In 2024, OCR settled with a New England dermatology practice for $300,000 after discovering that protected health information had been disclosed to a vendor operating without a proper agreement in place. The vendor had access to patient scheduling data for over two years — and not a single signed document governed how that PHI could be used. If your organization shares any protected health information with an outside party, understanding what constitutes a valid HIPAA agreement isn't optional. It's a regulatory requirement with real financial consequences.
What Is a HIPAA Agreement — and Why People Search for "HIPPA Agreement"
Let's address the elephant in the room first. The term "HIPPA agreement" is one of the most common misspellings in healthcare compliance. The correct acronym is HIPAA — the Health Insurance Portability and Accountability Act. But whether you typed "HIPPA agreement" or "HIPAA agreement," the document you're looking for is almost certainly a Business Associate Agreement (BAA).
A BAA is a legally binding contract required under the HIPAA Privacy Rule (45 CFR § 164.502(e)) and the HIPAA Security Rule (45 CFR § 164.314). It governs the relationship between a covered entity — such as a hospital, clinic, or health plan — and any business associate that creates, receives, maintains, or transmits protected health information on the covered entity's behalf.
Without this HIPAA agreement in place, even routine data sharing becomes a potential HIPAA violation.
Who Must Sign a HIPAA Agreement Under Federal Law
The Omnibus Rule of 2013 dramatically expanded who qualifies as a business associate. Before Omnibus, subcontractors who handled PHI on behalf of a business associate existed in a regulatory gray area. That loophole closed permanently.
Today, your organization must execute a HIPAA agreement with any entity that performs functions involving PHI access, including:
- IT service providers and cloud hosting companies
- Medical billing and coding services
- Shredding and document destruction vendors
- Legal and accounting firms reviewing patient records
- EHR and practice management software vendors
- Answering services that handle patient calls
If a subcontractor of your business associate also touches PHI, that subcontractor needs its own BAA with the business associate. The chain of accountability doesn't end at your front door.
The Required Elements of a Valid HIPAA Agreement
OCR has made clear — through both enforcement actions and published guidance — that a vague or incomplete BAA offers no real protection. Under 45 CFR § 164.504(e), a valid HIPAA agreement must include specific provisions:
- Permitted uses and disclosures: The agreement must specify exactly how the business associate may use or disclose PHI, consistent with the minimum necessary standard.
- Safeguard requirements: The business associate must agree to implement appropriate administrative, physical, and technical safeguards to protect PHI.
- Breach reporting obligations: The agreement must require the business associate to report any breach of unsecured PHI to the covered entity without unreasonable delay — and no later than 60 days after discovery, per the Breach Notification Rule.
- Subcontractor accountability: The BAA must require the business associate to ensure that any subcontractors with PHI access agree to the same restrictions and conditions.
- Return or destruction of PHI: Upon termination of the agreement, the business associate must return or destroy all PHI, if feasible.
- Right to terminate: The covered entity must retain the right to terminate the contract if the business associate violates a material term of the agreement.
Omitting any of these elements puts your organization at risk during an OCR investigation or audit.
The Costly Mistake of Operating Without a HIPAA Agreement
Healthcare organizations consistently struggle with BAA management — particularly when vendor relationships predate their compliance programs. In my work with covered entities, I've seen organizations with 40+ vendors and fewer than half covered by a signed HIPAA agreement.
OCR has levied penalties ranging from $50,000 to over $4 million for BAA failures alone. In one high-profile case, Raleigh Orthopaedic Clinic paid $750,000 for providing a business associate with access to X-rays of over 17,000 patients without executing a BAA. The PHI wasn't even breached in the traditional sense — the mere absence of the agreement was the violation.
Penalties under 45 CFR § 160.404 are tiered based on the level of negligence, but "I didn't know we needed one" has never been an accepted defense.
How a Risk Analysis Connects to Your HIPAA Agreements
A thorough risk analysis — required under the Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) — should identify every point where PHI flows outside your organization. That inventory becomes your BAA checklist.
If your risk analysis doesn't account for third-party access to PHI, it's incomplete. And if it's incomplete, every HIPAA agreement gap becomes an unaddressed vulnerability that OCR will scrutinize.
Start by mapping your PHI data flows: who sends it, who receives it, where it's stored, and how it's transmitted. Then verify that every external touchpoint is covered by a current, compliant BAA.
Workforce Training: The Other Agreement Your Staff Needs to Understand
A signed BAA protects your organization on paper. But your workforce needs to understand why these agreements exist and what happens when they're ignored. Staff members who share PHI with a vendor — even informally, even by email — without confirming a BAA is in place can trigger a reportable violation.
Under 45 CFR § 164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. That training should explicitly cover how your organization manages business associate relationships, how to escalate vendor requests that involve PHI, and what your Notice of Privacy Practices communicates to patients about third-party disclosures.
Investing in HIPAA training and certification ensures every member of your team understands the regulatory obligations tied to HIPAA agreements — not just your compliance officer.
Three Steps to Strengthen Your HIPAA Agreement Process Today
1. Audit Your Existing Vendor Relationships
Pull a complete list of every vendor, contractor, and service provider with potential PHI access. Cross-reference it against your signed BAAs. Any gap is an immediate compliance risk.
2. Standardize Your BAA Template
Use a template that includes every element required under 45 CFR § 164.504(e). Have legal counsel review it annually to ensure it reflects current OCR guidance and any state-specific requirements.
3. Build Compliance Into Your Culture
HIPAA agreements don't enforce themselves. Your workforce needs to know the role they play in protecting PHI at every stage. Comprehensive workforce HIPAA compliance programs turn regulatory requirements into daily practice — reducing risk and building the kind of compliance culture OCR expects to see.
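As an added illustration of steps 1 and 2 above (this is example code written for this page, not a tool the article or OCR provides), the script below reconciles a PHI data-flow map against a BAA register: every external touchpoint must be matched by an agreement that is still in force, contains each of the six provisions listed under 45 CFR § 164.504(e), and sets a breach-reporting deadline no longer than the 60-day outer limit. The vendor names, dates, register field names and element labels are constructed assumptions for the demonstration, not real records or regulatory identifiers.

```python
"""Reconcile a PHI data-flow inventory against a BAA register.

Example code added to illustrate the audit step: every external party
that receives PHI must be covered by a current BAA containing the
provisions required under 45 CFR 164.504(e). Vendor names, dates and
register field names below are constructed sample data, not real records.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# The six provisions the article lists as required under 45 CFR 164.504(e).
# The short labels are assumptions used for this example only.
REQUIRED_ELEMENTS = frozenset({
    "permitted_uses",         # permitted uses and disclosures
    "safeguards",             # administrative, physical, technical safeguards
    "breach_reporting",       # report breaches of unsecured PHI
    "subcontractor_flowdown", # subcontractors bound to the same restrictions
    "return_or_destroy",      # return or destroy PHI at termination
    "right_to_terminate",     # covered entity may terminate on material breach
})
MAX_BREACH_REPORT_DAYS = 60   # outer limit under the Breach Notification Rule


@dataclass
class Flow:
    """One point where PHI leaves the organization (constructed record)."""
    vendor: str
    data: str      # what PHI is shared
    channel: str   # how it is transmitted


@dataclass
class BAA:
    """One signed agreement in the register (constructed record)."""
    vendor: str
    signed: date
    expires: Optional[date]                     # None means evergreen
    elements: Set[str] = field(default_factory=set)
    breach_report_days: Optional[int] = None    # contractual reporting deadline


def baa_gaps(flows: List[Flow], register: List[BAA], as_of: date) -> Dict[str, List[str]]:
    """Return {vendor: [findings]} for every vendor with PHI access that is not
    covered by a current, complete BAA. Vendors with no findings are omitted."""
    by_vendor = {b.vendor: b for b in register}
    findings: Dict[str, List[str]] = {}
    # Each external touchpoint in the data-flow map is a vendor that needs a BAA.
    for vendor in sorted({f.vendor for f in flows}):
        issues: List[str] = []
        baa = by_vendor.get(vendor)
        if baa is None:
            issues.append("no BAA on file")
        else:
            if baa.expires is not None and baa.expires < as_of:
                issues.append(f"BAA expired {baa.expires.isoformat()}")
            missing = sorted(REQUIRED_ELEMENTS - baa.elements)
            if missing:
                issues.append("missing required elements: " + ", ".join(missing))
            if baa.breach_report_days is None or baa.breach_report_days > MAX_BREACH_REPORT_DAYS:
                issues.append(
                    f"breach reporting deadline absent or beyond {MAX_BREACH_REPORT_DAYS} days"
                )
        if issues:
            findings[vendor] = issues
    return findings


def sample_audit() -> Dict[str, List[str]]:
    """Run the gap check over constructed sample data."""
    flows = [
        Flow("Acme Billing", "claims with diagnosis codes", "SFTP"),
        Flow("CloudHost Inc", "EHR database backups", "encrypted replication"),
        Flow("QuickShred LLC", "paper charts for destruction", "courier pickup"),
        Flow("AnswerLine", "after-hours patient calls", "phone/ticketing"),
    ]
    register = [
        BAA("Acme Billing", date(2023, 1, 15), None, set(REQUIRED_ELEMENTS), 30),
        BAA("CloudHost Inc", date(2021, 6, 1), date(2024, 6, 1), set(REQUIRED_ELEMENTS), 60),
        BAA("QuickShred LLC", date(2024, 3, 10), None,
            {"permitted_uses", "safeguards", "breach_reporting"}, 90),
        # AnswerLine handles PHI but has no agreement in the register at all.
    ]
    return baa_gaps(flows, register, as_of=date(2025, 1, 1))


if __name__ == "__main__":
    for vendor, issues in sample_audit().items():
        print(vendor)
        for issue in issues:
            print("  -", issue)
```

Run as-is, it reports the answering service with no agreement, the hosting vendor whose BAA lapsed, and the shredding vendor whose template omits three required provisions and allows 90 days for breach reporting; the billing vendor, fully covered, is silent. The data-flow map is the input, which is the point of the risk-analysis section above: the register can only be checked against touchpoints you have actually inventoried.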
If your organization handles protected health information — and if you're reading this, it almost certainly does — the HIPAA agreement isn't a formality. It's the legal backbone of every third-party relationship you maintain. Treat it accordingly.