Business Associate Agreement, the HIPAA Contract that Crosses Three Federal Rules
A business associate agreement is the written contract HIPAA requires between a covered entity and any vendor that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. Every business associate agreement that ships has to cross three federal rules at once, the Privacy Rule, the Security Rule, and the Breach Notification Rule, and the ten provisions below are the ones the regulation explicitly requires under 45 CFR 164.504(e)(2).
Layer 1: HIPAA Privacy Rule
45 CFR 164, Subpart E
Sets the baseline restrictions on use and disclosure of protected health information. The BAA is the instrument that extends those restrictions to anyone who handles PHI on the covered entity's behalf.
Layer 2: HIPAA Security Rule
45 CFR 164, Subpart C
Imposes administrative, physical, and technical safeguards on electronic protected health information. 45 CFR 164.314(a) requires the BAA to flow those safeguards through to every business associate.
Layer 3: Breach Notification Rule
45 CFR 164.400-414
Mandates notification to the covered entity, affected individuals, and HHS within strict deadlines after a breach of unsecured PHI. The BAA fixes the contractual breach-notice timeline between the parties.
The BAA is the binding instrument that crosses all three rules.
What Business Associate Agreements Actually Bind
A business associate agreement binds two specific HIPAA roles. The first is the covered entity: a health plan, a health-care clearinghouse, or a health-care provider that conducts certain electronic transactions defined in 45 CFR 160.103. The second is the business associate: any person or organization that creates, receives, maintains, or transmits protected health information on the covered entity's behalf, or that provides services to the covered entity and incidentally handles PHI in the course of doing so. The BAA sits between them and is the regulatory bridge that allows PHI to move from the covered entity to the vendor without violating the Privacy Rule the moment the data crosses.
The contract is required, not optional. 45 CFR 164.502(e)(1) permits a covered entity to disclose PHI to a business associate only if the covered entity obtains satisfactory assurances, in the form of a written contract or other written arrangement, that the business associate will appropriately safeguard the information. Disclosing PHI to a vendor without a BAA in place is itself a HIPAA violation, separate from any subsequent breach the vendor might commit. The Raleigh Orthopaedic settlement covered below settled at $750,000 specifically for that categorical failure to sign before sharing.
The HITECH Act of 2009 expanded the universe of business associates to include subcontractors and made business associates directly liable to HHS for many HIPAA violations, not just contractually liable to the covered entity. After HITECH, a cloud host that stores PHI for a billing service that bills a hospital is itself a business associate, and it must sign a BAA with the billing service that flows down the same protections the billing service owes the hospital. The chain has no defined length; whoever handles PHI on someone's behalf is in the chain.
For non-health-care confidentiality obligations that sit alongside BAAs in commercial relationships, the underlying confidentiality doctrine is the same general contract-law frame. The non-disclosure agreement template walkthrough covers the general-purpose confidentiality instrument that usually pairs with a BAA when a vendor handles both PHI and non-PHI trade secrets for the same client.
Why HIPAA Mandates a Business Associate Agreement at All
HIPAA's Privacy Rule applies directly to covered entities. Without a BAA, the rule would stop at the covered entity's edge: the hospital itself could not use or disclose PHI in ways that violated the rule, but the vendor that actually receives the data from the hospital would have no direct obligation. The BAA closes that gap by extending the same restrictions, by contract, to anyone the covered entity hands the data to. The first purpose, then, is doctrinal: the BAA is the instrument that makes the Privacy Rule travel with the data.
The second purpose is operational allocation of safeguards. The Security Rule requires administrative, physical, and technical safeguards on electronic PHI. The covered entity cannot inspect every vendor's data center, every encryption key, every workforce background check. The BAA, paired with the Security Rule obligations 45 CFR 164.314(a) flows down directly to business associates, makes the vendor responsible for implementing the safeguards on its side and gives the covered entity a contractual handle to enforce them.
The third purpose is breach notification coordination. When unsecured PHI is breached, the covered entity owes notice to the affected individuals within 60 days, notice to HHS in the same window for larger breaches, and notice to the media for breaches affecting 500 or more individuals in any one state. The BAA fixes how quickly the business associate must report a breach to the covered entity so the covered entity has runway to meet those statutory deadlines. A BAA that allows the vendor 60 full days to report leaves the covered entity zero runway. A BAA that requires 24-72 hour reporting is the operational baseline most sophisticated covered entities now require.
The fourth purpose is liability allocation. Post-HITECH, business associates are directly liable to HHS for many HIPAA violations, but the covered entity remains the primary regulated party and the most likely target of an OCR audit. The BAA's indemnification and termination clauses are the covered entity's recourse against a vendor whose conduct triggers an OCR settlement against the covered entity itself. The settlements summarized in the enforcement section below show what those numbers can look like.
The Ten Required Provisions of a Working Business Associate Agreement
45 CFR 164.504(e)(2) lists the required content of a business associate agreement. The provisions below track that subsection directly. A BAA missing any one of them is non-compliant on its face, regardless of how the parties otherwise behave. HHS-OCR's published model BAA contains the same ten elements; sophisticated industry templates layer additional commercial terms (indemnification, liability caps, audit rights, insurance) on top of the regulatory floor.
Permitted uses and disclosures
Names the limited purposes for which the business associate may use or disclose PHI: only to perform the contracted services for the covered entity, plus management and administration of its own business, and as required by law.
Prohibition on further disclosure
Bars the business associate from using or further disclosing PHI in any manner that would violate the Privacy Rule if done by the covered entity itself.
Required safeguards
Requires implementation of administrative, physical, and technical safeguards under the Security Rule to prevent unauthorized use or disclosure of electronic PHI.
Breach reporting
Obligates the business associate to report any unauthorized use or disclosure, and any security incident, to the covered entity. Most BAAs hard-code a notice period of 60 days or less from discovery, often as short as 24 to 72 hours.
Subcontractor flow-down
Requires every subcontractor that creates, receives, maintains, or transmits PHI on the business associate's behalf to sign its own BAA with the same protections, per 45 CFR 164.502(e)(1)(ii).
Individual rights support
Requires the business associate to make PHI available to support the covered entity's obligations to provide individuals with access, amendment, and an accounting of disclosures under 45 CFR 164.524, .526, and .528.
Records availability for HHS
Requires the business associate to make its internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance audits and investigations.
Return or destruction at termination
Obligates the business associate to return or destroy all PHI at the end of the engagement, where feasible. If return or destruction is not feasible, the protections of the BAA must continue to apply for as long as the PHI is retained.
Termination for breach
Authorizes the covered entity to terminate the contract if it determines the business associate has materially breached the BAA, with cure provisions and a duty to report unresolved breaches to HHS where applicable.
Compliance with applicable Security Rule provisions
Tracks 45 CFR 164.314(a)(2) and confirms the business associate complies with all Security Rule provisions that apply directly to business associates under the HITECH Act.
The Flow-Down: Two Required Tiers, Same Provisions
HIPAA does not stop at the first vendor. 45 CFR 164.502(e)(1)(ii) requires the same written contract with the same protections at every tier where a person handles PHI on the prior tier's behalf. Subcontractors are themselves business associates, and the chain extends as far as PHI travels. Both tiers below carry the same ten provisions listed in the prior section.
Covered Entity → Business Associate
Hospital, health plan, or qualifying provider engages a vendor (cloud host, transcription service, billing company, claims processor, analytics platform) that will handle PHI. 45 CFR 164.504(e)(2) requires a written BAA with the ten provisions above.
Business Associate → Subcontractor
The business associate engages its own subcontractor (sub-cloud host, support contractor, third-party developer) that will handle PHI. 45 CFR 164.502(e)(1)(ii) requires the same written BAA with the same flow-down obligations down the chain. Liability follows.
The 60-Day Clock and Why the BAA's Notice Period Decides Everything
1. Day 0: Discovery
A business associate discovers an impermissible use or disclosure of unsecured PHI. The clock under 45 CFR 164.410 starts running on the calendar day the breach is discovered or, by exercise of reasonable diligence, would have been discovered.
2. Within X days: Notice to covered entity
The BAA's contractual notice period governs. The HIPAA outer limit is 60 calendar days from discovery, but most BAAs require notice within 10 to 30 days, and some require notice within 24 to 72 hours where the covered entity needs the runway to meet its own individual-notice deadline.
3. Day 60: Individual notice deadline
The covered entity must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery, per 45 CFR 164.404. The business associate's reporting window and the covered entity's runway are drawn from the same 60 days: if the BAA allows the business associate 55 of those days to report, only 5 days remain for the covered entity to notify every affected individual, and it scrambles.
4. Day 60 (concurrent): HHS notice for breaches affecting 500+
Breaches affecting 500 or more individuals require concurrent notice to HHS and to prominent media outlets serving the affected geography. Smaller breaches are reported in an annual summary to HHS.
For commercial agreements that sit alongside the BAA in the same vendor relationship (master services agreements, statements of work, software license agreements for clinical-systems software), the underlying contract architecture is the same general commercial frame. The BAA is the HIPAA-specific overlay that sits on top of those broader contract families, not a replacement for them, and a sophisticated vendor onboarding ships the BAA in parallel with the MSA, the SOW, and any product-specific license.
How HHS-OCR Enforces Business Associate Agreement Compliance
The HHS Office for Civil Rights (OCR) enforces HIPAA through audits, investigations triggered by breach reports or complaints, and resolution agreements with civil monetary penalties. OCR does not need to prove a downstream harm to a patient; the regulatory failure itself is the violation. The three published settlements below illustrate the spectrum of BAA failures OCR has actually penalized, and the per-violation penalty tiers under 45 CFR 160.404 range from $137 to $68,928 per violation depending on the culpability tier, capped at $2.067 million per identical-violation year (post-2024 inflation adjustment).
Anchorage Community Mental Health Services, Inc.
OCR settlement after a malware breach exposed ePHI of 2,743 individuals. OCR's investigation found that the entity had not conducted an accurate and thorough security risk assessment as required by the Security Rule, and that BAAs in place with software vendors did not adequately address the Security Rule safeguards.
Care New England Health System
OCR settlement after an unencrypted backup tape containing ePHI of 14,000 individuals went missing. The investigation revealed the parent organization's BAA with a covered hospital subsidiary had not been updated to reflect HITECH Act amendments effective 2010, leaving a six-year gap in flow-down obligations.
Raleigh Orthopaedic Clinic, P.A.
OCR settlement after the clinic transferred X-ray films containing ePHI of 17,300 individuals to a vendor for harvesting silver from the films, without first executing a BAA. OCR found a categorical failure to enter the BAA before disclosing PHI, the most basic BAA-compliance failure.
The Common BAA Failures OCR Sees Repeatedly
Three failure modes recur across published OCR settlements. The first is no BAA in place at all before PHI was disclosed; this is the categorical failure Raleigh Orthopaedic illustrates and is the hardest to defend, since the regulation itself bars the disclosure absent the contract. The second is an outdated BAA that was never refreshed after HITECH took effect in 2010 or after the Omnibus Final Rule took effect in 2013; older BAAs often lack the direct flow-down to subcontractors and the updated breach-notification language. The third is a present-but-lightweight HIPAA BAA that papers over the requirement without implementing the underlying safeguards; OCR's investigations routinely look beyond the contract to whether the safeguards were actually deployed, and a paper-only BAA does not save a real-world security failure.
For health-care contracts that sit upstream of the BAA (the master services agreement, the software license agreement, the statement of work), the standard commercial drafting frame applies. Browse the contract templates Word library for the underlying commercial contract families a covered entity ships alongside the BAA in any sophisticated vendor onboarding.
Drafting or Reviewing a HIPAA BAA?
A workable BAA tracks 45 CFR 164.504(e)(2), flows down to every subcontractor, fixes a breach-notification window the covered entity can actually meet, and layers commercial protections (indemnification, liability caps, audit rights, insurance) above the regulatory floor. Submit the deal facts and a privacy and compliance attorney will return a drafted or reviewed BAA tied to the specific vendor scope and the covered entity's risk posture.
Get a Custom HIPAA BAA Quote
Or browse the free agreement contract template catalog and the LLC operating agreements template for the underlying commercial drafting frames.