Business Associate Agreement BAA HIPAA Guide 2026

Aug 01, 2025, 8 min read

Last updated: February 2, 2026

TL;DR: A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity and any vendor (or subcontractor) that creates, receives, maintains, or transmits PHI on its behalf. It defines permitted uses, required safeguards, breach reporting, subcontractor obligations, and what happens to PHI when the relationship ends. This article is for informational purposes and is not legal advice.


Introduction

If you handle protected health information (PHI), a BAA is not optional paperwork. HIPAA requires a written contract any time a third party creates, receives, maintains, or transmits PHI on behalf of a covered entity, which includes many software, IT, billing, analytics, and cloud vendors.

A practical way to think about it is this: your security controls matter, but regulators will also ask whether the responsibilities were contractually defined. The BAA is where that gets documented.


Quick answers

What does BAA stand for in healthcare?

In HIPAA context, BAA stands for Business Associate Agreement. (Not the Buy American Act.)

What is a business associate agreement?

A BAA is the HIPAA-required written contract between a covered entity and a business associate that sets rules for how PHI can be used and protected.

When do you need a BAA?

You need a BAA before any vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity.

What must a BAA include?

At a minimum: permitted uses and disclosures, required safeguards, reporting of improper uses and breaches, subcontractor flow-down obligations, access to information needed for individual rights, making internal practices and records available to HHS for compliance review, return or destruction of PHI on termination, and authorization to terminate for violations. (See official requirements and sample provisions below.)

How long do you retain BAAs?

HIPAA documentation retention rules generally require keeping required documentation for six years from the date of creation or the date it was last in effect (whichever is later). Keep your BAAs with your HIPAA documentation set.


What a BAA is

A Business Associate Agreement is a contract required under HIPAA when a third party (a business associate) handles PHI for a covered entity. HHS provides sample contract provisions and a model agreement that reflect what HIPAA expects in these contracts.

Official resources: the HHS Office for Civil Rights (OCR) publishes sample business associate agreement provisions on hhs.gov; the underlying contract requirements are in 45 CFR 164.504(e).


Covered entity vs business associate vs subcontractor

Role | Common examples | PHI involvement | BAA required
Covered entity | Providers, health plans, clearinghouses | Uses PHI for care and operations | Yes, with its business associates
Business associate | Billing, IT/MSP, cloud/SaaS, analytics, consultants with PHI access | Creates, receives, maintains, or transmits PHI for the covered entity | Yes, with the covered entity
Subcontractor (downstream BA) | A vendor used by your business associate that also handles PHI | PHI flows through the BA's stack | Yes, with the business associate
Mere conduit (narrow exception) | Some couriers and transmission services | Transmits PHI but does not routinely access or store it | Often no, but validate carefully

Who needs a BAA

You typically need a BAA any time you hire a third party to perform services that involve PHI on your behalf. Common examples include:

  • Cloud hosting and infrastructure vendors
  • Database and workflow platforms used to store or process PHI
  • IT support, MSPs, and consultants with administrative access
  • Billing, claims, and revenue cycle vendors
  • Transcription, analytics, data services, or reporting vendors touching PHI
  • Document storage, scanning, and secure destruction vendors

Bottom line: if they can create, receive, maintain, or transmit PHI for you, assume you need a BAA and verify scope with counsel.


When a BAA is not required

There are limited scenarios where a BAA is not required. Common examples include:

  • Disclosures for treatment between providers (not a vendor relationship)
  • Disclosures directly to the individual (the patient)
  • Certain services that act as a “mere conduit” for transmission only

If a service stores PHI, provides persistent access, or has administrative ability to access systems with PHI, it usually falls outside the “mere conduit” idea.


What a BAA must include

HIPAA sets minimum required elements for business associate contracts. At a practical level, your BAA should clearly address:

  • Permitted uses and disclosures of PHI and limits on use
  • Safeguards the business associate must implement to protect PHI
  • Reporting of unauthorized uses and disclosures, including breaches of unsecured PHI as required by the Breach Notification Rule
  • Subcontractors bound in writing to the same restrictions and conditions that apply to the business associate
  • Support for individual rights where applicable (access, amendment, accounting of disclosures)
  • Making the business associate's internal practices, books, and records available to HHS for determining compliance
  • Return or destruction of PHI at the end of the relationship, or extended protections if return or destruction is infeasible
  • Termination rights if the business associate violates a material term

For official language and structure, use HHS sample provisions and the HHS model agreement as your baseline, then tailor to your actual data flows and services.


Vendor checklist before you sign

Use this to pressure-test whether a vendor is actually ready to sign a BAA and support HIPAA workflows.

Contract and scope

  • Will they sign a BAA for your specific use case and plan level?
  • Does the BAA match how PHI is actually used in the product (storage, messaging, files, integrations)?
  • Do they address subcontractors and downstream services in writing?

Security controls and evidence

  • Access controls (least privilege, role-based permissions, admin controls)
  • Audit logs (who accessed, changed, exported, downloaded)
  • Encryption in transit and at rest, key management responsibilities
  • Backups, recovery, and availability expectations
  • Incident response and breach notification timelines (HIPAA caps business associate breach notification at 60 days after discovery; most covered entities contract for a much shorter window so they can meet their own notification deadlines)

Operational reality

  • How fast can you remove access when staff changes happen?
  • Can you enforce PHI visibility rules inside real workflows (intake, scheduling, authorizations, notes)?
  • Can you export evidence quickly for an audit (logs, user lists, access history)?

BAA template and sample language

If you need a starting point, use official HHS materials first: OCR's sample business associate agreement provisions on hhs.gov.

Templates from vendors can be fine as a starting point, but they still need to reflect your services, your PHI scope, and your subcontractor chain. For anything complex, have counsel review.


Cloud and SaaS note

OCR has been explicit on a point many teams miss: a cloud service provider is a business associate when it stores or processes ePHI on your behalf, even if the data is encrypted and the provider never holds the decryption key. Lack of key access does not remove business associate status, so a BAA is required in that scenario.

For background, see OCR's Guidance on HIPAA and Cloud Computing and OCR's cybersecurity newsletter on file sharing and cloud computing risks, both on hhs.gov.


Using Tadabase for HIPAA-ready workflows

If your biggest problem is not a “compliance binder,” but day-to-day operations, the gap is usually the workflow software that touches PHI. Many teams end up building around spreadsheets, inboxes, and generic tools that were not designed for PHI access controls or audit trails.

Where Tadabase fits

  • Build custom internal apps and portals for staff, patients, or partners without writing code
  • Configure role-based permissions so users only see what they should
  • Use audit logs and access tracking to support audit evidence
  • Choose a HIPAA-ready hosting option and request a BAA for eligible accounts

Important: HIPAA compliance is shared responsibility. A platform can provide technical controls and a BAA when applicable, but you still need policies, training, and a real risk analysis for your environment.

Explore Tadabase healthcare and HIPAA-ready hosting options


Frequently asked questions

Is a BAA required even if data is encrypted?

Often yes. If a vendor creates, receives, maintains, or transmits ePHI on behalf of a covered entity, they can be a business associate even if they do not hold the encryption key. Make the decision based on access and control, not on marketing claims.

When is a business associate agreement required?

Before PHI is shared with any vendor performing services on behalf of a covered entity where PHI is involved. If PHI is part of the service delivery, assume a BAA is required and confirm scope.

What is included in a BAA?

At minimum: permitted uses and disclosures, safeguards, breach reporting, subcontractor obligations, support for required individual rights requests, availability of records to HHS, return or destruction of PHI upon termination, and termination rights for violations.

How long is a business associate agreement valid?

Typically as long as the underlying services relationship exists, unless the contract sets a term. Many teams review BAAs annually and anytime services, vendors, or data flows change.

How long should I keep BAAs?

HIPAA documentation retention rules generally require keeping required documentation for six years from creation or last effective date, whichever is later.

Is a BAA the same as an NDA?

No. An NDA is a general confidentiality contract. A BAA is a HIPAA-specific agreement that binds a vendor to required privacy and security obligations for PHI.

Is a BAA the same as a DPA?

No. A DPA is commonly used for GDPR and other privacy laws. Some organizations need both, depending on jurisdictions and data types.


Conclusion

A BAA is one of the clearest compliance signals you control: it documents who is responsible for PHI safeguards, how incidents are handled, and what happens to PHI when a relationship ends.

If you are evaluating vendors, start with scope and access. Then confirm the BAA is available on your plan, matches your real PHI workflows, and is backed by controls you can actually enforce and audit.


Written by Sariva Sherman
