Business Associate Agreements (BAAs): What They Are and Why You Need Them

Published May 2, 2026

A Business Associate Agreement (BAA) is a written contract between a HIPAA covered entity and any third party that handles Protected Health Information on the covered entity's behalf. If your dental lab receives x-rays tied to a patient name, your billing service processes insurance claims, or your EHR vendor stores your patient charts — they're business associates, and they need a BAA before you can legally transmit PHI to them. Skipping the BAA is one of the most common — and most-enforced — HIPAA violations.

What counts as a business associate

45 CFR § 160.103 defines a business associate as a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. The qualifying phrase is "on behalf of": somebody doing a job for you that involves patient information.

Examples: EHR vendors, cloud backup services, billing companies, dental labs, transcription services, virtual receptionists, telehealth platforms, shred vendors that handle paper records with PHI, IT contractors with access to your systems, and patient engagement platforms.

Not business associates: utility companies, your landlord, banks that process credit card transactions (treated separately under the Conduit Exception), and other covered entities you exchange PHI with for treatment purposes.

What a BAA must contain

45 CFR § 164.504(e)(2) lists the required elements. A compliant BAA must:

• Describe the permitted uses and disclosures of PHI by the business associate
• Prohibit further uses or disclosures beyond what the contract or law allows
• Require the business associate to implement appropriate safeguards (the same Security Rule standards covered entities follow)
• Require the business associate to report any breach back to the covered entity
• Require the business associate to ensure any subcontractors agree to the same restrictions
• Give the covered entity termination rights if the business associate violates the agreement
• Require the business associate to return or destroy all PHI upon termination, or extend the BAA's protections for as long as the data is retained

HHS publishes a free sample BAA template that meets the regulatory floor.

The risk of skipping the BAA

Sending PHI to a vendor without a signed BAA is a separate violation from any downstream breach the vendor might cause. HHS has issued enforcement actions for missing BAAs alone — most notably the $750,000 Cancer Care Group settlement in 2015, where the missing BAA was a primary factor in the penalty calculation.

The practical risk: if a vendor you didn't have a BAA with has a breach, you face penalties under both the missing-BAA violation and the breach itself.

How to fix gaps in your BAA inventory

Start with a written list of every vendor that touches PHI in your practice — EHR, billing, lab, IT, scheduling, telehealth, shredding, transcription, anything. For each one, check whether you have a signed BAA on file. If not, request one. Major vendors (Epic, Athenahealth, AWS, Google Workspace, Microsoft 365) have BAAs available on request — most refuse to do business without one.

For smaller vendors that may not have a standard BAA, you can send them the HHS sample BAA or generate one through TrackHIPAA, which pre-populates the required clauses for your practice.

Key takeaways

• Any vendor that handles PHI on your behalf needs a BAA
• 45 CFR § 164.504(e)(2) lists exactly what a BAA must contain
• HHS has fined practices for missing BAAs alone, separate from any breach
• Most major vendors offer BAAs on request — small vendors often don't
• Maintain a written BAA inventory and review it annually
