Business associate agreement (BAA)

What is a BAA?

A business associate agreement or BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect personal health information (PHI) and comply with the guidelines provided by HIPAA.

BAAs require that:

  • A company dealing with PHI obtains sufficient assurances from its business associates
  • The business associate will safeguard the PHI on the company’s behalf

Under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA business associate automatically becomes subject to audits performed by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.

What should be in a BAA?

HIPAA requires that every BAA contains certain elements. As we can read on the HHS website, the contract must:

  • Describe the business associate’s permitted and required uses of protected health information.
  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
  • Require the business associate to use appropriate safeguards to prevent the use or disclosure of protected health information other than as provided for by the contract.

You may also like:


  • Introducing new pricing: More analytics value and privacy compliance as you grow

    Businesses have transformed the way they collect and utilize data. Modern organizations are seeking trusted datasets, full visibility into the customer journey, and ethical data collection, all within a seamless platform that offers comprehensive analytics and data activation capabilities.  To meet these evolving needs, we’re excited to share some important updates about our platform. Over…

  • The comparison of 9 HIPAA-compliant web analytics platforms

    Selecting a HIPAA-compliant web analytics platform is critical for any healthcare organization. With the increasing reliance on digital tools to improve patient care, streamline operations, and drive strategic decisions, the need to analyze web and patient data securely has never been greater.  Choosing a platform that doesn’t match your needs or available resources can put…