HIPAA · BAAs

Business Associate Agreements, actually explained.

A Business Associate Agreement (BAA) is the HIPAA-required contract between a Covered Entity (a healthcare provider, health plan, or clearinghouse) and any organization that processes electronic Protected Health Information (ePHI) on its behalf. It makes the service provider directly accountable to HHS for protecting ePHI, not just contractually accountable to the customer.

What a BAA is

A Business Associate Agreement (BAA) is a written contract HIPAA requires between two parties when one of them processes electronic Protected Health Information (ePHI) on behalf of the other. It's the legal mechanism that makes a service provider — your SaaS company, say — accountable directly to HHS for protecting ePHI, not just contractually accountable to the customer that hired you.

Without a signed BAA, the Covered Entity (your healthcare-industry customer) is in violation of HIPAA the moment they send you ePHI. So are you, since you've now become a Business Associate who's processing ePHI without authorization.

Plain-English version: BAA = the paperwork that says "yes, we both know there's regulated health data flowing between us, and here's exactly what each side is required to do about it."

When you need one

You need a BAA before you create, receive, maintain, or transmit ePHI on behalf of a Covered Entity. "Before" is important — if you're already processing ePHI without one, the breach has technically already happened.

You're a Business Associate if you do any of these on behalf of a Covered Entity:

You're not a Business Associate if:

What HIPAA requires the BAA to contain

HHS publishes sample BAA provisions that cover the required clauses. At minimum, the BAA must:

  1. Define permitted uses and disclosures of ePHI by the Business Associate. The BA can't do anything with the ePHI that isn't explicitly authorized.
  2. Require safeguards consistent with the HIPAA Security Rule (administrative, physical, technical).
  3. Require BAA flow-down to subcontractors — every downstream processor that touches the ePHI must also sign a BAA with the Business Associate.
  4. Require breach notification from BA to Covered Entity within an agreed timeframe (usually 24-72 hours; HIPAA says "without unreasonable delay").
  5. Require BA to make ePHI available for the Covered Entity to fulfill individual access requests, amendments, and accountings of disclosure.
  6. Permit HHS audits of the BA's HIPAA practices and policies.
  7. Require ePHI return or destruction on contract termination, where feasible.
  8. Authorize Covered Entity to terminate the contract for material BA breach.

Subprocessor BAAs (BAA flow-down)

Your BAA with your customer means you're accountable for ePHI. Every subprocessor you use that touches that ePHI must have a BAA with you. The good news: most major cloud and SaaS vendors offer BAAs. The bad news: you have to actively request and sign each one — they're not part of the default Terms of Service.

Vendors that offer BAAs (request, then sign)

Vendors that don't offer BAAs

If a vendor doesn't offer a BAA, you can't send them ePHI. Common gotchas: free-tier analytics tools (Google Analytics free tier, Mixpanel free tier, etc.), most consumer-grade email providers, generic Slack/Notion accounts.

BAA vs DPA vs MSA

AgreementRegulationCoversRequired when
BAAHIPAA (US)ePHIProcessing ePHI for a Covered Entity
DPAGDPR (EU)Personal data of EU residentsProcessing EU personal data for a controller
MSACommercialThe overall vendor relationshipDefault vendor contract — BAA and DPA layer on top
SCCsGDPREU→non-EU data transfersTransferring EU data outside the EEA

Managing BAAs at scale

One BAA is paperwork. Twenty BAAs is a compliance program. Things that go wrong:

What works:

  1. Single source of truth for every BAA: customer name, BAA effective + expiration date, the signed PDF, deviation from your standard template, notification window, audit rights granted.
  2. Subprocessor inventory with the corresponding BAA reference + HIPAA-eligibility documentation. Reviewed before any new tool is procured.
  3. Calendar reminders 90 days before BAA expiration. Renewals usually take 4-8 weeks of legal back-and-forth.
  4. Public subprocessor page kept current. Notify customers before changes per BAA terms.
LukaGRC tracks all of the above by default — BAA inventory with expiration alerts, subprocessor management with HIPAA-eligibility flags, and an audit log of every BAA-related change. Try it.

Frequently asked questions

Do I need a BAA?

If your SaaS creates, receives, maintains, or transmits ePHI for a Covered Entity — yes. If you only handle de-identified data, generally no. When in doubt, sign one — overcompliance is cheap, breach penalties aren't.

Who signs the BAA?

Two parties: the Covered Entity (or upstream Business Associate) and you. If you have downstream subprocessors that touch ePHI, you also sign a BAA with each of them.

What's the difference between a BAA and a DPA?

A DPA is a GDPR document covering personal data of EU residents. A BAA is a HIPAA document covering ePHI of US individuals. Different regulations, different data sets — many enterprise contracts include both.

Can I use a template BAA?

For low-risk processing, yes — HHS publishes sample provisions. Once you have a meaningful book of healthcare customers, get counsel to review and tailor.

What happens if I process ePHI without a BAA?

Both you and your customer are in HIPAA violation. Civil penalties scale by culpability tier — willful neglect uncorrected tops out at $1.5M per violation category per year. Your customer will also terminate immediately because they're equally exposed.

Track every BAA without spreadsheets.

LukaGRC keeps your BAA inventory, subprocessor list, and expiration calendar in one place — and ties it to the underlying HIPAA controls and evidence.

Start your free trial →