A covered entity in the middle of a HIPAA compliance audit discovers that a billing platform and a patient scheduling tool, both systems that process protected health information (PHI) daily, were put in place years ago without executed contracts governing how that data could be used. The responsible party is not surprised that business associate agreements (BAAs) are required. They are surprised they never noticed the gap. In most cases, no one was ignoring the requirement intentionally; the business had simply grown faster than its compliance program.
This scenario is more common than most organizations expect, and it is becoming more consequential. The Office for Civil Rights (OCR) collected over $9.9 million in HIPAA settlements across 22 enforcement actions in 2024 alone, with business associate agreement deficiencies cited as a contributing factor in numerous cases. At the same time, organizations are introducing AI-powered tools into clinical and administrative workflows without a clear understanding of whether those vendors qualify as business associates. The first proposed update to the HIPAA Security Rule since 2013, published in the Federal Register on January 6, 2025, carries significant implications for how covered entities and business associates must structure and maintain their BAA programs. This post covers what a HIPAA business associate agreement requires, who needs one, what the current landscape means for your organization, and what we commonly find during HIPAA compliance audits.
What Is a HIPAA Business Associate Agreement & Who Needs One?
A HIPAA business associate agreement (BAA) is a legally required contract between a covered entity (such as a health plan, healthcare provider, or healthcare clearinghouse) and any vendor or individual that performs services on its behalf involving access to PHI. The regulatory foundation for BAA requirements sits at 45 CFR §§ 164.308, 164.314, 164.502, and 164.504, spanning the Privacy Rule, Security Rule, and Breach Notification Rule. Unlike a standard Non-Disclosure Agreement (NDA), which is a broad contract used to protect general confidential business information or trade secrets, a BAA is specifically designed to promote HIPAA compliance, mandating strict safeguards, breach reporting protocols, and federal liability that a standard NDA does not cover.
According to HHS guidance on business associates, a business associate (BA) is any person or organization that creates, receives, maintains, or transmits PHI when performing functions or services for a covered entity. Common examples include billing companies, electronic health record (EHR) vendors, cloud storage providers, IT support firms, and data analytics companies. Understanding the full scope of which entities qualify as business associates is the necessary starting point for any BAA program.
Which Vendors Don’t Require a HIPAA BAA?
Not every vendor that comes into contact with your systems requires a BAA. Members of your workforce are not business associates. Other covered entities exchanging PHI for treatment purposes generally do not require a BAA for that exchange. Vendors with only incidental access to PHI (such as a janitorial crew that might glimpse a printed report) typically fall outside the definition. The key question is whether the vendor is performing a function or service that involves PHI on the covered entity’s behalf.
The Subcontractor Chain: A Frequently Missed BAA Obligation
The BAA requirement does not end at the first tier. According to 45 CFR § 164.308(b)(4), a business associate must execute BAAs with any subcontractors who will create, receive, maintain, or transmit PHI on the BA’s behalf. This downstream chain is one of the most frequently overlooked aspects of BAA compliance, and it is addressed directly in the proposed Security Rule changes discussed later in this post.

What Must a HIPAA BAA Include?
A compliant BAA is more than a signature page. The HHS sample BAA provisions outline the mandatory elements, which fall into several categories.
- Permitted and Required Uses of PHI: The BAA must describe specifically how the business associate is permitted to use or disclose PHI and must confirm that the BA will not use or further disclose PHI beyond those defined purposes or as required by law. Vague language here is the most common BAA deficiency we encounter during HIPAA compliance audits.
- Appropriate Safeguards: The agreement must require the BA to implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. For electronic PHI (ePHI), this means the Security Rule’s requirements apply directly to the BA.
- Breach and Incident Reporting: The BAA must require the BA to report to the covered entity any use or disclosure of PHI not provided for under the contract, including any breaches of unsecured PHI as defined under the HIPAA Breach Notification Rule. Reporting timelines should be defined clearly in the contract.
- Patient Rights Support: The BA must support the covered entity in meeting its obligations to patients, including honoring HIPAA authorization requirements, responding to access requests, and providing accounting of disclosures.
- Termination and Return or Destruction of PHI: The BAA must specify what happens to PHI at the conclusion of the contract. The default requirement is that all PHI is returned to the covered entity or destroyed. If return or destruction is not feasible, the protections must continue in force.
- Right to Terminate: If the covered entity discovers a material breach of the BAA, the agreement must provide for the opportunity to cure the breach or terminate the contract.
Do AI Tools & Cloud Vendors Need a HIPAA BAA?
This is the question we hear most often. Healthcare organizations are adopting AI-powered transcription tools, clinical documentation assistants, scheduling platforms, and analytics dashboards at a rapid pace. The HIPAA analysis is straightforward: if a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity, it is a business associate, and a BAA is required before PHI can flow to that vendor.
General-purpose AI tools present a particular risk. Public versions of tools such as ChatGPT, Google Gemini, and similar consumer-facing platforms do not execute HIPAA BAAs. Inputting PHI into these platforms (patient names, diagnoses, appointment details, or anything that could identify an individual in connection with healthcare) is a HIPAA violation. The enterprise or API versions of some of these products do offer BAA arrangements, but the availability of a BAA is vendor- and product-specific. OpenAI, for example, makes a BAA available for qualifying API customers, but the agreement must be reviewed to confirm it explicitly addresses how patient data will or will not be used for model training.
Do Cloud Providers Need a HIPAA BAA?
Major cloud providers, including AWS, Microsoft Azure, and Google Cloud Platform, offer BAAs as part of their enterprise agreements. However, a signed BAA with AWS does not mean all AWS services are covered. Each provider maintains a list of HIPAA-eligible services. Any deployment of ePHI within a cloud environment should be confirmed against that list. For more on this topic, the HIPAA and HITRUST cloud compliance guide covers cloud-specific considerations in depth.
What to Look for in an AI Vendor’s BAA
When evaluating an AI vendor’s BAA, several clauses require close attention. The agreement should explicitly prohibit the vendor from using PHI to train, improve, or refine its AI models unless the covered entity has provided explicit authorization. It should disclose any sub-processors that will have access to the data and confirm that those sub-processors are also bound by HIPAA-equivalent obligations. Breach notification timelines should be clearly specified, and the BAA should address data deletion at contract termination. A vendor that declines to sign a BAA when PHI is involved is not a viable option under HIPAA.

How the Proposed 2025 HIPAA Security Rule Update Affects BAA Obligations
On January 6, 2025, the Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) proposing the most significant modifications to the HIPAA Security Rule since its original publication in 2003. The comment period closed March 7, 2025. As of this writing, a final rule has not yet been issued, though HHS has indicated one could be published in the summer of 2026.
The proposed changes carry direct implications for BAA programs.
- Annual Business Associate Verification: The NPRM proposes a requirement that business associates verify, at least once every twelve months, that they have deployed the technical safeguards required by the Security Rule. This verification must be performed by a subject-matter expert and documented in writing, with the BA certifying in writing that the analysis is accurate. This would represent a meaningful shift from the current approach, where BA security practices are largely self-attested.
- Mandatory Technical Controls: The proposal would convert several currently addressable specifications into required ones, including multifactor authentication (MFA), encryption of ePHI at rest and in transit, audit logging, and vulnerability scanning. These obligations would flow directly to business associates.
- 24-Hour Contingency Plan Notification: Business associates would be required to notify covered entities within 24 hours of activating a contingency plan, such as during a system outage or security incident. Current rules do not specify this timeline.
- BAA Transition Period: For covered entities and business associates that need to update existing BAA language to reflect the final rule’s requirements, the proposal provides a transition period extending one year beyond the rule’s effective date.
The practical takeaway for organizations today: even before the final rule is published, a review of existing BAAs to assess alignment with the proposed requirements is worthwhile. Contracts that do not address BA security verification, sub-processor controls, or incident notification timelines may need updating regardless. Adding an annual BAA review to your HIPAA risk assessment cycle is a concrete step you can take now. For an overview of how HIPAA compliance works more broadly, see our blog “What is HIPAA compliance?”
Common BAA Deficiencies We See During HIPAA Audits
When we conduct HIPAA compliance audits, the BAA program is one of the first areas we examine. The most persistent deficiencies we observe are consistent across organizations of varying sizes and sectors.
- Vague Scope: The most common finding is a BAA that is technically present but functionally weak because the permitted uses of PHI are described in broad, generic terms. Language such as “business associate may use PHI as necessary to perform services” provides little actual constraint and leaves significant ambiguity if a dispute or investigation arises. Specificity matters: the BAA should describe the actual services being performed, the categories of PHI involved, and the purposes for which the BA is permitted to use that data.
- Missing BAAs with Active Vendors: Organizations often have a solid BAA process for new vendor onboarding, but miss vendors that were engaged before a formal process was in place, or vendors added informally at the department level. A complete inventory of all vendors with access to PHI, cross-referenced against executed BAAs, is the only reliable way to identify gaps. The HIPAA gap analysis post covers this and other common compliance gaps.
- Stale BAAs That Have Never Been Updated: A BAA signed in 2018 may not address cloud storage, AI tools, or sub-processor notification requirements that are now relevant. Contracts should be reviewed whenever services change, new subcontractors are introduced, or regulations are updated.
- No Subcontractor Flow-Down: As noted above, business associates are required to execute BAAs with their own subcontractors. In practice, covered entities frequently do not verify whether this downstream chain exists.
- Missing Termination Clauses: Some BAAs omit clear provisions for what happens to PHI when the contract ends. Absent explicit language, covered entities may have no contractual basis to demand the return or destruction of PHI in a vendor’s possession.

Building a HIPAA BAA Program That Holds Up to Scrutiny
Maintaining a HIPAA BAA program that holds up under scrutiny requires more than a one-time signature. The following considerations reflect what we observe in well-run compliance programs.
- Maintain a BAA Inventory: Every vendor that creates, receives, maintains, or transmits PHI on the organization’s behalf should appear in a centralized inventory that tracks the vendor name, services performed, BAA execution date, next review date, and the individual responsible for managing the relationship.
- Schedule Annual BAA Reviews: BAAs should be reviewed at least once per year and whenever vendor services change, a vendor introduces new sub-processors, or there is a material regulatory update. The proposed annual verification requirement in the 2025 NPRM reflects what well-managed programs already do in practice.
- Use the HHS Template as a Baseline, Not a Final Product: The HHS sample BAA provisions are a useful starting point, but they should be tailored to reflect the actual services being performed, the specific PHI involved, and any organization-specific requirements. Legal counsel should review BAAs, particularly for vendors handling large volumes of sensitive data.
- Integrate BA Risk Into Your Overall HIPAA Risk Analysis: Business associates represent a significant portion of the attack surface for most covered entities. Your IT risk assessment should account for BA relationships, and high-risk vendors should be subject to more rigorous security review. For SaaS vendors that serve as business associates, a thorough review of security controls is particularly important.
- Do Not Conflate HITRUST with HIPAA Compliance: Some organizations assume that a BA holding HITRUST certification is automatically HIPAA-compliant or that HITRUST replaces the BAA requirement. It does not. HITRUST vs. HIPAA covers the distinction in detail. A BAA is still required regardless of a vendor’s certification status.
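The inventory described above, and the cross-reference against executed BAAs recommended in the audit findings, can be reduced to a repeatable check. The following is an added example (not code from the original post or from Linford & Company) that reconciles a vendor inventory against the BAA record: it flags PHI vendors with no BAA on file, BAAs past the annual review interval, business associates whose subcontractor flow-down has not been confirmed, and relationships with no named owner. The vendor names, dates, and field layout are constructed assumptions for illustration.

```python
"""Reconcile a vendor inventory against executed BAAs.

Added example, not code from the original post. All vendor names and
dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cadence the post recommends: at least once per year.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    services: str
    handles_phi: bool              # creates/receives/maintains/transmits PHI?
    baa_executed: Optional[date]   # None means no executed BAA on file
    last_reviewed: Optional[date]  # None means never reviewed since execution
    flowdown_confirmed: bool       # BA has confirmed BAAs with its own subcontractors
    owner: str                     # individual responsible for the relationship


def reconcile(vendors, as_of):
    """Return (vendor name, finding) tuples for every gap in the inventory."""
    findings = []
    for v in vendors:
        if not v.handles_phi:
            continue  # incidental access only: no BAA required
        if v.baa_executed is None:
            findings.append((v.name, "MISSING_BAA"))
            continue  # nothing further to check on a contract that does not exist
        # A BAA that has never been reviewed is measured from its execution date.
        last_touch = v.last_reviewed or v.baa_executed
        if as_of - last_touch > REVIEW_INTERVAL:
            findings.append((v.name, "REVIEW_OVERDUE"))
        if not v.flowdown_confirmed:
            findings.append((v.name, "FLOWDOWN_UNVERIFIED"))
        if not v.owner:
            findings.append((v.name, "NO_OWNER"))
    return findings


# Constructed sample inventory (hypothetical vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("ExampleBilling", "claims processing", True, None, None, False, "A. Rivera"),
    Vendor("ExampleScheduler", "patient scheduling", True, date(2018, 3, 1), None, True, "A. Rivera"),
    Vendor("ExampleCloud", "hosting for ePHI", True, date(2025, 1, 20), date(2025, 9, 15), True, "B. Chen"),
    Vendor("ExampleJanitorial", "facilities cleaning", False, None, None, False, ""),
]

# Date the check is run (constructed; matches the post's update date).
AS_OF = date(2026, 4, 8)

if __name__ == "__main__":
    for vendor, finding in reconcile(SAMPLE_VENDORS, AS_OF):
        print(f"{vendor:20} {finding}")
```

Run as-is, the check reports the billing vendor with no BAA and the 2018 scheduling BAA that has never been reviewed; the cloud vendor passes and the janitorial vendor is skipped because it has only incidental access. The same structure extends naturally to the other inventory fields the post lists, such as services performed and next review date.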
A HIPAA compliance audit evaluates whether your BAA program, alongside all other administrative, physical, and technical safeguards, meets the requirements of the Security, Privacy, and Breach Notification Rules. For organizations that have never had an independent review of their program, or whose last review predates significant changes to their vendor landscape, an audit provides both a compliance assessment and a practical roadmap for remediation.

HIPAA BAA Questions We Hear Most Often
These are some of the most common questions we receive from clients regarding HIPAA business associate agreements.
What Happens if I Do Not Have a BAA with a Business Associate?
Operating without a required BAA is a violation of HIPAA, regardless of whether a breach occurs. The OCR can assess civil monetary penalties ranging from $141 per violation to over $71,000 per violation, depending on culpability, with annual caps reaching into the millions. In practice, missing BAAs frequently surface during breach investigations and OCR audits, compounding the original compliance deficiency with documented evidence of a systemic gap in the organization’s program.
Can I Use the HHS Sample BAA As-Is?
The HHS sample BAA provisions are a solid framework, but they are not a complete, ready-to-sign agreement. They require customization to address the specific services being performed, the particular categories of PHI involved, and jurisdiction-specific legal requirements. Using the sample language verbatim may leave important gaps, particularly around sub-processor obligations, breach notification timelines, and AI or cloud-specific data handling provisions.
Does My EHR Vendor Automatically Have a BAA in Place with Me?
Most major EHR vendors include BAA language in their standard contracts or offer a BAA as part of the customer agreement process. However, “automatically” is not the right assumption. You should verify that a signed BAA is on file, that it covers the specific services and data flows in your implementation, and that it has been updated to reflect any changes in services or sub-processors since it was originally signed.
Do I Need a BAA with My Email Provider?
It depends on whether PHI flows through the email platform. If your staff routinely sends messages containing PHI using a third-party email service, that provider likely qualifies as a business associate, and a BAA is required. Major providers such as Microsoft (for Microsoft 365 in healthcare) and Google (for Google Workspace) offer HIPAA BAAs. Standard consumer email services do not. Encrypted email services purpose-built for healthcare typically include a BAA as part of the product offering.
Do BAAs Expire & How Often Should They Be Updated?
BAAs do not have a statutory expiration date, but at a minimum, they should be reviewed annually. They should also be updated whenever the vendor begins performing new services involving PHI, introduces new sub-processors, or when a regulatory change creates new BAA requirements. The proposed 2025 NPRM, if finalized, would create explicit new obligations around annual verification that existing BAA language may not address.
Is a Subcontractor of a Business Associate Also a Business Associate?
Yes. Under 45 CFR § 164.308(b)(4), if a business associate engages a subcontractor to perform services that involve PHI, that subcontractor is also a business associate and is subject to HIPAA’s requirements. The BA is responsible for obtaining a BAA from its subcontractors. Covered entities should ask their business associates to confirm that downstream BAAs are in place, particularly for cloud infrastructure providers and any third-party processors handling ePHI.
BAA Compliance Is a Program, Not a One-Time Checkbox
The HIPAA business associate agreement is one of the more straightforward compliance requirements in theory and one of the more frequently deficient in practice. The gap is rarely intentional. It reflects the pace at which healthcare organizations adopt new vendors, the assumption that a vendor’s general contract covers HIPAA obligations, and the absence of a systematic review process. The current regulatory environment adds new complexity: AI tools that blur the line between productivity software and covered functionality, cloud deployments that span multiple HIPAA-eligible and non-eligible services, and a proposed Security Rule update that will eventually require updated BAA language and formal annual verification of BA security controls.
The organizations that handle this well share a common trait: they treat BAA management as a continuous program, not a one-time legal exercise. A vendor inventory, an annual review cycle, and clear internal ownership of the BA relationship are the practical foundation. What the proposed NPRM adds is a formalization of BA accountability that the strongest programs already reflect in their day-to-day operations.
Work with a HIPAA Compliance Audit Team That Has Seen the Gaps Firsthand
If your organization needs an independent assessment of its HIPAA compliance program, including a review of BAA coverage, subcontractor obligations, and alignment with the proposed Security Rule changes, Linford & Company offers HIPAA compliance audits and assessments conducted under AT-C Section 315 by experienced IT audit professionals. If you are a SaaS vendor or cloud provider operating as a business associate and need to understand your obligations under HIPAA, our team can help you assess your current controls and identify areas for remediation.
If you have questions about your BAA program or would like to discuss a HIPAA engagement, please feel free to contact John directly. He is happy to answer your questions and help you build a compliance program that holds up under scrutiny.
This article was originally published on 12/6/2017 and was updated on 4/8/2026.
