HIPAA Business Associate Agreement (BAA) — 2026 Guide

When an HR tech vendor, benefits platform, or any third-party service provider handles Protected Health Information on behalf of a covered entity, they operate as a business associate under HIPAA — and that triggers a specific legal requirement: a signed Business Associate Agreement before any PHI changes hands.

Missing that agreement doesn't require a data breach to generate penalties. Pagosa Springs Medical Center paid $111,400 after disclosing ePHI to Google without a BAA in place — no mass breach, just an absent contract. At the other end of the scale, the current Tier 4 penalty ceiling sits at $2,134,831 per violation after 2026 inflation adjustments.

This guide covers what a BAA is, who needs one, what it must contain, how to create and manage one, and the mistakes that most reliably trigger enforcement.


TL;DR

  • A BAA is a federally required contract governing how vendors handle PHI — it must be signed before any PHI is shared with a vendor (45 CFR § 164.504(e))
  • Business associates face direct HIPAA liability and can be fined by OCR independently, without any action against the covered entity
  • BAA obligations flow downstream — business associates must also sign BAAs with any subcontractors that handle PHI
  • A cloud provider storing encrypted ePHI is still a business associate — encryption alone doesn't remove BA status
  • OCR penalizes covered entities that fail to vet and monitor their vendors' security posture — a signed BAA is not a compliance substitute

What Is a HIPAA Business Associate Agreement?

A Business Associate Agreement is a written contract required by 45 CFR § 164.504(e) between a covered entity and any third party that creates, receives, maintains, or transmits PHI on the covered entity's behalf. The contract defines what the business associate may and may not do with that data, how they must protect it, how they must report incidents, and what happens to the PHI when the relationship ends.

The BAA isn't a formality. It directly binds the business associate to HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Under the HITECH Act and the 2013 Omnibus Final Rule, business associates carry direct liability — OCR can fine them independently, without the covered entity being involved at all.

What the BAA Actually Does

Before HITECH (2009), HIPAA enforcement focused almost entirely on covered entities. Business associates were largely held accountable only through their contracts. The 2013 Omnibus Rule closed that gap. Today, the HHS Direct Liability Factsheet identifies six categories of direct business associate liability, including:

  • Failure to comply with the Security Rule
  • Impermissible uses or disclosures of PHI
  • Failure to report breaches to the covered entity
  • Failure to execute required BAAs with subcontractors
  • Failure to provide HHS with access to records during an investigation

The absence of a signed BAA doesn't eliminate these obligations. A business associate is bound to the Security Rule regardless of whether the covered entity ever executed a written agreement.


Who Needs a HIPAA BAA — and Who Doesn't?

Covered Entities

Under 45 CFR § 160.103, covered entities are health plans, health care clearinghouses, and health care providers that conduct covered electronic transactions. These are the organizations responsible for executing BAAs before sharing PHI with vendors.

Business Associates

The business associate definition is broad. Per HHS, it covers any person or entity that performs functions involving the use or disclosure of PHI on behalf of a covered entity. The regulatory function list at 45 CFR § 160.103 explicitly includes:

  • Claims processing and billing services
  • Benefit management and utilization review
  • Data aggregation, analytics, and quality assurance
  • IT consultants, legal, and accounting services with PHI access
  • Cloud storage providers and SaaS platforms
  • Medical transcriptionists and coding services

[Figure: Six HIPAA business associate categories with regulatory examples]

For HR tech and benefits platforms specifically: "benefit management" is explicitly listed in the HHS function categories. Benefits enrollment platforms that process employee health plan elections, COBRA qualifying event data, ACA eligibility records, or dependent health coverage information are clearly within the business associate definition — regardless of whether they think of themselves as a healthcare company.

That classification has direct implications for integration infrastructure. Bindbee, which powers benefits data exchange across 60+ HRIS, payroll, and carrier systems for 50+ benefits platforms, processes PHI categories including health plan enrollment elections, dependent coverage data, COBRA qualifying events, ACA eligibility records, and HSA/FSA contribution data.

Its HIPAA-compliant infrastructure includes a formal BAA framework. Bindbee executes a Business Associate Agreement as part of its customer relationship, providing a compliant foundation for these data flows.

The Conduit Exception (and Why It Rarely Applies)

Entities that merely transport PHI in transit without storing it — postal services, couriers, internet service providers — qualify for the conduit exception and don't need a BAA.

Cloud vendors and API platforms don't. HHS's October 2016 Cloud Computing Guidance settled this: a cloud service provider is a business associate even if it stores only encrypted ePHI and never possesses the decryption key, because it "maintains" ePHI on behalf of the covered entity. SaaS, PaaS, and IaaS providers all fall within scope.

When a BAA Is NOT Required

A BAA isn't needed when a vendor's functions don't involve PHI use or disclosure. Specific exceptions under HHS guidance include:

  • Treatment referrals between providers
  • Laboratory disclosures to providers for treatment purposes
  • Disclosures from a group health plan to a plan sponsor under specific conditions
  • Entities acting purely as conduits (transient transmission only, no storage)

What a HIPAA-Compliant BAA Must Include

Under 45 CFR § 164.504(e)(2), a BAA must address eleven core areas. HHS published sample BAA provisions in January 2013 that remain publicly available as a drafting reference.

Mandatory Provisions

Each required provision, and what it covers:

  • Permitted uses and disclosures: defines exactly what the BA may do with PHI and prohibits all other uses
  • Safeguards obligation: requires appropriate administrative, physical, and technical controls consistent with the Security Rule
  • Breach and incident reporting: the BA must notify the covered entity of any breach of unsecured PHI without unreasonable delay
  • Subcontractor flow-down: the BA must execute BAAs with all subcontractors that create, receive, maintain, or transmit PHI
  • Patient rights support: the BA must support individual access (§ 164.524), amendment (§ 164.526), and disclosure accounting (§ 164.528)
  • HHS audit access: the BA must make books and records available to the Secretary of HHS for compliance determinations
  • Return or destruction of PHI: at termination, all PHI must be returned or destroyed; these obligations survive the end of the agreement
  • Termination for cause: the covered entity may terminate if the BA materially violates the agreement

[Figure: Eight mandatory HIPAA BAA provisions compared against their regulatory requirements]

Optional Provisions Worth Including

The HIPAA minimum is a floor, not a ceiling. Depending on the relationship and applicable state law, consider adding:

  • Indemnification clauses that cover breach-related costs and regulatory penalties
  • Stricter breach notification timelines — Bindbee's BAA, for example, requires notification within 72 hours, compared to HIPAA's open-ended "without unreasonable delay" standard
  • State law addenda for jurisdictions with stricter rules — the Texas Medical Records Privacy Act imposes penalties up to $250,000 per violation, a 15-day deadline for electronic record access requests, and a full ban on PHI sales, and it applies to any out-of-state vendor handling PHI of Texas residents

The Downstream Chain Problem

The optional provisions above only matter if the BAA chain holds at every level. Every business associate must cascade BAA requirements to its own subcontractors — and that obligation doesn't stop at the first tier.

The further PHI travels from the covered entity, the more links exist in that chain. Each unexecuted downstream BAA is an independently enforceable violation under the HITECH Act, meaning a gap two or three vendors removed from the covered entity still creates direct liability.


How to Create and Execute a BAA

Step 1: Vet Before You Draft

Executing a BAA doesn't substitute for due diligence. OCR Director Jocelyn Samuels stated in the Raleigh Orthopaedic enforcement action that BAA requirements are "more than a mere check-the-box paperwork exercise."

Before sharing any PHI, covered entities should:

  1. Confirm the vendor qualifies as a business associate (does the service involve PHI?)
  2. Review the vendor's security posture and request evidence of HIPAA compliance
  3. Obtain SOC 2 Type II reports, ISO 27001 certificates, or equivalent audit documentation
  4. Review prior breach history and current risk assessment practices

[Figure: Four-step HIPAA vendor vetting process before executing a business associate agreement]

For vendors handling employee health data or benefits eligibility — the kind that flows through HRIS and benefits integrations — look for providers that maintain SOC 2 Type II and ISO 27001 certifications alongside documented incident response procedures. Bindbee, for instance, carries all three and undergoes annual third-party risk assessments and penetration testing, which simplifies the vendor vetting checklist for benefits platforms using its API infrastructure.

Step 2: Draft and Customize

Once vetting is complete, start with the HHS sample BAA provisions as a baseline, then customize for:

  • The specific services and PHI types involved
  • Any applicable state law requirements
  • Additional contractual protections relevant to the relationship

Have legal counsel with HIPAA expertise review the agreement before execution — template language rarely accounts for state-specific requirements or relationship-specific risk.

Step 3: Manage It on an Ongoing Basis

BAAs remain valid indefinitely unless a termination date is specified — but a signed contract that's never revisited creates hidden risk. Best practices:

  • Annual review of all active BAAs
  • Re-confirm BA compliance posture after mergers, infrastructure changes, or regulatory updates
  • Document your monitoring process — OCR expects covered entities to maintain oversight throughout the relationship, not just at signing

Common BAA Mistakes That Lead to Penalties

Treating the Signed BAA as the Finish Line

It isn't. Multiple OCR enforcement actions confirm that covered entities face penalties for failing to actually vet and monitor business associate compliance — even when a signed BAA exists.

Two cases illustrate this clearly:

  • North Memorial Health Care paid $1,550,000 in March 2016 after failing to execute a BAA with Accretive Health, Inc., a major contractor with access to ePHI of 289,904 patients. The case began with a stolen laptop, but the core violation was the absent agreement and a missing organization-wide risk analysis.
  • Raleigh Orthopaedic Clinic paid $750,000 in April 2016 after handing approximately 17,300 X-ray films to a recycling vendor without a BAA in place.

[Figure: HIPAA BAA enforcement penalty comparison, North Memorial and Raleigh Orthopaedic case examples]

Neither penalty required a systemic breach of thousands of records. The absence of a required contract was sufficient.

Scope Gaps Within Covered Services

A BAA with a cloud provider or SaaS vendor only covers the specific services listed in the agreement. If employees use personal accounts or uncovered tools to handle PHI — sending patient data through personal Gmail when a Google Workspace BAA is in place — the covered entity is still in violation. What isn't in the contract isn't covered.

Subcontractor Chain Failures

The CHSPSC enforcement action shows how seriously OCR takes subcontractor chain failures: a business associate paid $2,300,000 in September 2020 for Security Rule violations affecting over 6 million individuals — pursued directly, without any covered entity violation triggering the action.

The underlying rule is straightforward. Business associates that don't execute downstream BAAs with their subcontractors break the chain of PHI custody, and that gap is a direct, independently enforceable violation under the HITECH Act.

Over-Executing BAAs

Over-executing BAAs creates its own compliance risk. Requiring agreements from vendors with no PHI access — landscapers, parking services, janitorial staff — generates contractual liability where none would otherwise exist.

The test is simple:

  • Does the vendor perform a function involving PHI? If yes, a BAA is required.
  • Does the vendor only have a general business relationship? If yes, no BAA is needed.

Unnecessary BAAs dilute the seriousness of genuine obligations and add administrative weight without any compliance benefit.


Frequently Asked Questions

What is a BAA under HIPAA?

A BAA is a written contract required by HIPAA between a covered entity and any third party (business associate) that creates, receives, maintains, or transmits PHI on the covered entity's behalf. It establishes permitted uses, required safeguards, breach reporting duties, and obligations upon termination.

Who needs a business associate agreement under HIPAA?

Covered entities — health plans, health care clearinghouses, and qualifying health care providers — must execute BAAs with any vendor that handles PHI on their behalf. Business associates must also execute BAAs with their own subcontractors who access PHI.

What are the requirements for a BAA under HIPAA?

Under 45 CFR § 164.504(e), a compliant BAA must include:

  • Defined permitted uses and disclosures of PHI
  • Required safeguards (administrative, physical, technical)
  • Breach reporting obligations
  • Subcontractor flow-down provisions
  • Support for patient rights (access, amendment, accounting)
  • HHS audit access
  • Return or destruction of PHI upon termination

Does the HIPAA Privacy Rule apply to business associates?

Yes. The HITECH Act and the 2013 Omnibus Final Rule made business associates directly liable under both the Privacy Rule and the Security Rule. OCR can fine business associates independently. A covered entity doesn't need to be in violation for the BA to face enforcement.

Are a BAA and an NDA the same thing?

No. An NDA is a general confidentiality agreement under contract law with no regulatory mandate. A BAA is a federally required contract with specific prescribed elements under HIPAA. An NDA does not satisfy the BAA requirement — relying on one in place of a BAA exposes both parties to regulatory penalties.