BAA 101: Business Associate Agreements Explained for Healthcare Vendors

A business associate agreement (BAA) is a written contract required by HIPAA between a covered entity (or another business associate) and any vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. The BAA defines how that vendor may use PHI, requires it to safeguard the data, and obligates it to report breaches. If your company touches PHI for a healthcare client, you almost certainly need a signed BAA in place before any data changes hands.

That last point trips up a lot of founders. The BAA isn’t paperwork you can backfill after go-live. Under the HIPAA Privacy Rule, a covered entity may disclose PHI to you only after it has obtained satisfactory assurances — in practice, a signed contract — that you will safeguard the data. So the BAA is often the gate between “we have a signed deal” and “we can actually start.”

This guide explains what a BAA is, who needs one, what it must contain, and how small vendors handle BAAs at scale without an enterprise legal department.

What is a business associate agreement?

A business associate agreement is a HIPAA-mandated contract that flows the rules of the Privacy Rule and Security Rule down from a covered entity to its vendors. HIPAA establishes two main categories of regulated party:

  • Covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions (clinics, hospitals, labs, pharmacies, and the like).
  • Business associates — anyone who performs a function or service for a covered entity that involves PHI. This includes billing companies, EHR vendors, cloud hosting providers, analytics firms, transcription services, B2B SaaS tools, and increasingly AI vendors that process clinical or claims data.

The BAA is the legal bridge between them. It says, in effect: “We are handing you regulated health data. Here are the only things you may do with it, the protections you must apply, and what happens if something goes wrong.”

Importantly, the BAA isn’t the only thing holding you accountable. Since the 2013 Omnibus Rule implemented the HITECH Act, the HIPAA Security Rule and a defined set of Privacy Rule provisions apply directly to business associates. The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), can enforce those requirements against a business associate directly — including the duty to safeguard ePHI, to report breaches, and to enter into BAAs with subcontractors. The BAA doesn’t conjure your obligations out of thin air; it documents and assigns them. But once you handle PHI, you’re on the hook whether or not your client does everything right.

Who needs to sign a BAA?

You need a BAA whenever PHI moves between two parties and at least one of them is handling it on behalf of a covered entity. Three common scenarios:

  1. Covered entity to business associate. A clinic hires your SaaS to schedule patients or process claims. You’re the business associate. You sign a BAA with the clinic.
  2. Business associate to subcontractor. You, the business associate, use a cloud provider, a sub-processor, or an email/SMS vendor that will touch PHI. You must have a BAA with them. HIPAA pushes obligations all the way down the chain, so subcontractors that handle PHI are themselves business associates.
  3. Two covered entities exchanging PHI for treatment, payment, or operations generally do not need a BAA for that specific exchange, because they’re acting as principals, not on each other’s behalf.

A frequent mistake: assuming a vendor doesn’t need a BAA because it “doesn’t look at” the data. The conduit exception is narrow — it covers transmission-only services with transient access to PHI, like the postal service or an ISP. A vendor that stores PHI, even encrypted, generally needs a BAA. Cloud hosting providers are the classic example: HHS guidance treats a cloud provider as a business associate even when it stores only encrypted ePHI and holds no decryption key, because it maintains the data and has more than transient access.

If you’re a small practice trying to figure out which vendors require agreements, our HIPAA compliance checklist and guide to HIPAA for small medical practices walk through the vendor inventory step in more detail.

What a BAA must contain

HIPAA specifies required elements for a compliant business associate agreement at 45 CFR 164.504(e). While the exact wording varies, a valid BAA generally must:

  • Describe the permitted uses and disclosures of PHI. The business associate may use or disclose PHI only as the contract and HIPAA allow, and not for its own unrelated purposes.
  • Prohibit further use or disclosure except as permitted by the agreement or required by law.
  • Require appropriate safeguards — administrative, physical, and technical controls consistent with the HIPAA Security Rule — to protect electronic PHI.
  • Require breach and incident reporting. The business associate must report to the covered entity any use or disclosure not permitted by the agreement, including breaches of unsecured PHI, as well as security incidents involving ePHI. The Breach Notification Rule (45 CFR 164.410) sets the outer limit: notice without unreasonable delay and no later than 60 calendar days after discovery. Most BAAs shorten that window considerably, so the specific deadline is something you negotiate.
  • Flow down obligations to subcontractors. Any subcontractor that creates, receives, maintains, or transmits PHI on your behalf must agree in writing to the same restrictions and conditions that apply to you.
  • Provide for access, amendment, and accounting so the covered entity can meet individuals’ rights under the Privacy Rule.
  • Make records available to HHS for purposes of determining compliance.
  • Address return or destruction of PHI at contract termination, where feasible. Where return or destruction isn’t feasible, the agreement must extend its protections to the retained PHI and limit further use to the purposes that make return infeasible.
  • Permit termination by the covered entity if the business associate materially violates the agreement.

Clauses to read carefully before you sign

Beyond the HIPAA minimums, real-world BAAs often add terms with real cost implications. Watch for:

  • Breach notification windows. HIPAA only sets the ceiling (notice to the covered entity without unreasonable delay and no later than 60 days after discovery), so clients set a tighter contractual deadline, commonly notice within 24, 48, or 72 hours of discovery. Make sure your incident response process can actually meet whatever you sign, including the time it takes to confirm that an incident involves PHI at all.
  • Indemnification and liability caps. These are negotiable business terms, not HIPAA requirements. A BAA that makes you indemnify the covered entity for their misconduct, or that strips your liability cap entirely, deserves legal review.
  • Audit and assessment rights. Some clients reserve the right to audit you on short notice. Understand the scope before agreeing.
  • Insurance requirements. Many BAAs now require cyber liability coverage at specified limits.

A BAA is a contract. You can redline it. Don’t treat the version your client sends as non-negotiable, especially the indemnity and liability sections.

How small vendors manage BAAs without a legal team

For an SMB or startup, the operational challenge isn’t understanding one BAA — it’s handling dozens of slightly different ones from different clients, plus the BAAs you owe your own subcontractors, and proving to each customer that you actually do what you promised.

A few practices that scale:

Keep a signed-BAA register. Track every BAA you’ve signed (inbound from clients and outbound to subcontractors), with effective dates, breach-notice windows, and termination and data-destruction obligations. When a contract ends, that register tells you what PHI you must return or destroy.

Standardize your own BAA template. If you’re large enough that clients sign your paper, a clean, HIPAA-compliant template you offer up front shortens sales cycles. Buyers’ security teams move faster when your terms are reasonable and ready.

Treat subcontractor BAAs as part of vendor risk. Every sub-processor that touches PHI needs a BAA and should be tracked in your vendor risk program. If a downstream vendor causes a breach, you’re still accountable to your client.
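The register and the subcontractor flow-down described above are easy to keep in a spreadsheet but hard to keep consistent. The following added example (not part of the original page or any product it mentions) is a minimal Python register that computes the notification deadline for a breach under a given BAA, flags any BAA whose contractual window exceeds the 60-day regulatory ceiling, flags subcontractor BAAs that give the subcontractor longer to notify you than your tightest client window gives you to notify the client, and lists return-or-destroy obligations on terminated contracts. The counterparties, dates, and windows are constructed sample data; the flow-down check is a practical consistency test, not a legal rule.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# 45 CFR 164.410(b): a business associate must notify the covered entity of a
# breach of unsecured PHI without unreasonable delay and no later than 60
# calendar days after discovery. A BAA may shorten this window, never lengthen it.
HIPAA_CEILING_HOURS = 60 * 24


@dataclass
class Baa:
    counterparty: str
    direction: str              # "inbound": a client's BAA we signed; "outbound": our BAA with a subcontractor
    effective: date
    notice_hours: int           # hours after discovery within which the data handler must give notice
    return_or_destroy: bool     # PHI must be returned/destroyed at termination (else protections extend)
    terminated: Optional[date] = None


def notification_deadline(baa: Baa, discovered: datetime) -> datetime:
    """Latest time to notify the counterparty for a breach discovered at `discovered`.

    Uses the shorter of the contractual window and the regulatory ceiling, so a
    mis-drafted BAA with a window longer than 60 days still yields a lawful deadline.
    """
    hours = min(baa.notice_hours, HIPAA_CEILING_HOURS)
    return discovered + timedelta(hours=hours)


def deadline_iso(register: List[Baa], counterparty: str, discovered_iso: str) -> str:
    """Convenience wrapper: look up a BAA by counterparty and return the deadline as ISO 8601."""
    baa = next(b for b in register if b.counterparty == counterparty)
    return notification_deadline(baa, datetime.fromisoformat(discovered_iso)).isoformat()


def over_ceiling(register: List[Baa]) -> List[str]:
    """BAAs whose notice window exceeds the 60-day ceiling: a drafting error to fix, not to rely on."""
    return [b.counterparty for b in register if b.notice_hours > HIPAA_CEILING_HOURS]


def flowdown_gaps(register: List[Baa]) -> List[Tuple[str, int, int]]:
    """Active subcontractor BAAs whose notice window is longer than our tightest active client window.

    If a client expects notice 48 hours after we discover a breach but a subcontractor
    may take 120 hours to tell us about one on its side, we will learn late and explain late.
    Returns (subcontractor, its_hours, tightest_inbound_hours).
    """
    active = [b for b in register if b.terminated is None]
    inbound = [b.notice_hours for b in active if b.direction == "inbound"]
    if not inbound:
        return []
    tightest = min(inbound)
    return [(b.counterparty, b.notice_hours, tightest)
            for b in active if b.direction == "outbound" and b.notice_hours > tightest]


def open_return_obligations(register: List[Baa]) -> List[str]:
    """Terminated BAAs with a return-or-destroy clause: PHI we still owe back or must destroy."""
    return [b.counterparty for b in register if b.terminated is not None and b.return_or_destroy]


# Constructed sample register: fictitious counterparties, dates, and windows.
REGISTER = [
    Baa("Northside Clinic", "inbound", date(2024, 1, 15), 48, True),
    Baa("Valley Health Plan", "inbound", date(2023, 6, 1), 72, True, terminated=date(2024, 5, 31)),
    Baa("cloud-hosting-provider", "outbound", date(2024, 1, 10), 24, True),
    Baa("sms-gateway-vendor", "outbound", date(2024, 2, 1), 120, False),
    Baa("legacy-transcription-vendor", "outbound", date(2022, 9, 1), 2000, True),  # > 60 days: mis-drafted
]

if __name__ == "__main__":
    print("over ceiling:", over_ceiling(REGISTER))
    print("flow-down gaps:", flowdown_gaps(REGISTER))
    print("return/destroy owed:", open_return_obligations(REGISTER))
    print("Northside deadline:", deadline_iso(REGISTER, "Northside Clinic", "2024-03-01T09:00:00+00:00"))
```

The flow-down check only compares active agreements, so a terminated client contract no longer drives your subcontractor windows, while its return-or-destroy obligation still shows up until you close it out. The ceiling check exists because a subcontractor BAA that grants more than 60 days is not a longer deadline you can use; the regulation binds the subcontractor regardless, and the clause should be corrected.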

Back the BAA with real controls. Signing a BAA is a promise to implement HIPAA Security Rule safeguards. The supporting work — your HIPAA Security Risk Assessment, access controls, encryption, audit logging, and incident response — is what makes the promise true. Many healthcare buyers will also ask for a SOC 2 report alongside the BAA as independent proof.

Document, don’t improvise. When a client’s security team asks how you safeguard PHI, you want evidence ready, not a scramble. A maintained Trust Center and current policies turn a multi-week questionnaire exchange into a link.

A short checklist before signing any BAA

  • Confirm PHI is actually involved and you genuinely need the agreement.
  • Read the breach-notification window and verify you can meet it.
  • Identify every subcontractor that will touch the data and confirm you have BAAs with them.
  • Review indemnification, liability caps, and insurance requirements — these are negotiable.
  • Note return and destruction obligations at termination, and log them in your register.
  • Make sure the underlying safeguards you’re promising actually exist.

Conclusion

A business associate agreement is more than a signature on a contract — it’s a commitment to handle protected health information the way HIPAA requires, backed by safeguards you can prove. For vendors selling into healthcare, the BAA is both a sales gate and an ongoing obligation. Get the agreement right, track it, and make sure the security controls behind it are real and maintained.

That last part — turning signed promises into demonstrable, continuously monitored controls — is where most small teams struggle. Forteri is a multi-framework compliance platform (HIPAA, SOC 2, ISO 27001, and more) built for SMBs and startups priced out of enterprise tools. It helps you manage policies, monitor controls, and track vendors and subcontractor BAAs in one place — so the BAA you sign reflects what you actually do.

Frequently asked questions

Do I need a BAA if my software never decrypts the PHI it stores?

Usually yes. HHS guidance treats cloud and hosting providers as business associates even when the data is encrypted and they hold no decryption key, because they maintain PHI and have more than transient access to it. The narrow ‘conduit’ exception applies only to pure transmission services, not storage.

Who is responsible if a subcontractor causes a breach?

Both can be liable. HIPAA flows obligations down the chain, so your subcontractor is itself a business associate and directly accountable to OCR. But you also remain responsible to your covered-entity client under your BAA, which is why you need signed BAAs with every subcontractor that touches PHI.

Can I negotiate the terms of a BAA?

Yes. The HIPAA-required elements are fixed, but business terms like the breach-notification window (anywhere inside the 60-day regulatory ceiling), indemnification, liability caps, audit rights, and insurance requirements are negotiable. Have counsel review the indemnity and liability clauses before signing your client’s template.

Is a BAA the same as being HIPAA compliant?

No. A signed BAA is a contractual promise to apply HIPAA safeguards, but compliance requires actually implementing them: a security risk assessment, access controls, encryption, audit logging, incident response, and workforce training. The BAA documents the obligation; the controls fulfill it.

When does the BAA need to be signed?

Before any PHI is shared. Under the Privacy Rule, a covered entity may disclose PHI to a business associate only after obtaining satisfactory assurances — typically the signed BAA — so the agreement should be executed before onboarding, integration, or any data transfer begins.

Compliance shouldn’t cost a full-time salary

Forteri gives SMBs the multi-framework automation enterprises pay 10× for — policies, evidence collection, monitoring, and audit support in one place.
