A Missing Signature That Cost $4.3 Million
In 2016, the U.S. Department of Health and Human Services settled with Advocate Health Care for $5.55 million after a series of breaches affecting nearly four million patients. One of the core findings? The organization failed to obtain satisfactory business associate agreements before handing PHI to its vendors. That wasn't a technicality — it was the centerpiece of the enforcement action.
If you're searching for guidance on HIPAA and BAA requirements, you're already asking the right question. A Business Associate Agreement isn't just a checkbox document. It's a legally binding contract that dictates how your vendors handle protected health information — and without one, your organization is exposed to the kind of penalty that ends careers and closes practices.
I've reviewed hundreds of BAAs across hospitals, clinics, SaaS vendors, and billing companies. Here's what I've learned: most organizations either don't have them when they should, or they have ones so generic they might as well not exist.
What Is a Business Associate Agreement Under HIPAA?
A Business Associate Agreement is a written contract required by the HIPAA Privacy Rule and the HIPAA Security Rule whenever a covered entity shares PHI with a business associate. The regulation lives at 45 CFR Part 164, Subpart E, and the specific BAA requirements are spelled out in 45 CFR § 164.504(e).
In plain language: if another company touches your patients' data on your behalf — whether they're shredding paper records, hosting your EHR, processing your claims, or transcribing clinical notes — you need a BAA in place before a single record changes hands.
Who Counts as a Business Associate?
This is where organizations trip up constantly. A business associate is any person or entity that performs a function or activity involving the use or disclosure of PHI on behalf of a covered entity. That includes:
- IT service providers and cloud hosting companies
- Medical billing and coding firms
- Law firms handling PHI-related matters
- Answering services that take patient calls
- Shredding and document destruction companies
- AI tools and platforms that process ePHI
- Consultants who access patient data during audits
If you're deploying AI-powered tools that interact with patient records, the stakes are even higher. Our course on Using AI Tools & PHI walks through exactly how these newer vendor relationships trigger BAA requirements most organizations haven't considered yet.
The $1.5 Million Mistake: No BAA, No Defense
In 2018, OCR settled with Advanced Care Hospitalists (ACH) for $500,000 after a breach involving a business associate that had been given access to PHI without a signed BAA. The organization also failed to conduct a proper risk analysis. What made it worse? ACH didn't even discover the breach on its own — a patient's data ended up on a public website.
North Memorial Health Care paid $1.55 million in 2016 for a similar failure. An unencrypted laptop was stolen from a business associate's workforce member, and there was no BAA in place between the two organizations. OCR was blunt in its resolution agreement: the lack of a BAA was a direct violation of federal law. You can review OCR's enforcement actions directly at the HHS breach settlement page.
The pattern in these cases is always the same. An organization assumes a vendor relationship doesn't require a BAA, never executes one, and then a breach happens. Without the BAA, there's no contractual framework limiting liability, no required breach notification timeline, and no defined security obligations. OCR treats the absence of a BAA as an independent violation — separate from whatever breach triggered the investigation.
What Your BAA Must Include: The Non-Negotiable Elements
I've seen BAAs that run two pages and BAAs that run forty. Length doesn't determine quality. Here's what the HIPAA regulations require every BAA to address:
Permitted Uses and Disclosures of PHI
The BAA must specify exactly what the business associate can and cannot do with PHI. Vague language like "business associate will handle data appropriately" doesn't cut it. You need explicit boundaries: what functions they perform, what data they access, and under what circumstances they can use it.
Safeguards and Security Requirements
The agreement must require the business associate to use appropriate safeguards — including administrative, physical, and technical measures — to prevent unauthorized use or disclosure of PHI. For ePHI, that means compliance with the HIPAA Security Rule.
Breach Notification Obligations
Your BAA must require the business associate to report any breach of unsecured PHI to you without unreasonable delay. The HIPAA Breach Notification Rule requires notification within 60 days at the outside, but your BAA can — and should — set a tighter window. I recommend 10 business days or fewer.
Subcontractor Requirements
If your business associate uses subcontractors who will access PHI, the BAA must require the business associate to execute downstream BAAs with those subcontractors. This chain-of-custody requirement was strengthened by the HITECH Act and the 2013 Omnibus Rule.
Return or Destruction of PHI
When the contract ends, the BAA must specify that the business associate will return or destroy all PHI. If that's not feasible, the agreement must extend protections to any retained data indefinitely.
Right to Terminate
The covered entity must have the right to terminate the BAA if the business associate violates a material term. This isn't optional language — it's a regulatory requirement.
Where Most Organizations Get HIPAA and BAA Compliance Wrong
After years of consulting, I can tell you the five most common BAA failures I encounter:
1. Not identifying all business associates. Your shredding company is a business associate. Your cloud fax provider is a business associate. That AI transcription tool your physicians started using last month? Business associate. Most organizations have a BAA gap because they haven't done a thorough vendor inventory.
2. Using a template from 2012. The Omnibus Rule in 2013 changed BAA requirements significantly. If your template predates that rule, it's missing subcontractor provisions, direct liability language, and updated breach notification requirements.
3. Signing but not reviewing. I've worked with organizations that signed whatever BAA the vendor sent over without reading it. Some of those agreements shifted all breach liability onto the covered entity. Your legal team needs to review every BAA your organization signs.
4. Forgetting to track expiration dates. BAAs aren't forever documents. They expire, contracts get renewed, and services change scope. If your BAA expired two years ago and your vendor is still processing PHI, you have a violation on your hands right now.
5. No workforce training on vendor relationships. Your staff members are the ones inviting vendors into your environment. If they don't understand when a BAA is required, they'll create compliance gaps faster than your privacy officer can close them. Our HIPAA Introduction Training 2026 covers workforce responsibilities around PHI disclosures and business associate relationships.
Do Subcontractors Need Their Own BAAs?
Yes. Since the 2013 Omnibus Rule, subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves considered business associates. They must have their own BAA with the business associate that hired them.
This means your cloud hosting provider's data center partner, your billing company's offshore coding team, and your EHR vendor's analytics subprocessor all need BAAs in place. The chain doesn't stop at the first handoff. If you can't verify that your business associate has executed downstream agreements, you're carrying risk you haven't accounted for.
State Laws That Add Another Layer
Several states impose requirements beyond what HIPAA demands. Texas is a prime example — the Texas Medical Records Privacy Act (HB 300) creates additional obligations for entities handling Texas residents' health data, including stricter training requirements and expanded definitions of covered information. If your organization operates in or serves patients from these states, your BAAs may need state-specific language.
How to Audit Your BAA Program in 2026
Here's the process I walk organizations through when they ask me to evaluate their BAA compliance:
- Step 1: Build a complete vendor inventory. Every vendor that touches PHI goes on the list — no exceptions.
- Step 2: Cross-reference the inventory against existing BAAs. Flag any vendor without a current, signed agreement.
- Step 3: Review each BAA against the requirements in 45 CFR § 164.504(e). Check for subcontractor provisions, breach notification timelines, termination clauses, and return/destruction language.
- Step 4: Verify that BAAs reflect current service scopes. If the vendor's role has expanded since the BAA was signed, the agreement needs updating.
- Step 5: Document everything. OCR doesn't just want to see the BAA — they want evidence that you actively manage the program.
This isn't a one-time exercise. I recommend running this audit annually, with quarterly spot checks when new vendors are onboarded.
Your BAA Is Only as Good as Your Compliance Culture
A perfectly drafted BAA sitting in a filing cabinet doesn't protect patients. It protects you legally — but only if the practices it describes are actually happening. Your business associates need to implement the safeguards they agreed to. Your workforce needs to understand why BAAs exist and what triggers the need for one.
That's why training matters as much as the contract itself. If your team can't identify a business associate relationship when they see one, no BAA template will save you. Explore the full HIPAACertify training catalog to make sure your workforce understands both the regulatory requirements and the real-world risks.
OCR has made it clear through enforcement action after enforcement action: the relationship between HIPAA and BAA compliance isn't optional, and it isn't theoretical. It's the mechanism that keeps PHI protected when it leaves your four walls. Get it right, or get ready to explain to HHS why you didn't.