A medical billing company in Tennessee exposed the records of 300,000 patients — and the hospital that hired them paid the price. Not because the hospital leaked anything. Because the hospital never signed a proper HIPAA business associate agreement with the vendor handling its claims. I've watched this pattern repeat for over a decade: organizations focus on internal compliance, then get blindsided by a partner who treats PHI like scrap paper.
If your organization shares protected health information with any outside entity — an IT vendor, a shredding company, a cloud storage provider, a billing service — you need a business associate agreement (BAA) that actually holds up under scrutiny. Not a template you downloaded in 2019 and forgot about. A living, enforceable contract.
This post walks through what a HIPAA business associate agreement must include, what OCR actually penalizes, and the mistakes I see covered entities make every single week.
What Is a HIPAA Business Associate Agreement?
A HIPAA business associate agreement is a legally required contract between a covered entity (like a hospital, health plan, or provider) and a business associate — any person or organization that creates, receives, maintains, or transmits PHI on behalf of the covered entity. The BAA spells out exactly what the business associate can and cannot do with that data.
The requirement comes directly from the HIPAA Privacy Rule at 45 CFR § 164.504(e). Without one in place, both parties face enforcement action. Period.
Who Qualifies as a Business Associate?
More vendors than you think. Here's a partial list I run through with clients:
- IT service providers and managed security firms
- Cloud hosting and data storage companies
- Medical billing and coding services
- Transcription vendors
- Shredding and document destruction companies
- Answering services that handle patient calls
- Consultants who access PHI for operational analysis
- Attorneys whose legal work involves PHI access
- Accountants who access patient billing data
If an outside party touches PHI in any form — paper, electronic, verbal — they're likely a business associate. And you need a signed BAA before they access a single record.
The $4.3 Million Mistake: Skipping or Botching Your BAA
In 2016, HHS settled with Advocate Health Care for $5.55 million after multiple breaches, including failures tied to business associate oversight. The investigation found that Advocate failed to obtain BAAs for some of its business associates and didn't perform adequate risk assessments on those relationships. You can read the full resolution on HHS.gov.
More recently, OCR has continued to hammer organizations that treat BAAs as paperwork formalities. In my experience, the organizations that get caught fall into two camps: those with no BAA at all, and those with a BAA so vague it might as well not exist.
What OCR Actually Looks For
During a compliance review or breach investigation, OCR doesn't just check whether you have a signed document. They evaluate:
- Whether the BAA includes all required provisions under the HIPAA Rules
- Whether the covered entity monitored the business associate's compliance
- Whether the BAA was updated after the 2013 Omnibus Rule changes
- Whether breach notification obligations are clearly assigned
A boilerplate agreement missing any of these elements gives OCR exactly what they need to pursue a corrective action plan — or a financial penalty.
What Every HIPAA Business Associate Agreement Must Include
I've reviewed hundreds of BAAs across healthcare systems, dental groups, behavioral health clinics, and community health organizations. The good ones share specific characteristics. Here's what your BAA must address:
Permitted Uses and Disclosures of PHI
The agreement must specify exactly what the business associate is allowed to do with PHI. Vague language like "business associate may use data as needed" is a red flag. Define the scope tightly — for payment processing, for IT maintenance, for claims adjudication. Nothing more.
Safeguards the Business Associate Must Implement
Your BAA should require the business associate to use appropriate administrative, physical, and technical safeguards to protect ePHI. Reference the Security Rule standards explicitly. Don't leave it to interpretation.
Breach Notification Responsibilities
Under the Breach Notification Rule, business associates must report breaches of unsecured PHI to the covered entity without unreasonable delay — no later than 60 days after discovery. Your BAA must spell this out, including the format and timeline for notification. I've seen agreements that omit this entirely. That's an instant compliance gap.
Subcontractor Requirements
If your business associate uses subcontractors who will access PHI, the BAA must require the business associate to sign downstream BAAs with those subcontractors. This chain-of-custody requirement was reinforced by the 2013 Omnibus Rule. Miss it, and you've got an uncontrolled data flow.
Return or Destruction of PHI at Termination
When the contract ends, what happens to the data? Your BAA must address this. The business associate must return or destroy all PHI — or, if that's not feasible, extend protections indefinitely. I always push clients to include specific destruction timelines and certification requirements.
Individual Rights
The BAA should acknowledge that individuals retain their rights under HIPAA — access, amendment, accounting of disclosures — and clarify how the business associate supports the covered entity in fulfilling those requests.
Three BAA Mistakes I See Covered Entities Make Every Month
1. Using the Same Template for Every Vendor
Your cloud hosting provider and your medical transcription service have completely different risk profiles. A one-size-fits-all BAA ignores this. Tailor the permitted uses, the safeguard requirements, and the breach notification logistics to the actual relationship.
2. Signing and Filing — Then Never Looking Again
A BAA isn't a set-it-and-forget-it document. You need to review it annually. Did the vendor change its subcontractors? Did your organization expand the data it shares? Did new regulations take effect? If anything changed, the BAA needs an amendment.
3. Failing to Train Your Own Workforce on BA Relationships
Your staff needs to understand what a business associate is, why BAAs exist, and what to do if they suspect a vendor is mishandling PHI. Without that awareness, breaches go unreported for weeks or months. If your workforce includes community-facing roles, consider enrolling them in HIPAA training for community health workers — it covers exactly these scenarios in plain language.
Does Your Organization Actually Track Its Business Associates?
Here's a question I ask every new client: can you give me a complete list of every vendor that touches PHI? Roughly 60% of the time, the answer is "not really." That's terrifying.
You need a business associate inventory. It should include:
- Vendor name and contact information
- Type of PHI accessed (electronic, paper, verbal)
- Date BAA was signed and last updated
- Subcontractor status
- Last risk assessment date for that relationship
Without this inventory, you can't manage what you can't see. And OCR will expect you to produce it during an investigation.
The 2013 Omnibus Rule Changed Everything — Are You Current?
The 2013 Omnibus Rule made business associates directly liable for HIPAA Security Rule compliance and certain Privacy Rule provisions. Before 2013, enforcement pressure fell mostly on covered entities. Now, business associates face their own penalties.
If your BAA was drafted before January 2013 and hasn't been updated since, it's out of compliance. I still encounter pre-Omnibus BAAs in the wild — especially at smaller practices and community health organizations. It's one of the easiest problems to fix and one of the most expensive to ignore.
How a BAA Fits Into Your Broader Compliance Program
A HIPAA business associate agreement doesn't work in isolation. It's one piece of a compliance ecosystem that includes workforce training, risk analysis, policies and procedures, and incident response planning. If you invest in airtight BAAs but your staff can't recognize a phishing email, you're still vulnerable.
Build your compliance program from the inside out. Start with practical HIPAA training that gives your workforce real-world scenarios — not just legal jargon. Then make sure your vendor management process matches that same level of rigor.
A Quick Checklist Before You Sign Your Next BAA
- Does the BAA specify permitted uses and disclosures?
- Does it require Security Rule-compliant safeguards?
- Does it address breach notification timelines?
- Does it require downstream BAAs with subcontractors?
- Does it include PHI return/destruction provisions?
- Has it been reviewed and updated since 2013?
- Is the business associate listed in your vendor inventory?
If you can't check every box, you have work to do. And it's better to do it now than after OCR comes knocking.
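The business associate inventory and the checklist above, turned into a runnable audit as an added example (not part of the original post): each inventory record is scored against the checklist and every gap is named. The 2013 cutoff and the annual review cadence come from the post's own wording; the `last_reviewed` field, the one-year cadence for risk assessments, and the sample vendors are assumptions made here.

```python
# Added example, not the post's own code: audit a business associate inventory
# against the checklist above. The one-year review cadence and the 2013-01-01
# Omnibus cutoff follow the post's wording; `last_reviewed` is an assumed field.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

OMNIBUS_CUTOFF = date(2013, 1, 1)    # BAAs not updated since then are stale
REVIEW_PERIOD = timedelta(days=365)  # annual review cadence (assumption)
AS_OF = date(2025, 1, 15)            # audit date for the constructed sample

@dataclass
class BusinessAssociate:
    name: str
    phi_types: list                    # subset of electronic / paper / verbal
    baa_signed: Optional[date]         # None means no BAA on file at all
    baa_last_updated: Optional[date]
    last_reviewed: Optional[date]      # assumed field: last annual review
    uses_subcontractors: bool
    downstream_baas_confirmed: bool
    last_risk_assessment: Optional[date]

def audit(ba: BusinessAssociate, as_of: date) -> list:
    """Return the checklist gaps for one BA record; an empty list means clean."""
    gaps = []
    if ba.baa_signed is None:
        gaps.append("no BAA on file")
    else:
        current = ba.baa_last_updated or ba.baa_signed
        if current < OMNIBUS_CUTOFF:
            gaps.append("BAA predates the 2013 Omnibus Rule and was never updated")
        if ba.last_reviewed is None or as_of - ba.last_reviewed > REVIEW_PERIOD:
            gaps.append("annual BAA review overdue")
    if ba.uses_subcontractors and not ba.downstream_baas_confirmed:
        gaps.append("subcontractors access PHI without confirmed downstream BAAs")
    if ba.last_risk_assessment is None or as_of - ba.last_risk_assessment > REVIEW_PERIOD:
        gaps.append("no current risk assessment for this relationship")
    return gaps

def audit_inventory(inventory, as_of: date) -> dict:
    # Map every vendor to its gaps so the whole inventory can be reviewed at once.
    return {ba.name: audit(ba, as_of) for ba in inventory}

# Constructed sample inventory (fictional vendors) that trips every rule once.
SAMPLE_INVENTORY = [
    BusinessAssociate("Acme Claims Billing", ["electronic"], date(2012, 6, 1),
                      None, None, True, False, date(2023, 3, 10)),
    BusinessAssociate("Northwind Cloud Hosting", ["electronic"], date(2014, 2, 3),
                      date(2024, 5, 20), date(2024, 9, 1), True, True, date(2024, 8, 15)),
    BusinessAssociate("Shred-It-All Destruction", ["paper"], None, None, None, False, False, None),
]
```

Running `audit_inventory(SAMPLE_INVENTORY, AS_OF)` leaves the hosting vendor clean, flags the shredding vendor for having no BAA and no risk assessment, and flags the billing vendor on all four rules.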
I've spent years helping organizations untangle vendor relationships that should have been locked down from day one. The HIPAA business associate agreement isn't glamorous. It isn't the part of compliance that gets headlines — until it fails. Get this one right, and you've eliminated one of the most common entry points for enforcement actions and avoidable breaches.