Comparison · Privacy

BAA vs DPA (data processing agreement)

A Business Associate Agreement is the HIPAA-required contract between a covered entity and a vendor handling PHI. A Data Processing Agreement is the GDPR-required contract between a controller and processor of EU personal data.

Last reviewed May 24, 2026

Side by side

Option A

Business Associate Agreement (BAA)

HIPAA-required written contract between a covered entity (or upstream BA) and a vendor handling PHI on its behalf. Specifies permitted uses, safeguards, and breach reporting.

45 CFR 164.504(e)
  • Required by 45 CFR 164.504(e).
  • Must address use/disclosure limits, safeguards, subcontractor BAAs, breach reporting, and return/destruction of PHI.
Option B

Data Processing Agreement (DPA)

GDPR-required written contract between a controller and processor of personal data of individuals in the EU. Specifies processing scope, technical and organizational measures, and subprocessor terms.

GDPR Art. 28
  • Required by GDPR Article 28.
  • Applies whenever a vendor processes EU personal data on behalf of a controller.
  • Often includes Standard Contractual Clauses for international transfer.
Legal regime
BAAHIPAA (US)
DPAGDPR (EU)
Data scope
BAAProtected Health Information
DPAPersonal data of individuals in the EU
Required content
BAAUse/disclosure limits, safeguards, subcontractor BAAs, breach reporting, return of PHI
DPAProcessing scope, technical/organizational measures, subprocessor terms, controller audit rights
Both can apply
BAAYes — a US health entity with EU patient data may need both
DPAYes — a single vendor relationship may need a BAA plus a DPA with SCCs

When to use Business Associate Agreement (BAA)

  • Contracting with a vendor that creates, receives, maintains, or transmits PHI — BAA required before sharing data.

When to use Data Processing Agreement (DPA)

  • Contracting with a processor handling personal data of EU individuals — DPA required.
  • Practice that treats EU patients (telehealth across borders) — DPA may apply in addition to BAA.

Common mistakes

  • Assuming a SaaS vendor's DPA covers HIPAA obligations — it usually does not; you still need a separate BAA.
  • Signing only a BAA when EU data is also processed.
  • Allowing a vendor to use PHI for general product improvement (e.g., model training) — BAA must restrict use.

Sources

Take it into the workspace

Track vendor BAAs in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.