HIPAA & Privacy

BAA (Business Associate Agreement)

Business Associate Agreement

A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.

1 min read · Last reviewed May 23, 2026

At a glance

Category
HIPAA & Privacy
Acronym for
Business Associate Agreement
Primary sources
3
Workspace handoff
templates

Where this comes up

Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.

Full definition

What it is in practice

A Business Associate Agreement extends HIPAA obligations to vendors that touch PHI. 45 CFR 164.504(e) specifies the contract terms that must appear: scope of permitted uses, safeguards, subcontractor flow-down, breach reporting, and termination.

How it shows up in your practice

If a vendor stores chart data, sends appointment reminders, hosts your EHR, processes claims, or even ships paper shredding off-site with patient labels, you need a BAA on file before they receive PHI. Cloud storage providers (e.g., Microsoft 365, Google Workspace) sign HIPAA BAAs only on specific business plans — not the consumer tier. Keep your BAA inventory current; OCR settlements regularly cite missing or stale BAAs.

Sources

Take it into the workspace

Use the BAA template in the Templates engine

Open templates
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.