A business associate agreement is a healthcare contract required under HIPAA when a vendor handles protected health information for a covered entity.
A Business Associate Agreement (BAA) is the HIPAA-required contract between a covered entity (provider, payer, clearinghouse) and any business associate that handles protected health information (PHI) on its behalf. It is the BAA that pulls the business associate into direct HIPAA liability.
The HIPAA civil penalty cap applies per violation category per calendar year, and the average US healthcare data breach now costs $10.22M (IBM 2025). About 30% of patient-record breaches have involved a business associate, and a missing or invalid BAA is routinely cited as the underlying compliance failure.
Sources: HHS Office for Civil Rights 2024 enforcement summary; IBM Cost of a Data Breach Report 2025.
TL;DR
- BAAs are required between covered entities and any vendor that handles PHI on their behalf.
- Business associates have direct HIPAA liability since the HITECH Act, not just contractual liability.
- Subcontractors that handle PHI also need a BAA with the business associate above them.
- Vallor surfaces BAA gaps across your vendor portfolio so PHI cannot flow to vendors without one.
Anatomy of a BAA
Sample clause — HIPAA Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
1. PARTIES. Customer is a Covered Entity [1]; Vendor is a Business Associate [2] under HIPAA.
2. PERMITTED USES. Vendor may use PHI only as necessary to perform the services described in the underlying Agreement [3].
3. SAFEGUARDS. Vendor shall implement administrative, physical, and technical safeguards meeting the HIPAA Security Rule [4].
4. SUBCONTRACTORS. Vendor shall ensure any subcontractor handling PHI signs a BAA with equivalent terms [5].
5. BREACH NOTIFICATION. Vendor shall report any breach to Customer within 24 hours of discovery [6].
6. TERMINATION. Customer may terminate immediately upon material breach.
[1] Covered Entity: a healthcare provider, payer, or clearinghouse. The primary HIPAA-regulated party.
[2] Business Associate: a vendor handling PHI on behalf of a Covered Entity. Direct HIPAA liability since HITECH (2009).
[3] Permitted uses: define the only purposes for which PHI can be used. Any use outside them is an impermissible use, which the Breach Notification Rule presumes to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
[4] Safeguards: the specific administrative, physical, and technical controls the vendor commits to, typically encryption at rest and in transit, role-based access control, and audit logging.
[5] Subcontractor BAAs: liability flows downstream. Each subcontractor handling PHI needs its own BAA with the party directly above it.
[6] Breach notification: HIPAA's own ceiling for a Business Associate to notify the Covered Entity is 60 days from discovery, but most BAAs contract a 24-72 hour window. Missing the contractual window is itself a breach of the BAA.
How Vallor handles business associate agreements
1. Identify every PHI-touching vendor in your portfolio. Vallor reads your vendor agreements, identifies which involve PHI access, and flags any vendor without a current BAA on file.
2. Extract BAA structure into queryable fields. Permitted uses, required safeguards, breach notification window, subcontractor obligations, audit rights, each citable back to the clause it came from.
3. Track subcontractor BAA chains. Where your business associate has its own subcontractors handling PHI, Vallor surfaces the existence (and gaps) of downstream BAAs.
4. Monitor for changes that trigger a BAA review. When a vendor changes its subprocessors, expands its service scope, or has a security incident, Vallor flags it as a BAA review trigger.
Where teams trip up
✗ Treating de-identified data as outside HIPAA. If the data is not de-identified under the HIPAA Safe Harbor standard (removal of the 18 listed identifier types) or the Expert Determination standard, it is still PHI. Many datasets labelled 'de-identified' fail the standard.
✗ Missing the 24-72 hour breach notification window. HIPAA gives Covered Entities 60 days from discovery to notify affected individuals (and HHS, for breaches affecting 500 or more individuals). Business Associates are often contractually bound to notify the Covered Entity within 24-72 hours, and the Covered Entity's own clock can already be running, so late notice cascades.
✗ Not tracking subcontractor BAAs. Your vendor's subcontractor breaching is your problem. If the subcontractor BAA chain is incomplete, primary liability comes back upstream.
✗ Ignoring BAAs for vendors with incidental PHI access. Email providers, cloud storage, backup services, IT support: vendors that store, transmit, or can reach PHI in the course of their service need a BAA even if handling PHI is not what they were hired for. HHS treats a cloud provider that stores encrypted ePHI without holding the key as a business associate; only a pure conduit, such as an ISP or courier that merely transports the data, is exempt. The 'they have no access' assumption is the most common audit finding.
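Steps 1 and 3 of the workflow above (identify PHI-touching vendors without a BAA, track subcontractor chains) and the "not tracking subcontractor BAAs" pitfall describe a check that a security team can also run over its own vendor inventory. The following is an added example written for this page, not Vallor's code and not any API of the product. It assumes a hand-maintained inventory in which each vendor record carries a PHI flag, whether a current BAA with the party directly upstream is on file, and the names of its subcontractors; the inventory below is constructed for illustration.

```python
"""Added example: a BAA-gap check over a vendor inventory that follows
subcontractor chains. Not Vallor's code; the inventory is constructed."""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    handles_phi: bool          # stores, transmits, or can access PHI in this engagement
    baa_on_file: bool          # a current BAA with the party directly upstream
    subcontractors: list = field(default_factory=list)


def find_baa_gaps(vendors, first_tier):
    """Walk the subcontractor graph from each first-tier vendor and return every
    PHI-handling chain that lacks a BAA, as (path, reason) pairs where path runs
    from the first-tier vendor down to the party without one.

    Rules applied:
      * a vendor that does not handle PHI needs no BAA, and its subcontractors
        cannot receive PHI through it, so its subtree is skipped;
      * a PHI-handling vendor without a BAA is a gap, but its subtree is still
        walked, because each downstream link is a separate missing BAA;
      * a subcontractor that is named but has no inventory record is reported
        as a gap too: unknown status is a gap until proven otherwise.
    """
    gaps = []

    def walk(name, path):
        if name in path:                       # cycle guard for messy inventories
            return
        path = path + (name,)
        vendor = vendors.get(name)
        if vendor is None:
            gaps.append((path, "no inventory record"))
            return
        if not vendor.handles_phi:
            return                             # no PHI here, so none flows downstream
        if not vendor.baa_on_file:
            gaps.append((path, "no BAA on file"))
        for sub in vendor.subcontractors:
            walk(sub, path)

    for name in first_tier:
        walk(name, ())
    return gaps


def format_report(gaps):
    """Render gaps as one 'A -> B -> C: reason' line each."""
    return [" -> ".join(path) + ": " + reason for path, reason in gaps]


# Constructed inventory (hypothetical vendors), keyed by vendor name.
INVENTORY = {
    "ClaimsCo": Vendor("ClaimsCo", True, True, ["CloudHost", "PrintMail"]),
    "CloudHost": Vendor("CloudHost", True, True, ["LogAggregator", "OffsiteBackup"]),
    "LogAggregator": Vendor("LogAggregator", True, False),       # logs carry PHI, no BAA
    "PrintMail": Vendor("PrintMail", True, False),               # mails statements, no BAA
    "MarketingSaaS": Vendor("MarketingSaaS", False, False, ["AdNetwork"]),  # never gets PHI
    "AdNetwork": Vendor("AdNetwork", False, False),
    "HelpDesk": Vendor("HelpDesk", True, False),                 # incidental access, no BAA
}
# Vendors that contract directly with the covered entity.
FIRST_TIER = ["ClaimsCo", "MarketingSaaS", "HelpDesk"]


if __name__ == "__main__":
    for line in format_report(find_baa_gaps(INVENTORY, FIRST_TIER)):
        print(line)
```

Running the block lists four gaps: the third-tier log aggregator under CloudHost, the backup provider CloudHost names but the inventory has no record of, the first-tier print vendor, and the help desk that only sees PHI incidentally. The marketing vendor's subcontractor is not reported because no PHI reaches it. Swap the constructed inventory for an export from your own vendor register to use it on real data.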
FAQ
Who needs a BAA?
Any vendor that handles protected health information (PHI) on behalf of a Covered Entity. This includes cloud providers, billing services, IT vendors, contract analytics, and any subcontractor that touches PHI.
What is the difference between a BAA and a DPA?
A BAA is HIPAA-specific and governs PHI in the US healthcare system. A DPA (data processing agreement) is the controller-processor contract that GDPR Article 28 requires for personal data of EU residents, with a parallel under the UK GDPR. A vendor serving both populations can need both contracts, and neither substitutes for the other.
Are business associates directly liable under HIPAA?
Yes, since the HITECH Act (2009). Business associates can be fined directly by HHS Office for Civil Rights for HIPAA violations, in addition to whatever contractual remedies the Covered Entity has.
How long must I retain BAAs?
HIPAA requires retention for six years from the date of creation or the date last in effect, whichever is later. Most enterprises retain indefinitely as part of vendor records.
How does Vallor handle BAAs for healthcare customers?
Vallor identifies which vendors in the portfolio touch PHI, flags any without a current BAA, structures BAA terms for query, and monitors for changes that should trigger a BAA review.
Last updated: 2026-05-21. Part of Vallor's contract intelligence glossary.