Business associate agreement (BAA)

What is a BAA?

A business associate agreement or BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect personal health information (PHI) and comply with the guidelines provided by HIPAA.

BAAs require that:

  • A company dealing with PHI obtains sufficient assurances from its business associates
  • The business associate will safeguard the PHI on the company’s behalf

Under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA business associate automatically becomes subject to audits performed by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.

What should be in a BAA?

HIPAA requires that every BAA contains certain elements. As we can read on the HHS website, the contract must:

  • Describe the business associate’s permitted and required uses of protected health information.
  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.
  • Require the business associate to use appropriate safeguards to prevent the use or disclosure of protected health information other than as provided for by the contract.

You may also like:


  • PHI and PII

    PHI and PII: How they impact HIPAA compliance and your marketing strategy

    Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information. Keeping HIPAA compliant and protecting patient information requires…

  • How can healthcare organizations benefit from using a customer data platform (CDP)

    Like many industries, healthcare has been undergoing significant change and is under immense pressure. Patients expect personalized healthcare experiences, but are increasingly aware of their privacy rights and demand that their data is safe and not misused. Healthcare providers have been seeking ways to connect, scale, and leverage customer data more effectively to meet consumers’…