What is Business Associate Agreement (BAA)?

A Business Associate Agreement (BAA) is a HIPAA-required written contract between a covered entity and a vendor (or between business associates) that handles protected health information on its behalf. Mandated by 45 CFR 164.504(e) and 164.308(b), it obligates the business associate to safeguard PHI, limit its use, report breaches, and comply with applicable HIPAA rules.

A BAA matters because covered entities cannot lawfully share PHI with a vendor — a cloud host, billing company, IT provider, or transcription service — without one. The agreement passes HIPAA obligations down the chain so that everyone touching PHI is contractually bound to protect it, and it is one of the first documents OCR asks for after a vendor-related breach.

For example, a dental practice using cloud practice-management software needs a signed BAA with that vendor; without it, simply storing PHI there can be a HIPAA violation regardless of how secure the platform is. Subcontractors that handle PHI need BAAs too.

Maintaining a BAA template and a tracked register of executed agreements makes vendor risk management and audit preparation much faster, because you can show that every PHI-handling relationship is documented. Templates speed up getting agreements in place, but a signed BAA alone does not make either party compliant — both must actually meet their HIPAA obligations.

Related terms: Covered Entity vs Business Associate · Vendor Risk Management · Data Processing Agreement (DPA) · Protected Health Information (PHI)

Frequently asked questions

Do I legally need a BAA?
Yes, if you disclose PHI to a vendor that creates, receives, maintains, or transmits it on your behalf. HIPAA requires the BAA before that PHI is shared; sharing without one is itself a compliance failure.
How is a BAA different from a standard vendor contract?
A BAA specifically addresses HIPAA: permitted uses of PHI, required safeguards, breach reporting, subcontractor flow-down, and return or destruction of PHI at termination. A general services contract does not satisfy this requirement on its own.
Who is responsible if the business associate has a breach?
Business associates are directly liable under HIPAA for their own violations and breaches. A covered entity can also face liability if it failed to obtain a BAA or knew of a vendor's ongoing violations and did not act.

Toolkits that cover Business Associate Agreement (BAA)

HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Medical Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.

$79 · 30% off with code
HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Dental Practices

18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.

$79 · 30% off with code
HIPAA Security & Privacy Rules

HIPAA Compliance Toolkit — Mental Health Practices

18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.

$79 · 30% off with code

Learn more in our HIPAA guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.