Audit Process —

Understanding HIPAA Business Associate Agreements (BAAs)

HIPAA BAAs ensure vendors protect PHI, define breach duties, and support third-party risk alignment with ISO and SOC 2.

Share this article

Contents

No headings found on page

Understanding HIPAA Business Associate Agreements (BAAs)

A missing or inadequate Business Associate Agreement is one of the easier compliance gaps to fix and one of the most consistently penalized by OCR — not usually as the sole cause of a settlement, but as the finding that turns a contained incident into a much larger one. The regulatory basis sits across 45 CFR §§ 164.308, 164.314, 164.502, and 164.504, spanning the Security, Privacy, and Breach Notification Rules together — which is part of why a BAA gap tends to implicate more than one rule at once when OCR investigates.

When a BAA Is Required

A BAA is required whenever a person or company outside your own workforce creates, receives, maintains, or transmits PHI on your behalf — cloud hosting providers, IT vendors, billing services, consultants, and any subcontractor those vendors bring in to touch the same data. This applies regardless of whether anything ever goes wrong with that vendor's handling of the data: operating without a required BAA is itself a violation, independent of any breach.

What 45 CFR 164.504(e) Actually Requires

The regulation specifies the provisions a compliant BAA must contain:

  • Permitted uses and disclosures — defining exactly what the business associate can and can't do with the PHI it receives

  • Required safeguards — obligating the business associate to implement protections consistent with the Security Rule

  • Breach and security incident reporting — with an actual deadline and a defined point of contact, not vague language

  • Subcontractor flow-down — extending the same obligations to any subcontractor the business associate engages

  • Individual rights support — cooperating with access, amendment, and accounting requests under the Privacy Rule

  • HHS access — allowing HHS to review the business associate's relevant records for compliance verification

  • Return or destruction of PHI at termination — with an extension of protections if return or destruction isn't feasible

  • Termination for cause — the covered entity's right to end the agreement if the business associate violates a material term

A BAA missing one or more of these isn't a complete agreement, even if it's signed and on file.

Where Real Settlements Have Turned on This

Center for Children's Digestive Health, $31,000 (2017). CCDH had disclosed PHI to a records storage vendor since 2003, but neither party could produce a signed BAA covering that relationship until years later. This is the clearest illustration that a missing BAA is its own violation — there wasn't a breach driving this case, just the absence of the agreement itself.

A hospital system, $400,000 (settlement predating 2017 Omnibus enforcement focus). This case involved BAAs that existed but hadn't been updated to include terms the 2013 Omnibus Rule added — a reminder that a BAA signed years ago and never revisited can be just as deficient as no BAA at all.

MedEvolve, $350,000 (2023). A business associate itself, fined after a breach exposing over 200,000 individuals' data, where OCR's investigation found MedEvolve had both failed to conduct a risk assessment and failed to enter into a BAA with one of its own subcontractors — illustrating that the BAA chain has to extend through every subcontractor layer, not stop at the first vendor relationship.

Providence Medical Institute, $240,000 (2024). A Security Rule case where failure to restrict PHI access and failure to maintain a proper BAA were cited together — consistent with the broader pattern that BAA gaps rarely appear in isolation; they tend to surface alongside other safeguard failures once OCR starts investigating.

What a BAA Doesn't Do

A signed BAA is not automatic protection against liability. If a covered entity fails to perform reasonable due diligence on a business associate's actual HIPAA compliance before signing, and a breach later occurs through that business associate's negligence, the covered entity can still be found liable — the agreement shifts contractual obligation, not all legal risk. This is also worth knowing for cloud vendor relationships specifically: major providers' standard BAAs often include their own conditions and carve-outs. AWS's Business Associate Addendum, for example, conditions its compliance obligations on the customer correctly configuring covered services, enabling audit logging, and encrypting PHI placed in the environment — meaning the BAA's protections depend on the customer holding up its end, not just the vendor's.

Keeping BAAs Current, Not Just Signed

The recurring pattern across enforcement cases isn't usually that organizations never thought about BAAs — it's that agreements went stale: signed years ago, never revisited after a regulatory update, or never extended to a new subcontractor added later. A BAA inventory that's checked only when a new vendor relationship starts, rather than reviewed on a recurring schedule, is exactly the gap that tends to surface during a breach investigation rather than a routine audit.

Treating BAA management as part of ongoing third-party risk management — rather than a one-time contract signing — also creates natural overlap with ISO 27001 and SOC 2 vendor management requirements, both of which require their own ongoing vendor risk assessment. Conducting a HIPAA Risk Assessment covers the broader risk analysis process a BAA inventory should feed into, rather than sit apart from.

In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.

HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.

Read more about HIPAA compliance with DSALTA.

Stop losing deals to compliance.

Get compliant. Keep building.

Join 100s of startups who got audit-ready in days, not months.