In 2024, OCR settled with a New England dermatology practice for $300,000 after an investigation revealed it had allowed a business associate to access protected health information without a compliant agreement in place. The practice had worked with the vendor for years — but never executed the business associate agreement HIPAA requires under 45 CFR §164.502(e). It's a mistake I see covered entities make repeatedly, and the financial consequences keep escalating.

What the HIPAA Business Associate Agreement Rules Actually Require

The HIPAA Privacy Rule mandates that a covered entity may not disclose PHI to a business associate, and may not allow a business associate to create, receive, maintain, or transmit PHI on its behalf, unless a written business associate agreement (BAA) is in place. This requirement is codified at 45 CFR §164.502(e) and §164.504(e).

A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involve access to protected health information. Common examples include billing companies, cloud hosting providers, EHR vendors, shredding services, and IT consultants. If they touch PHI, they need a BAA — no exceptions.

The Omnibus Rule of 2013 expanded this further by making business associates directly liable for compliance with certain provisions of the HIPAA Security Rule and Privacy Rule. Your business associate can now be independently penalized by OCR, but that does not relieve your organization of responsibility for having the agreement in place.

Mandatory Clauses Every BAA Must Contain

The regulatory text at 45 CFR §164.504(e)(2) specifies the provisions a business associate agreement must contain to satisfy HIPAA. In my work with covered entities, I find many organizations use outdated templates that miss critical provisions. Here's what must be included:

  • Permitted uses and disclosures: The BAA must establish specifically what the business associate is authorized to do with PHI, consistent with the minimum necessary standard.
  • Safeguards requirement: The agreement must require the business associate to use appropriate safeguards — including implementing the Security Rule's administrative, physical, and technical safeguards — to prevent unauthorized use or disclosure.
  • Reporting obligations: The business associate must agree to report any security incident or breach of unsecured PHI to the covered entity without unreasonable delay.
  • Subcontractor flow-down: If the business associate uses subcontractors who will access PHI, the BAA must require the business associate to execute compliant agreements with those subcontractors.
  • Individual rights access: The agreement must ensure the business associate will make PHI available to satisfy an individual's right of access under 45 CFR §164.524.
  • Termination provisions: The BAA must authorize the covered entity to terminate the contract if the business associate violates a material term of the agreement.
  • Return or destruction of PHI: Upon termination, the business associate must return or destroy all PHI — or, if not feasible, extend the protections of the agreement indefinitely.

The Enforcement Gap That Puts Covered Entities at Risk

OCR's enforcement actions consistently reveal two patterns with business associate agreements. First, many organizations simply don't have them. Second, organizations that do have them often fail to update agreements after regulatory changes or when the scope of services changes.

Between 2019 and 2024, OCR resolved dozens of cases involving BAA failures, with penalties ranging from $50,000 to over $4 million. The agency has made clear that a missing or deficient BAA is one of the first things investigators examine during a breach investigation or compliance audit.

Healthcare organizations consistently struggle with vendor inventory management. You can't execute a BAA if you don't know who your business associates are. I strongly recommend maintaining a centralized vendor register that maps every third party to the PHI they access, the BAA execution date, and the next review date.

Conducting a Risk Analysis of Your Business Associate Relationships

Your HIPAA risk analysis — required under the Security Rule at 45 CFR §164.308(a)(1)(ii)(A) — must account for risks introduced by business associates. A BAA alone does not constitute adequate risk management. Your organization must verify that business associates are actually implementing the safeguards they've contractually committed to.

Practical steps include requesting evidence of the business associate's own risk analysis, reviewing their security policies, and including audit rights in your BAA. Some covered entities conduct annual vendor security assessments; others require business associates to provide SOC 2 reports or HITRUST certifications.

Don't Forget Your Notice of Privacy Practices

Your Notice of Privacy Practices must accurately describe how your organization uses and discloses PHI, including disclosures to business associates. If your vendor relationships change materially, your notice may need updating. This is a detail many compliance officers overlook until an OCR investigation forces the issue.

Workforce Training on Business Associate Requirements

A BAA is only as strong as your workforce's understanding of it. Staff members who manage vendor relationships, process invoices, or share PHI with third parties must understand when a BAA is required, what constitutes a HIPAA violation related to business associates, and how to escalate concerns about vendor non-compliance.

Investing in comprehensive HIPAA training and certification ensures that your team can identify business associate relationships before PHI is ever shared. This is especially critical for procurement teams and department managers who may engage vendors without involving the compliance office.

If your organization hasn't reviewed its workforce training program recently, HIPAA Certify's workforce compliance platform provides structured training modules that cover business associate obligations, breach notification procedures, and the minimum necessary standard — all aligned to current regulatory expectations.

Five Steps to Strengthen Your BAA Program Today

Based on enforcement trends and my experience advising covered entities, here are five immediate actions your organization should take:

  • Audit your vendor inventory. Identify every entity that creates, receives, maintains, or transmits PHI on your behalf.
  • Review every existing BAA. Confirm each agreement includes all clauses required under 45 CFR §164.504(e) and reflects post-Omnibus Rule requirements.
  • Close gaps immediately. If any business associate relationship lacks a compliant agreement, execute one before another day of PHI exchange occurs.
  • Establish a review cadence. BAAs should be reviewed at least annually and whenever the scope of services changes.
  • Document everything. OCR expects to see evidence that your organization took reasonable steps to ensure BAA compliance. Maintain records of execution dates, review dates, and any corrective actions taken with non-compliant vendors.

A compliant HIPAA business associate agreement program isn't optional — it's one of the foundational obligations for every covered entity. The organizations that treat BAAs as a living compliance function, rather than a one-time paperwork exercise, are the ones that avoid the enforcement actions and breach consequences that continue to make headlines.