Ironclad Journal icon IRONCLAD JOURNAL

Business Associate Agreement: What Is a BAA?

Four colleagues huddled around one side of the desk in front of a computer over a small stack of papers. | What is a Business Associate Agreement?

If your organization is considered a “covered entity” under the Health Insurance Portability and Accountability Act (HIPAA), you must establish business associate agreements with business associates and their subcontractors to ensure the proper protection of personal health information. 

Business associate agreements form the backbone of your organization’s HIPAA compliance program. These agreements include clauses outlining the permissible and impermissible uses of Protected Health Information (PHI), each party’s liabilities, consequences of failing to comply with stated requirements, and more.

Because business associate agreements need to be vetted against relevant HIPAA rules, it’s a good idea to use advanced contract management tools like Ironclad Editor, which provides you with easy-to-use, codeless templates. Say goodbye to drafting business associate agreements from scratch—Ironclad allows you to create, upload, and share templatable workflows within minutes, with no coding required.

Read on to learn more about business associate agreements, why you need them, and how to create and manage them with Ironclad.

What is a business associate agreement?

A business associate agreement establishes a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI. 

This type of agreement is necessary if business associates can potentially access PHI during their work. It’s also required if the business associates’ subcontractors have potential access to PHI. 

Not every business that deals with PHI needs to create a business associate agreement. According to HIPAA, only the following “covered entities” need to establish business associate agreements:

  • Health plans, which refer to groups or individuals who pay or provide the cost of medical care.
  • Healthcare clearinghouses, which are public or private entities that process health information received from another entity. Examples include repricing companies, billing services, community health information systems, and “value-added” switches and networks that facilitate the processing of health information, particularly health information in nonstandard formats.
  • Healthcare providers who submit or transmit any health information for transactions with HHS standards.
  • Healthcare, including services, care, or supplies related to the health of an individual.
  • Hybrid entities such as universities with academic medical centers and hospitals that conduct electronic transactions for which HHS has established standards.

In the same vein, not every business partner working for a HIPAA-covered entity can be considered a business associate for a business associate agreement. Only the following are considered HIPAA-covered business associates:

  • People or entities who perform or assist in performing an activity or function involving PHI use or disclosure. These activities and functions include claims processing or administration, data analysis, quality assurance reviews, and utilization reviews.
  • People or entities who perform actuarial, consulting, legal, data aggregation, accreditation, management, administration, or financial services for or to a covered entity where performing these services involves disclosing PHI.

A covered entity’s employees, Internet service providers, and courier service partners are not considered one of its business associates, and a covered entity can be a business associate of another covered entity. 

How to create a business associate agreement

To create a business associate agreement, you need to include the following:

1. Basic information

As with all legally binding agreements, business associate contracts must have the following to be legally enforceable:

  • Date. Include one at the top and one at the bottom. The date at the top should indicate when the agreement was created, while the date at the bottom should appear next to each party’s signature to indicate the signing date.
  • Names of the parties. Give the full legal names of the parties to the agreement. The names must be exactly as they appear on the parties’ official I.D. cards (i.e., Passport or Driver’s License for individuals and Articles of Incorporation for companies). Mention which party is the covered entity and which is the business associate.
  • Acceptance. Determine how the parties will indicate acceptance of the terms of the agreement. Because business associate agreements are negotiated, non-standard contracts that require a lot of customization, you should use traditional eSignatures rather than embedded signing or clickwrap.

2. Business associate agreement-specific requirements

After you’ve filled out the basic information above, you need to include the following:

  • Acknowledgment. Explain why HIPAA is relevant to the business relationship and why both parties are subject to the HIPAA. Be as clear and direct as possible, so neither of the parties will be able to excuse themselves from liability.
  • The nature of the PHI involved. Outline what PHI the business associate and its subcontractors will access.
  • Definition of permissible versus impermissible. Define permissible and impermissible uses of PHI as established in relevant case law, rules, and legislation.
  • Liability and consequences. The U.S. Department of Health and Human Services (HHS) can audit business associates and business associate subcontractors any time they want. This means you can get in serious trouble with the HSS, the Office of Civil Rights, and even the Department of Justice for violating the HIPAA. As such, you need to include language that holds either party responsible for a breach of PHI. Remember that a good business associate agreement protects PHI as well as your organization’s reputation.
    • Require the business associate to implement appropriate technical, physical, and administrative safeguards according to the HIPPA’s Security Rule to safeguard the integrity, confidentiality, and availability of PHI.
    • Include language that outlines the consequences of failing to comply with HIPAA and contract requirements.
  • Protocol for employee HIPAA training. To ensure that both parties’ employees and subcontractors are safeguarding PHI, you should establish a protocol for employee HIPAA training.
  • Procedure in the event of a data breach. Establish and outline procedures in case a data breach happens. For instance, mention what you can do to mitigate the harm caused by malicious third parties misusing and accessing PHI.
  • Procedure for returning or destroying PHI. Describe how the parties should return and destroy PHI when requested to do so.

As you draft your business associate agreement, make sure to keep an eye on HIPAA regulations and rules. This is to ensure you’ve covered everything you need to under HIPAA and that you’ve covered every aspect of the relationship between the parties.

How to streamline drafting and managing business associate agreements

With so many clauses to draft, it can be challenging to create a business associate agreement from scratch. Managing these contracts can be even harder, particularly if your company is still relying on traditional ways of processing and storing contracts. Without a centralized hub to store and draft contracts, each department would have to manage its own contracts, making it difficult for Legal to get a thorough understanding of your company’s contractual obligations. Legal will also find it challenging to draft, manage, and execute business associate agreements, especially since they often interest more than one department. 

If your organization is still relying on USBs and hard drives to store Word and PDF contracts, consider shifting to modern CLM software. Draft, manage, and store contracts in a centralized Data Repository, thereby breaking down your company’s contract silos and streamline the process of answering questions about upcoming contractual obligations.

You can use also Workflow Designer to draft and approve automated workflows for business associate agreements.  Our templates are up-to-date and contain guardrails to ensure 100% automatic contract compliance. What’s more, you can easily modify contract template language, deliver updates instantly, and fine-tune approval routing workflows.


Business associate agreements are vital for HIPAA compliance if you are a covered entity. HIPAA-covered entities—such as healthcare providers and healthcare clearinghouses—must draft business associate agreements with business associates and subcontractors to shield PHI from potential attackers.

To draft an effective business associate agreement that protects PHI and your organization’s reputation, consider Ironclad. Equipped with an arsenal of tools such as Data Repository and Workflow Designer, Ironclad will make creating HIPAA-compliant contracts easier than ever. Our templates require no coding and contain all the clauses and language you need to get started. Simply upload a template, tag fields as needed, and add signers and approvers. Ironclad also adjusts approvals at the clause level, so you can speed-contract without sacrificing control.

Try Ironclad for your contracts today.

Want more content like this? Sign up for our monthly newsletter.

Book your live demo