators that assist with claims processing

  • CPA firms whose accounting services involve access to PHI

  • Attorneys whose legal services involve access to PHI

  • Consultants who perform utilization reviews

  • Healthcare clearinghouses that translate data for a provider

  • Independent medical transcriptionists

  • Pharmacy benefits managers

  • Cloud service providers that store PHI

One thing to note: members of your workforce aren’t business associates. Neither are other covered entities when they’re providing treatment. And if a vendor only has incidental access to PHI—like a janitorial service that might glimpse a document while cleaning—they typically don’t qualify as business associates either.

BAA vs other confidentiality agreements

You might be thinking, “I have an NDA, isn’t that enough?” Not even close. An NDA, or non-disclosure agreement, is a general contract to protect confidential business information—like your marketing plans or trade secrets. A BAA is a very specific, legally-mandated contract under HIPAA designed to protect one thing: Protected Health Information (PHI). While both deal with confidentiality, a BAA comes with the full weight of HIPAA regulations and penalties. They serve different purposes and one cannot replace the other.

Here’s how they differ:

  • Legal basis: NDAs are based on general contract law. BAAs are required by federal HIPAA regulations.

  • Scope of protection: NDAs protect any confidential business information you define. BAAs specifically protect PHI as defined by HIPAA.

  • Penalties: Breaching an NDA can lead to civil liability. Violating a BAA can result in HIPAA penalties, which can reach millions of dollars, plus potential criminal charges. For example, offenses committed with intent to sell PHI or for commercial advantage can result in fines of up to $250,000 and imprisonment of up to 10 years.

  • Required terms: NDAs are flexible in their terms. BAAs must include specific provisions mandated by HIPAA.

In practice, you might have both an NDA and a BAA with the same vendor. The NDA protects your general business secrets, while the BAA specifically addresses PHI handling. Don’t assume one covers the other—they’re distinct agreements for distinct purposes.

How to create a business associate agreement

Creating a business associate agreement requires including specific legal and regulatory elements to ensure HIPAA compliance and protect both parties. The agreement must contain these essential components:

Basic information

Business associate agreements must meet standard contract enforceability requirements to be legally binding. These foundational elements include:

  • Date. Include one at the top and one at the bottom. The date at the top indicates when the agreement was drafted, while the date at the bottom appears next to each party’s signature to indicate the signing date. The effective date matters, because the covered entity is exposed for any PHI shared before the agreement is in force.

  • Names of the parties. Give the full legal names of the parties to the agreement, exactly as they appear on official records (e.g., a passport or driver’s license for an individual, articles of incorporation for a company). State which party is the covered entity and which is the business associate.

  • Acceptance. Determine how the parties will indicate acceptance of the terms of the agreement. Because business associate agreements are negotiated, non-standard contracts that require a lot of customization, you should use traditional eSignatures rather than embedded signing or clickwrap.

Business associate agreement-specific requirements

Beyond basic contract elements, business associate agreements must include HIPAA-specific provisions that define PHI handling, establish compliance frameworks, and create accountability measures:

  • Acknowledgment. Explain why HIPAA is relevant to the business relationship and why both parties are subject to HIPAA. Be as clear and direct as possible, so neither party can later excuse itself from liability.

  • The nature of the PHI involved. Outline what PHI the business associate and its subcontractors will create, receive, maintain, or transmit.

  • Definition of permissible versus impermissible uses. Define permissible and impermissible uses and disclosures of PHI as established in the HIPAA rules and relevant legislation and case law.

  • Liability and consequences. The U.S. Department of Health and Human Services (HHS) can audit business associates and their subcontractors at any time. A business associate is directly liable under HIPAA for unauthorized uses and disclosures of PHI, so violations can lead to enforcement by HHS, its Office for Civil Rights (OCR), and even the Department of Justice. As such, include language that holds either party responsible for a breach of PHI. Remember that a good business associate agreement protects PHI as well as your organization’s reputation. In particular:

    • Require the business associate to implement appropriate administrative, physical, and technical safeguards under the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic PHI.

    • Include language that outlines the consequences of failing to comply with HIPAA and contract requirements, including the covered entity’s right to terminate the agreement.

  • Protocol for employee HIPAA training. To ensure that both parties’ employees and subcontractors are safeguarding PHI, you should establish a protocol for employee HIPAA training.

  • Procedure in the event of a data breach. Establish and outline procedures in case a data breach happens: how the business associate reports incidents to the covered entity, within what time frame, and what information the report must contain. The HIPAA Breach Notification Rule requires a business associate to notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery; many covered entities contract for a much shorter window so they can meet their own notification deadlines. Also describe what each party will do to mitigate the harm caused by third parties accessing or misusing PHI.

  • Procedure for returning or destroying PHI. Describe how the parties should return and destroy PHI when requested to do so.

As you draft your business associate agreement, make sure to keep an eye on HIPAA regulations and rules. This ensures you have addressed all HIPAA requirements and covered every aspect of the relationship between the parties.

Common BAA compliance mistakes

I’ve seen a few common tripwires over the years. The biggest one is simply not having a BAA in place when one is required. Another is grabbing a generic template off the internet and calling it a day—these often don’t cover your specific situation or the latest rules. A huge one people forget is the subcontractor chain. According to HIPAA rules, you must ensure that any subcontractors engaged by your business associate agree to the same restrictions, meaning you need to ensure your business associate has BAAs with their own subcontractors who handle PHI. If they don’t, that’s a compliance gap that ultimately falls on you.

Here are the most frequent mistakes to avoid:

  • No BAA at all. Some organizations simply forget or don’t realize they need one. Every vendor relationship involving PHI requires a BAA—no exceptions.

  • Using outdated templates. HIPAA requirements have evolved, especially after the HITECH Act and the 2013 Omnibus Rule, which made business associates directly liable. Make sure your BAA reflects current regulations, not something drafted a decade ago.

  • Ignoring the subcontractor chain. Your business associate might use subcontractors who also access PHI. You need assurance that those relationships are also covered by BAAs.

  • Vague language around permitted uses. Be specific about what the business associate can and cannot do with PHI. Ambiguity creates risk.

  • Missing breach notification procedures. Your BAA should clearly state how and when the business associate must notify you of a breach.

  • Failing to update BAAs. When the scope of services changes, or when regulations update, your BAAs should be reviewed and amended accordingly.

How to draft and manage business associate agreements more efficiently

Creating business associate agreements from scratch presents significant complexity due to extensive HIPAA requirements and legal specifications. Traditional contract management approaches—using spreadsheets, email chains, and manual tracking—create additional risks for healthcare organizations.

Modern contract lifecycle management (CLM) systems address these challenges by centralizing contract creation, storage, and management. This centralization is vital for protecting your bottom line, as organizations lose an average of 8.6% of total spending annually to cost leakage in contracts, according to The 2025 Legal Operations Field Guide. These platforms provide HIPAA-compliant templates, automated workflows, and centralized repositories that reduce compliance risks while making your team’s work faster and more efficient.

The benefits become clear when you consider what happens without centralized systems. Each department ends up managing its own contracts, making it difficult for legal to get a comprehensive view of contractual obligations. Legal teams struggle to draft, manage, and execute business associate agreements efficiently, especially since these agreements often involve multiple departments and require specialized HIPAA knowledge. In fact, the report found that Healthcare & Life Sciences contracts have an average execution time of 49 days, one of the longest cycle times across all industries surveyed.

CLM software solves these problems by providing a central system for all contracts. You can draft, manage, and store contracts in a centralized repository, which eliminates departmental barriers and makes it easier to answer questions about upcoming obligations.

Modern platforms also offer contract automation that’s particularly valuable for BAAs. You can set up automated workflows for business associate agreements with up-to-date templates that contain built-in guardrails to ensure compliance. These systems allow you to modify contract template language, deliver updates instantly, and fine-tune approval routing workflows—all critical capabilities when you’re dealing with the regulatory requirements of HIPAA.

Key takeaways for BAA compliance

Business associate agreements are mandatory compliance requirements for HIPAA-covered entities working with third-party vendors who access PHI. These agreements protect sensitive health information while establishing clear legal frameworks for vendor relationships.

Effective BAA management requires the right tools and processes. Modern contract management platforms like Ironclad provide HIPAA-compliant templates, automated workflows, and centralized storage that ensure compliance while reducing administrative burden.

To draft an effective business associate agreement that protects PHI and your organization’s reputation, consider Ironclad. Equipped with an arsenal of tools such as Ironclad Data Repository and Ironclad Workflow Designer, Ironclad will make creating HIPAA-compliant contracts easier than ever. Our templates require no coding and contain all the clauses and language you need to get started. Simply upload a template, tag fields as needed, and add signers and approvers. Ironclad also adjusts approvals at the clause level, so you can accelerate contracting without sacrificing control.

Request a demo today to see how Ironclad can help you manage your business associate agreements.

Frequently asked questions about business associate agreements

Is a BAA required by law?

Yes, a Business Associate Agreement (BAA) is a legal requirement under the Health Insurance Portability and Accountability Act (HIPAA). If you are a covered entity sharing Protected Health Information (PHI) with a vendor, you must have a BAA in place to be compliant. Non-compliance can lead to significant fines, legal liability, and reputational damage.

What happens if you don’t have a BAA?

Failing to have a BAA when one is required is a HIPAA violation and can lead to significant consequences. This includes hefty fines from the Office for Civil Rights (OCR), potential legal liability, and serious damage to your organization’s reputation. Civil penalties are tiered by culpability, from $100 per violation where the entity did not know and could not reasonably have known, up to $50,000 per violation for willful neglect that is not corrected, with an annual cap per identical provision that tops out at $1.5 million. These are the base statutory amounts; HHS adjusts them for inflation each year, so current figures are higher.

Does a BAA need to be updated?

It’s a good practice to review your BAAs periodically, especially if there are changes to HIPAA regulations or the services provided by your business associate. While they don’t have a set expiration date, a BAA should be treated as a living document that reflects the current state of your business relationship and legal requirements. Any time the scope of work changes or new subcontractors are added, you should revisit the agreement.

Can a covered entity be a business associate?

Yes, a covered entity can act as a business associate of another covered entity. For example, if a hospital contracts with another healthcare provider to perform a specific service that involves PHI, that provider would need to sign a BAA for that particular arrangement, even though they’re also a covered entity in their own right.


Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.