In 2024, OCR settled with a New England dermatology practice for $300,640 after investigators found that protected health information had been disclosed to a vendor without a signed business associate agreement in place. The practice had worked with the vendor for years. The relationship was informal, the trust was real — and the HIPAA BAA was nonexistent. If you've ever searched for "hippaa baa" trying to understand what's required, you're asking the right question at the right time.

What a HIPAA BAA Actually Requires Under Federal Law

A Business Associate Agreement — commonly called a HIPAA BAA — is a written contract required under 45 CFR §164.502(e) and §164.504(e) any time a covered entity shares protected health information with a business associate. No handshake, verbal agreement, or implied understanding satisfies this requirement.

The Omnibus Rule of 2013 extended direct liability to business associates, meaning your vendors are independently responsible for HIPAA compliance. But that doesn't relieve your organization of the obligation to execute a proper agreement before any PHI changes hands.

At minimum, a compliant HIPAA BAA must specify:

  • The permitted and required uses of PHI by the business associate
  • A prohibition against unauthorized uses or disclosures beyond the contract's scope
  • Requirements to implement appropriate safeguards under the Security Rule
  • Obligations to report breaches or security incidents to the covered entity
  • Requirements for the business associate to ensure its own subcontractors agree to the same restrictions
  • Terms for return or destruction of PHI at contract termination

If any of these elements are missing, OCR considers the agreement noncompliant — which is functionally the same as having no BAA at all.

The Subcontractor Chain Most Organizations Overlook

Here's where compliance breaks down in practice. Your organization signs a HIPAA BAA with a billing company. That billing company uses a cloud hosting provider to store claims data containing PHI. Under the Omnibus Rule, that hosting provider is a subcontractor business associate — and a BAA must exist between the billing company and the hosting provider.

Your covered entity needs to verify that your business associates are managing their downstream relationships with the same rigor. In my work with covered entities, I've found that fewer than half have ever asked a vendor about subcontractor agreements. OCR doesn't accept ignorance of your vendor's supply chain as a defense.

When a BAA Is Required — and When It Isn't

Not every vendor relationship triggers the HIPAA BAA requirement. The key question is whether the vendor creates, receives, maintains, or transmits protected health information on your behalf. A janitorial company cleaning your office typically doesn't need one. A shredding company that handles paper records containing PHI does.

Common business associate relationships that require a signed BAA include:

  • EHR and health IT vendors
  • Medical billing and coding services
  • Cloud storage providers handling PHI
  • Answering services that take patient messages
  • Attorneys who access PHI for legal services
  • Consultants performing utilization review or quality assurance

A frequent mistake is assuming that a vendor's own HIPAA compliance program eliminates the need for a BAA. It doesn't. The agreement is a standalone legal requirement under the Privacy Rule, regardless of how secure the vendor claims to be.

OCR Enforcement Patterns Around Missing BAAs

OCR has made clear through its enforcement actions that missing or deficient business associate agreements are among the most common HIPAA violations. Between 2016 and 2024, multiple seven-figure settlements have cited the absence of BAAs as a contributing factor — including the $4.3 million settlement with Cignet Health and the $1.55 million resolution with North Memorial Health Care.

What makes BAA violations particularly dangerous is that they're easy for investigators to verify. During a compliance review or breach investigation, OCR requests your vendor inventory and corresponding agreements. A gap in documentation is an instant finding — no complex forensic analysis required.

Building a Defensible BAA Management Process

Compliance isn't just about having BAAs on file. Your organization needs a repeatable process to manage the full lifecycle of these agreements. That means:

  • Maintaining a current inventory of every business associate with access to PHI
  • Reviewing BAAs at least annually to ensure terms reflect current regulatory requirements and actual data practices
  • Tracking expiration and renewal dates so agreements never lapse during active vendor relationships
  • Documenting due diligence — evidence that you evaluated the vendor's ability to safeguard PHI before executing the agreement

This process should be part of your broader risk analysis under the Security Rule. If your risk analysis doesn't account for third-party access to PHI, it's incomplete.
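One way to make the inventory review repeatable is to script the checks OCR actually performs: no agreement, a lapsed agreement, an agreement missing one of the six required elements, or a subcontractor in the chain without its own BAA. The script below is an added example, not a HIPAA Certify tool; the inventory records, field names and the audit date are constructed assumptions.

```python
"""Audit a constructed business-associate inventory for BAA gaps.
Added example; record layout and field names are assumptions."""
from datetime import date

# The six minimum BAA elements required under 45 CFR 164.504(e).
REQUIRED_ELEMENTS = {
    "permitted_uses", "no_unauthorized_disclosure", "security_rule_safeguards",
    "incident_reporting", "subcontractor_flowdown", "return_or_destroy_phi",
}

def audit_vendor(vendor, today, chain=""):
    """Return findings for one vendor and, recursively, its subcontractors."""
    label = f"{chain}{vendor['name']}"
    if not vendor.get("phi_access"):
        return []                      # no PHI handled, so no BAA is required
    baa = vendor.get("baa")
    if baa is None:
        return [f"{label}: handles PHI but has no BAA"]
    findings = []
    missing = REQUIRED_ELEMENTS - set(baa.get("elements", ()))
    if missing:
        findings.append(f"{label}: BAA missing {sorted(missing)}")
    expires = baa.get("expires")
    if expires is not None and expires < today:
        findings.append(f"{label}: BAA expired {expires.isoformat()}")
    # Subcontractor chain: every downstream PHI handler needs its own BAA.
    for sub in vendor.get("subcontractors", []):
        findings.extend(audit_vendor(sub, today, chain=f"{label} > "))
    return findings

def audit_inventory(inventory, today=None):
    """Flat list of findings across the whole inventory (empty = no gaps)."""
    today = today or date.today()
    return [f for v in inventory for f in audit_vendor(v, today)]

# Constructed sample inventory and audit date, not real vendors.
AS_OF = date(2025, 3, 1)
INVENTORY = [
    {"name": "Billing Co", "phi_access": True,
     "baa": {"elements": REQUIRED_ELEMENTS, "expires": date(2026, 1, 1)},
     "subcontractors": [{"name": "Cloud Host", "phi_access": True, "baa": None}]},
    {"name": "Janitorial", "phi_access": False},
    {"name": "Shredding Co", "phi_access": True,
     "baa": {"elements": ["permitted_uses", "incident_reporting"],
             "expires": date(2024, 6, 30)}},
]

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, AS_OF):
        print(finding)
```

Run against the sample data it reports the unsigned subcontractor BAA behind Billing Co and both the missing elements and the lapse on Shredding Co, while the janitorial vendor produces no finding.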

The Workforce Training Requirement That Supports BAA Compliance

Your workforce needs to understand when a business associate relationship exists and why a HIPAA BAA matters. Front-line staff are often the first to engage new vendors — scheduling a new courier service, signing up for a transcription platform, or sharing records with a consultant. Without proper training, these decisions create unmanaged risk.

Investing in HIPAA training and certification ensures that everyone from intake coordinators to department heads can recognize when PHI is being shared and escalate for proper BAA execution. This is a direct requirement under 45 CFR §164.530(b) — workforce members must be trained on policies and procedures relevant to their job functions.

Stop Treating BAAs as Paperwork

Healthcare organizations consistently struggle with viewing business associate agreements as administrative busywork rather than enforceable legal instruments. A HIPAA BAA defines the boundaries of permissible PHI use, establishes breach notification timelines, and gives your covered entity contractual recourse when a vendor fails to protect patient data.

If your organization hasn't audited its BAA inventory in the past 12 months, that's your next action item. Map every vendor with PHI access, verify a current and compliant agreement exists for each one, and close gaps immediately.

Building a culture of compliance starts with understanding the rules — and applying them consistently. HIPAA Certify's workforce compliance program gives your team the knowledge to identify business associate relationships, apply the minimum necessary standard, and maintain the documentation that protects your organization when OCR comes knocking.