Business Associate Agreements (BAA): What They Are & When You Need One

If a vendor touches your patients' protected health information, HIPAA almost always requires a signed Business Associate Agreement first. This guide explains what a BAA is, who counts as a business associate, what a compliant agreement must include, and how to keep track of them so none quietly expire.

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a written contract between a covered entity (or another business associate) and a vendor that handles protected health information (PHI) on its behalf. Required under the HIPAA Privacy and Security Rules (§164.308(b) and §164.502(e)), it obligates the business associate to protect PHI, use it only as permitted, and report breaches — and it makes each party's HIPAA responsibilities explicit.

Who counts as a business associate?

A business associate is anyone outside your workforce who creates, receives, maintains, or transmits PHI to perform a service for you. Common examples include:

  • Billing, coding, and claims-processing companies
  • IT providers, managed service providers, and cloud hosting
  • EHR and practice-management software vendors
  • Email, e-fax, and secure messaging services that carry PHI
  • Document shredding and storage companies
  • Answering services and transcription vendors

Subcontractors that a business associate uses to handle PHI are also business associates and need their own agreements.

What a compliant BAA must include

  • The permitted and required uses and disclosures of PHI by the business associate.
  • A requirement to use appropriate safeguards to prevent unauthorized use or disclosure.
  • An obligation to report breaches and security incidents to the covered entity.
  • A requirement to ensure subcontractors that handle PHI agree to the same terms.
  • An obligation to make PHI available to satisfy patients' access rights.
  • Return or destruction of PHI when the agreement ends, where feasible.
  • Authorization for the covered entity to terminate the contract if terms are violated.

Why tracking BAAs matters

Signing a BAA once isn't enough. Vendors change, contracts renew, and agreements can lapse — and a missing or expired BAA is one of the most common findings in HIPAA enforcement. Keeping a current vendor list with each BAA's status and renewal date is part of your §164.314 organizational requirements and is exactly the evidence an auditor looks for.

Track your vendors and BAAs in Wardably

Keep a living vendor register — who touches PHI, whether a BAA is on file, and when it renews. Tracking vendors is free; storing BAA documents, generating agreements, and getting renewal reminders come with Pro, and you can attach a BAA straight to your risk assessment as evidence.

Frequently asked questions

A written contract between a covered entity (or another business associate) and a vendor that handles PHI on its behalf. It requires the business associate to safeguard PHI and defines each party's responsibilities under HIPAA.

Any person or company outside your workforce that handles PHI to perform a service for you — billing companies, IT and cloud providers, EHR vendors, shredding services, and many software tools. Subcontractors that handle PHI are business associates too.

Sharing PHI with a vendor without a signed BAA is itself a HIPAA violation and can result in significant penalties, even if no breach occurs. Missing BAAs are a common finding in HIPAA enforcement actions.

This guide is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.