What is a HIPAA Business Associate Agreement (BAA)? Requirements, clauses, and checklist

by SecureSlate Team in HIPAA

What is a HIPAA Business Associate Agreement?

A HIPAA Business Associate Agreement (BAA) is a contract between a covered entity and a business associate (or between business associates) that defines how protected health information (PHI) will be handled. BAAs are not optional paperwork—they are a Privacy Rule requirement before PHI can be disclosed to most vendors.

For healthtech companies, the BAA is often the gateway to revenue: enterprise healthcare customers will not integrate without one. For covered entities, missing or weak BAAs create direct liability and vendor blind spots.

This guide covers:

  • Who qualifies as a business associate
  • Required BAA clauses under HIPAA
  • Subcontractor flow-down and practical negotiation tips
  • A checklist to evaluate BAAs before signing

Related guides:

Signing and managing HIPAA Business Associate Agreements



Key takeaways

  • A BAA must be in place before PHI disclosure to a business associate, with limited exceptions.
  • Business associates include many cloud, billing, IT, and SaaS vendors that create, receive, maintain, or transmit PHI on behalf of covered entities.
  • BAAs must include specific HIPAA-mandated clauses covering permitted uses, safeguards, breach notification, and subcontractor obligations.
  • Subcontractors that handle PHI need flow-down BAAs—multi-tenant vendors must prove their chain of contracts.
  • Maintain a BAA inventory with review dates—contracts expire; subprocessors change.

Who needs a BAA?

Covered entities

Healthcare providers, health plans, and clearinghouses that disclose PHI to vendors for services generally need BAAs before sharing PHI.

Business associates

A business associate performs functions involving PHI on behalf of a covered entity. Common examples:

  • Cloud hosting and infrastructure providers with PHI access
  • EHR, practice management, and telehealth platforms
  • Billing, coding, and revenue cycle vendors
  • IT managed service providers with admin access
  • Data analytics vendors processing identifiable health data
  • Shredding, transcription, and document storage services

Exceptions (limited)

Certain disclosures do not require BAAs—for example, disclosures to the individual, treatment disclosures between providers, and disclosures required by law. When in doubt, consult counsel rather than assuming an exception applies.


Required BAA clauses under HIPAA

HIPAA specifies that BAAs must include provisions requiring business associates to:

  • Permitted uses: limit the business associate's use and disclosure of PHI to the contract scope and to what HIPAA permits
  • Safeguards: implement appropriate administrative, physical, and technical safeguards
  • Subcontractors: ensure subcontractors agree to the same restrictions through a written contract
  • Reporting: report uses and disclosures not allowed by the contract, including breaches
  • Mitigation: mitigate the harmful effects of known impermissible uses or disclosures
  • Access to books: make internal practices, books, and records available to HHS for compliance review
  • Return/destruction: return or destroy PHI at termination (where feasible)
  • Breach notification: notify the covered entity of breaches of unsecured PHI

Many organizations add operational detail: security exhibit references, audit rights, insurance, incident cooperation, and data residency.


Subcontractors and flow-down requirements

When a business associate delegates PHI functions to a subcontractor, HIPAA requires a written contract with substantially similar restrictions.

Practical implications:

  • Cloud providers must list subprocessors (email delivery, monitoring, backup regions)
  • Covered entities should request subprocessor notification and objection rights
  • Vendors must maintain a subprocessor BAA inventory with dates and scope

During diligence, ask: "Show me your BAA template and three executed subcontractor BAAs redacted." Gaps here delay enterprise deals.


Negotiating BAAs with vendors

BAAs are often appended to master service agreements (MSAs). Focus negotiations on:

Scope of PHI

Define which systems, environments, and data elements the vendor touches. Narrow scope reduces risk and audit surface.

Breach notification timelines

Align the contractual timeline with your incident response plan. Many covered entities require notification without unreasonable delay and often expect initial notice well inside the 60-day statutory maximum.

Audit and assessment rights

Include rights to review SOC reports, penetration tests, or questionnaires on a reasonable cadence.

Termination and data return

Clarify export formats, deletion timelines, and certificates of destruction.

Liability and indemnity

Legal teams negotiate these terms; ensure they do not silently waive HIPAA-required obligations.


BAA checklist for covered entities and vendors

Use this checklist before execution:

Pre-signature

  • Vendor classified correctly (business associate vs. conduit exception—rare)
  • Data flow diagram shows PHI entering vendor systems
  • Security assessment completed (questionnaire, SOC 2, etc.)
  • Subprocessor list reviewed and acceptable
  • All required HIPAA clauses present verbatim or substantively equivalent

Operational

  • BAA stored in central repository with expiration/renewal dates
  • Owner assigned for periodic vendor review
  • Integration configs enforce minimum necessary data sharing
  • Incident contacts documented on both sides

Ongoing

  • Re-review on vendor scope changes (new AI features, new regions)
  • Confirm subprocessors remain covered when vendor updates lists
  • Termination playbook tested (data export and destruction)

Common BAA gaps that cause audit findings

  • PHI shared before the BAA is executed. Risk: direct Privacy Rule violation. Remediation: block integrations until the BAA is signed.
  • Outdated BAA after a vendor pivot. Risk: scope mismatch. Remediation: amend the BAA on material service changes.
  • Missing subcontractor flow-down. Risk: the chain of contracts breaks at subprocessors. Remediation: require subprocessor attestations.
  • Vague breach notification clause. Risk: delayed incident response. Remediation: specify timelines and the details a report must contain.
  • No BAA inventory. Risk: unknown vendor exposure. Remediation: keep a central register with named owners.

OCR enforcement actions frequently cite vendor management failures alongside technical safeguards.


Track BAAs and vendor risk with SecureSlate

BAAs multiply quickly across cloud, billing, and healthtech stacks. SecureSlate helps you stay ahead of vendor-driven HIPAA risk.

SecureSlate helps teams:

  • Maintain a BAA inventory with owners, renewal dates, and scope notes
  • Link vendors to systems in your PHI inventory
  • Track review tasks and evidence from security assessments
  • Support audit and customer diligence with exportable records

Get started for free to manage BAAs as living compliance data—not buried PDFs.


FAQ

Is a BAA the same as HIPAA compliance?

No. A BAA is a contractual framework. Compliance requires implementing safeguards, policies, training, and evidence—not just signing a document.

Do we need a BAA with every SaaS vendor?

Only when the vendor is a business associate handling PHI on your behalf. Productivity tools without PHI access may not require BAAs—but verify data flows carefully.

Can business associates use standard BAA templates?

Many do, but covered entities may require edits. Ensure templates include all HIPAA-required clauses and match your service scope.

What happens if a BAA expires but services continue?

Continuing PHI access without a current BAA creates compliance risk. Pause integrations until contracts are renewed or amended.

Are cloud providers business associates?

Typically yes when they store or process PHI for covered entities, though facts matter. Major cloud providers offer HIPAA-eligible services with BAA options.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to HIPAA and related regulations, you should consult a licensed attorney.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.


Filed under: HIPAA

Author: SecureSlate Team
