What a BAA is
A Business Associate Agreement (BAA) is a written contract HIPAA requires between two parties when one of them processes electronic Protected Health Information (ePHI) on behalf of the other. It's the legal mechanism that makes a service provider — your SaaS company, say — accountable directly to HHS for protecting ePHI, not just contractually accountable to the customer that hired you.
Without a signed BAA, the Covered Entity (your healthcare-industry customer) is in violation of HIPAA the moment they send you ePHI. So are you, since you've now become a Business Associate who's processing ePHI without authorization.
When you need one
You need a BAA before you create, receive, maintain, or transmit ePHI on behalf of a Covered Entity. "Before" is important — if you're already processing ePHI without one, the breach has technically already happened.
You're a Business Associate if you do any of these on behalf of a Covered Entity:
- Host, store, or transmit ePHI (cloud storage, databases, message queues, backups)
- Process ePHI (analytics, ML features, billing, claims processing, scheduling)
- Provide IT support that gives you incidental access to ePHI
- Provide legal, accounting, consulting, or financial services that involve ePHI
You're not a Business Associate if:
- You only handle truly de-identified data (HHS Safe Harbor or Expert Determination methods)
- You're a "conduit" — a network/telecom that only transmits ePHI without persistent access (this exception is narrower than people think; cloud storage doesn't qualify)
- Your service is sold direct-to-consumer and the patient/individual is your customer, not a Covered Entity
What HIPAA requires the BAA to contain
HHS publishes sample BAA provisions that cover the required clauses. At minimum, the BAA must:
- Define permitted uses and disclosures of ePHI by the Business Associate. The BA can't do anything with the ePHI that isn't explicitly authorized.
- Require safeguards consistent with the HIPAA Security Rule (administrative, physical, technical).
- Require BAA flow-down to subcontractors — every downstream processor that touches the ePHI must also sign a BAA with the Business Associate.
- Require breach notification from BA to Covered Entity within an agreed timeframe (usually 24-72 hours; HIPAA says "without unreasonable delay").
- Require BA to make ePHI available for the Covered Entity to fulfill individual access requests, amendments, and accountings of disclosure.
- Permit HHS audits of the BA's HIPAA practices and policies.
- Require ePHI return or destruction on contract termination, where feasible.
- Authorize Covered Entity to terminate the contract for material BA breach.
Subprocessor BAAs (BAA flow-down)
Your BAA with your customer means you're accountable for ePHI. Every subprocessor you use that touches that ePHI must have a BAA with you. The good news: most major cloud and SaaS vendors offer BAAs. The bad news: you have to actively request and sign each one — they're not part of the default Terms of Service.
Vendors that offer BAAs (request, then sign)
- AWS — request via AWS Artifact, then enable HIPAA-eligible services per the BAA's covered-services list
- Google Cloud — request via Cloud Console → Support → BAA
- Microsoft Azure — included with most enterprise agreements via Online Services Terms
- Datadog, Sentry, Splunk — request via sales for the BAA addendum on the appropriate tier
- Stripe — Stripe Treasury and Stripe Identity offer BAAs for healthcare use cases
- SendGrid (Twilio) — Email API with BAA via the HIPAA-eligible plan
- Postmark, Mailgun — both offer BAAs on request
- Snowflake, BigQuery — HIPAA-eligible with the appropriate BAA
Vendors that don't offer BAAs
If a vendor doesn't offer a BAA, you can't send them ePHI. Common gotchas: free-tier analytics tools (Google Analytics free tier, Mixpanel free tier, etc.), most consumer-grade email providers, generic Slack/Notion accounts.
BAA vs DPA vs MSA
| Agreement | Regulation | Covers | Required when |
|---|---|---|---|
| BAA | HIPAA (US) | ePHI | Processing ePHI for a Covered Entity |
| DPA | GDPR (EU) | Personal data of EU residents | Processing EU personal data for a controller |
| MSA | Commercial | The overall vendor relationship | Default vendor contract — BAA and DPA layer on top |
| SCCs | GDPR | EU→non-EU data transfers | Transferring EU data outside the EEA |
Managing BAAs at scale
One BAA is paperwork. Twenty BAAs is a compliance program. Things that go wrong:
- Expirations sneak up. Most BAAs auto-renew, but some don't. An expired BAA on a major customer = sales-blocking incident.
- Subprocessor changes invalidate flow-down. You added a new analytics tool last quarter; nobody checked whether it can handle ePHI under your existing BAAs.
- Different customers want different terms. You'll end up tracking variant BAA terms (notification windows, audit rights, indemnification caps) per customer.
- Subprocessor list drift. Your published subprocessor list says one thing; engineering started using a new tool that touches data; the BAA addendum requires notification before adding subprocessors.
What works:
- Single source of truth for every BAA: customer name, BAA effective + expiration date, the signed PDF, deviation from your standard template, notification window, audit rights granted.
- Subprocessor inventory with the corresponding BAA reference + HIPAA-eligibility documentation. Reviewed before any new tool is procured.
- Calendar reminders 90 days before BAA expiration. Renewals usually take 4-8 weeks of legal back-and-forth.
- Public subprocessor page kept current. Notify customers before changes per BAA terms.
Frequently asked questions
Do I need a BAA?
If your SaaS creates, receives, maintains, or transmits ePHI for a Covered Entity — yes. If you only handle de-identified data, generally no. When in doubt, sign one — overcompliance is cheap, breach penalties aren't.
Who signs the BAA?
Two parties: the Covered Entity (or upstream Business Associate) and you. If you have downstream subprocessors that touch ePHI, you also sign a BAA with each of them.
What's the difference between a BAA and a DPA?
A DPA is a GDPR document covering personal data of EU residents. A BAA is a HIPAA document covering ePHI of US individuals. Different regulations, different data sets — many enterprise contracts include both.
Can I use a template BAA?
For low-risk processing, yes — HHS publishes sample provisions. Once you have a meaningful book of healthcare customers, get counsel to review and tailor.
What happens if I process ePHI without a BAA?
Both you and your customer are in HIPAA violation. Civil penalties scale by culpability tier — willful neglect uncorrected tops out at $1.5M per violation category per year. Your customer will also terminate immediately because they're equally exposed.