BAA vs DPA (data processing agreement)
A Business Associate Agreement is the HIPAA-required contract between a covered entity and a vendor handling PHI. A Data Processing Agreement is the GDPR-required contract between a controller and processor of EU personal data.
Last reviewed May 24, 2026
Side by side
Business Associate Agreement (BAA)
HIPAA-required written contract between a covered entity (or upstream BA) and a vendor handling PHI on its behalf. Specifies permitted uses, safeguards, and breach reporting.
45 CFR 164.504(e)- Required by 45 CFR 164.504(e).
- Must address use/disclosure limits, safeguards, subcontractor BAAs, breach reporting, and return/destruction of PHI.
Data Processing Agreement (DPA)
GDPR-required written contract between a controller and processor of personal data of individuals in the EU. Specifies processing scope, technical and organizational measures, and subprocessor terms.
GDPR Art. 28- Required by GDPR Article 28.
- Applies whenever a vendor processes EU personal data on behalf of a controller.
- Often includes Standard Contractual Clauses for international transfer.
When to use Business Associate Agreement (BAA)
- Contracting with a vendor that creates, receives, maintains, or transmits PHI — BAA required before sharing data.
When to use Data Processing Agreement (DPA)
- Contracting with a processor handling personal data of EU individuals — DPA required.
- Practice that treats EU patients (telehealth across borders) — DPA may apply in addition to BAA.
Common mistakes
- Assuming a SaaS vendor's DPA covers HIPAA obligations — it usually does not; you still need a separate BAA.
- Signing only a BAA when EU data is also processed.
- Allowing a vendor to use PHI for general product improvement (e.g., model training) — BAA must restrict use.
Sources
- HHS — Business Associate Contracts (45 CFR 164.504(e))https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- EUR-Lex — GDPR Article 28https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
Related
Track vendor BAAs in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.