What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity (or a business associate) and any vendor that creates, receives, maintains, or transmits protected health information on its behalf. The BAA spells out how the vendor will safeguard PHI, report breaches, return or destroy data when the contract ends, and bind subcontractors to the same standards. Without a signed BAA, the covered entity is out of compliance the moment PHI touches the vendor's system.
What a BAA Is For
HIPAA covered entities (hospitals, clinics, health plans, billing companies) often hand patient data to outside vendors. A cloud storage provider, a payment processor, a contact center, a transcription service, an analytics platform: any of these can end up handling protected health information (PHI). HIPAA doesn't ban this. But it requires that the vendor accept the same legal obligations the covered entity has.
The BAA is how that obligation gets transferred. It's a contract that binds the vendor (the "business associate") to specific HIPAA Security Rule and Privacy Rule requirements. Since the 2013 Omnibus Rule, business associates are also directly liable under HIPAA, so the HHS Office for Civil Rights (OCR) can act against the vendor itself if PHI gets mishandled, not only against the covered entity that hired it.
Who Needs One
You need a BAA between any covered entity and any business associate. You also need a BAA between a business associate and any of its subcontractors that touch PHI. The chain runs all the way down.
Typical business associates include:
- Medical billing companies and revenue-cycle management vendors
- Payment processors that handle PHI alongside card data
- Cloud hosting and storage providers
- EHR and practice-management software vendors
- Contact centers and answering services
- Document shredding companies
- Lawyers and accountants who review PHI
- IT consultants with system access
- Transcription and translation services
What doesn't trigger a BAA: vendors who don't actually access PHI. A janitorial service that empties trash without seeing patient files isn't a business associate. A telecom carrier or ISP that only moves traffic from point to point, with at most transient access to the contents in transit, is treated as a conduit and doesn't need a BAA. The exception is narrow: it covers transmission, not storage.
Required Clauses
HIPAA's regulations spell out what a BAA has to contain. The required terms include:
- Permitted uses and disclosures: The BAA must describe exactly what the business associate is allowed to do with the PHI. Anything outside that scope is a violation.
- Safeguards: The business associate must agree to implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule.
- Reporting requirements: The business associate must report any use or disclosure of PHI not permitted by the BAA, plus any security incident or breach.
- Subcontractor flow-down: The business associate must ensure that any subcontractor it uses to handle PHI signs a BAA with the same protections.
- Access rights: The business associate must make PHI available to the covered entity (or directly to patients) as needed to comply with HIPAA's individual rights provisions.
- Amendment and accounting: The business associate must support the covered entity's obligations to amend PHI on patient request and account for disclosures.
- Return or destruction: When the BAA ends, the business associate must return or destroy all PHI, or extend protections if return or destruction isn't feasible.
- OCR access: The business associate must make its books and records available to HHS for compliance audits.
- Termination: The covered entity must be able to terminate the BAA if it determines the business associate has violated a material term. A cure period is customary in negotiated BAAs, but the regulation requires the termination right, not the cure period.
What Goes Wrong Without One
If a covered entity gives PHI to a vendor without a BAA, the covered entity is in immediate violation of HIPAA's Privacy Rule. The statutory penalty tiers start at $100 per violation and run to $50,000 per violation, capped at $1.5 million per identical violation per calendar year; OCR adjusts these base amounts for inflation each year, so the figures applied to a current enforcement action are higher.
OCR has issued seven-figure settlements against organizations that handed PHI to vendors without proper BAAs. The most common scenarios: storing PHI in cloud services without checking whether the provider would sign a BAA, using free email or file-sharing services for patient data, and engaging marketing or analytics vendors without locking down the data flow.
Subcontractor Flow-Down
This catches a lot of organizations off guard. If a billing company (business associate) hires a payment processor (subcontractor) that touches PHI, the billing company has to sign a BAA with the processor. The covered entity doesn't sign that BAA directly, but it has the right to expect the chain is intact.
If the billing company skips the BAA with its subcontractor, the billing company is in violation, and the covered entity may be too if it knew or should have known about the gap.
BAAs and Cloud Providers
Major cloud providers (AWS, Microsoft Azure, Google Cloud) all offer BAAs for their HIPAA-eligible services. But signing the BAA only covers data stored in the eligible services. If you put PHI into a non-eligible service in the same provider's stack, you're not covered.
This is a frequent mistake: organizations sign a cloud BAA and assume everything they do with that provider is HIPAA-safe. It isn't. Map your data flows and check each service against the provider's BAA scope.
BAA vs Service Contract
A BAA is a separate document from the underlying service contract, though it can be incorporated as an exhibit. The BAA addresses HIPAA-specific obligations. The service contract addresses commercial terms (price, SLA, support). Both need to exist, and they need to be consistent with each other.
For US healthcare clients, Paytia signs Business Associate Agreements where the engagement requires it. If a client's call recordings or payment workflows could expose PHI, the BAA gets signed before any production traffic hits our platform.
That said, the cleanest approach is to keep PHI out of payment infrastructure in the first place. Paytia's telephone payment solution is built so that card data is captured separately from the conversation. The agent stays on the line, the customer enters card details via DTMF tones that the agent never hears, and the recording captures flat tones instead of card digits. If your contact center workflow can also keep PHI out of the audio (or use IVR-based capture so the patient is talking to a system, not an agent), the HIPAA scope shrinks too.
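To make the masking idea above concrete, here is an added illustration of how DTMF tones can be found and flattened in a recording. It is example code written for this page, not Paytia's implementation: it uses the Goertzel algorithm to score each 25 ms frame against the eight DTMF frequencies, treats a frame as a keypress when one low-group and one high-group bin each carry a large share of the frame's energy, and overwrites those frames (plus one guard frame on either side, because a partial frame at the edge of a keypress can fall under the detection floor and leak a digit) with a flat 1 kHz tone. The "call" it runs on is constructed inline from pseudo-random noise and synthesized keypad tones; the frame size, thresholds and mask tone are assumptions chosen for the example.

```python
import math
import random

RATE = 8000          # telephony sample rate (assumed for the example)
FRAME = 205          # ~25 ms analysis block, the classic Goertzel DTMF block size
DTMF_LOW = (697, 770, 852, 941)
DTMF_HIGH = (1209, 1336, 1477, 1633)
DTMF_KEYS = ("123A", "456B", "789C", "*0#D")  # row = low tone, column = high tone
MASK_FREQ = 1000.0   # replacement tone sits between the DTMF groups, so it never decodes as a digit
MASK_AMP = 0.3


def goertzel_power(frame, freq, rate=RATE):
    """Squared magnitude of one frequency bin, computed with the Goertzel recurrence."""
    n = len(frame)
    k = round(n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame, rate=RATE):
    """Return the DTMF key present in a frame, or None.

    A bin counts as a tone when it holds at least 10% of the frame's energy
    (scaled by frame length). A clean dual tone puts roughly 25% into each of
    its two bins; speech or noise spreads energy thinly, well under 1% per bin.
    """
    energy = sum(x * x for x in frame)
    if energy == 0.0:
        return None
    floor = 0.1 * len(frame) * energy
    low = [goertzel_power(frame, f, rate) for f in DTMF_LOW]
    high = [goertzel_power(frame, f, rate) for f in DTMF_HIGH]
    row = max(range(4), key=low.__getitem__)
    col = max(range(4), key=high.__getitem__)
    if low[row] < floor or high[col] < floor:
        return None
    return DTMF_KEYS[row][col]


def mask_dtmf(samples, rate=RATE, guard_frames=1):
    """Replace keypad tones with a flat tone; return (masked_samples, digits_detected).

    Frames within `guard_frames` of a detected frame are masked too, so the
    partial frames at the start and end of a keypress cannot leak a digit.
    """
    frames = [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]
    hits = [detect_digit(f, rate) for f in frames]
    digits, prev = [], None
    for d in hits:                       # collapse consecutive frames of one keypress into one digit
        if d is not None and d != prev:
            digits.append(d)
        prev = d
    masked = list(samples)
    for i, d in enumerate(hits):
        if d is None:
            continue
        for j in range(max(0, i - guard_frames), min(len(frames), i + guard_frames + 1)):
            start = j * FRAME
            for t in range(start, min(start + FRAME, len(samples))):
                masked[t] = MASK_AMP * math.sin(2 * math.pi * MASK_FREQ * t / rate)
    return masked, digits


def dtmf_tone(key, seconds, rate=RATE, amp=0.45):
    """Synthesize the two-tone signal a phone keypad sends for `key`."""
    row = next(r for r, keys in enumerate(DTMF_KEYS) if key in keys)
    lo, hi = DTMF_LOW[row], DTMF_HIGH[DTMF_KEYS[row].index(key)]
    return [amp * math.sin(2 * math.pi * lo * t / rate) + amp * math.sin(2 * math.pi * hi * t / rate)
            for t in range(int(seconds * rate))]


def build_sample_call(keys="4111", seed=7, rate=RATE):
    """Constructed stand-in for a recording: pseudo-random 'speech' around keypad presses."""
    rng = random.Random(seed)

    def speech(seconds):
        return [rng.uniform(-0.3, 0.3) for _ in range(int(seconds * rate))]

    audio = speech(0.2)
    for k in keys:                       # 100 ms press, 60 ms gap, as a caller typing digits
        audio += dtmf_tone(k, 0.1, rate) + [0.0] * int(0.06 * rate)
    return audio + speech(0.2)


if __name__ == "__main__":
    call = build_sample_call()
    masked, digits = mask_dtmf(call)
    print("digits recoverable from the raw recording:", "".join(digits))
    print("digits recoverable after masking:", "".join(mask_dtmf(masked)[1]) or "(none)")
```

Running the script shows the point of the design: the raw audio yields the digits the caller typed, while the masked copy yields none, which is the property a recording has to have before it can sit outside PCI and HIPAA scope. A production masker would add a minimum-duration check (two or more consecutive frames) to reject speech that briefly resembles a tone, and would fail closed, dropping audio rather than passing it, if the detector errors.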
For healthcare-specific deployments where PHI does flow through Paytia, talk to us about IVR payment options and the BAA process. We've worked with US billing companies and providers and understand both the PCI and HIPAA sides.
Frequently Asked Questions
Who has to sign a BAA?
Any covered entity that gives PHI to a vendor, and any business associate that gives PHI to a subcontractor. The chain runs all the way down through every vendor that touches the data.
Is an NDA the same as a BAA?
No. An NDA protects confidential information generally. A BAA is a HIPAA-specific contract with required clauses about safeguards, breach reporting, subcontractor flow-down, and OCR audit rights. An NDA, however strong, does not satisfy the BAA requirement; a vendor handling PHI needs a BAA whether or not an NDA is also in place.
What if the vendor refuses to sign a BAA?
Then you can't give them PHI. If a vendor's service is essential and they won't sign, you have to either find an alternative or restructure the engagement so PHI never reaches them. Sending PHI to a vendor without a signed BAA puts you in immediate violation of HIPAA.
Do conduit services need a BAA?
No. The HIPAA conduit exception covers transmission services like telecom carriers and ISPs that move data without persistent access to its contents. Cloud storage providers don't qualify as conduits because they maintain the data rather than merely transmit it; under HHS guidance this holds even when the PHI is encrypted and the provider never holds the key.
See how Paytia handles business associate agreements
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide.