Business associate agreement (BAA)

What is a BAA?

A business associate agreement or BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect personal health information (PHI) and comply with the guidelines provided by HIPAA.

BAAs require that:

  • A company dealing with PHI obtains sufficient assurances from its business associates
  • The business associate will safeguard the PHI on the company’s behalf

Under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA business associate automatically becomes subject to audits performed by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.

What should be in a BAA?

HIPAA requires that every BAA contains certain elements. As we can read on the HHS website, the contract must:

  • Describe the business associate’s permitted and required uses of protected health information.
  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
  • Require the business associate to use appropriate safeguards to prevent the use or disclosure of protected health information other than as provided for by the contract.

You may also like:


  • Life after GA4: Why EU organizations are going local

    When Universal Analytics was phased out in 2023, and GA4 rolled out with complexity, many European organisations were forced to rethink how they measure success. For more and more, the solution is clear: use analytics built for Europe, by Europe. Why sovereignty matters Data sovereignty isn’t just a buzzphrase. Under GDPR and the Schrems II…

  • Telehealth analytics: Optimizing virtual care experiences in a HIPAA-compliant way

    As patients increasingly turn to digital platforms for medical care, healthcare organizations must understand user behavior and tailor their responses to meet these expectations. Patients want flexible, digital-first options, while providers seek to optimize efficiency, reduce costs, and expand care to more people.