BAA (Business Associate Agreement)
Business Associate Agreement
A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Acronym for
- Business Associate Agreement
- Primary sources
- 3
- Workspace handoff
- templates →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
A Business Associate Agreement extends HIPAA obligations to vendors that touch PHI. 45 CFR 164.504(e) specifies the contract terms that must appear: scope of permitted uses, safeguards, subcontractor flow-down, breach reporting, and termination.
How it shows up in your practice
If a vendor stores chart data, sends appointment reminders, hosts your EHR, processes claims, or even ships paper shredding off-site with patient labels, you need a BAA on file before they receive PHI. Cloud storage providers (e.g., Microsoft 365, Google Workspace) sign HIPAA BAAs only on specific business plans — not the consumer tier. Keep your BAA inventory current; OCR settlements regularly cite missing or stale BAAs.
Sources
- 45 CFR 164.504 — Business associate contractshttps://www.ecfr.gov/current/title-45/section-164.504
- HHS — Sample BAA Provisionshttps://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- HHS — Business Associateshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Use the BAA template in the Templates engine
Open templates →Related terms
- HIPAA & PrivacyBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- HIPAA & PrivacyCovered EntityA health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA transaction.
- HIPAA & PrivacyHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
- HIPAA & PrivacySubcontractor Business AssociateA business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
- SecurityVendor Risk AssessmentThe process of evaluating a vendor's security and privacy posture before sharing PHI or granting system access.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- GlossarySubcontractor Business AssociateA business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
- GlossaryHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
- GlossaryVendor Risk AssessmentThe process of evaluating a vendor's security and privacy posture before sharing PHI or granting system access.
- RegulationHIPAA Business Associate Agreements (45 CFR 164.504(e))Required contract elements for any business associate that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
- ComplianceBusiness Associate Agreement Template (2026) + Counterparty TrackerA 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.