
What Is a Business Associate Agreement (BAA) and Why Your Organization Needs One





If your healthcare organization works with any third-party vendors who touch patient data, you need to understand the Business Associate Agreement (BAA). It is not optional. Under HIPAA, failing to have a BAA in place with the right vendors can result in fines reaching $1.5 million per year, damage to your reputation, and legal liability that your organization cannot afford to ignore.


This guide breaks down exactly what a BAA is, who needs one, what it must contain, and how modern tools like text messaging platforms fit into the picture. Whether you are a healthcare provider, a practice manager, or a software vendor working with healthcare clients, this is what you need to know.



The Simple Definition of a Business Associate Agreement



Diagram showing how a BAA connects covered entities, business associates, and subcontractors under HIPAA


A Business Associate Agreement (BAA) is a legally binding contract between a HIPAA-covered entity and a business associate. It establishes the rules for how the business associate can use, handle, and protect Protected Health Information (PHI) that the covered entity shares with them.


In plain language: if your healthcare organization shares patient data with a third party in order to get a service done, you need a written agreement spelling out how that third party will keep that data safe.


The BAA defines:


  • What the business associate is and is not allowed to do with PHI

  • What safeguards they must have in place

  • How they must respond to a data breach

  • What happens to PHI when the relationship ends


BAA vs Business Associate Contract: Are They the Same Thing?


Yes. The terms Business Associate Agreement (BAA), Business Associate Contract (BAC), and Business Associate Addendum are all used interchangeably in the industry. They refer to the same type of legally required document under HIPAA. The most commonly used term is BAA.



Why HIPAA Requires a BAA


The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, created the framework for protecting patient health information in the United States. The HIPAA Privacy Rule, which took effect in 2003, specifically required covered entities to obtain written assurances from any third party handling PHI on their behalf.


This requirement was significantly strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which made business associates directly liable under HIPAA, not just the covered entity.


The History Behind the BAA Requirement


Before the HITECH Act, covered entities would often share PHI with business associates based on nothing more than a verbal assurance that data would be kept safe. If a data breach occurred due to a vendor's negligence, the covered entity could sometimes escape penalties by pointing to those verbal assurances.


The BAA requirement closed that loophole. Now, both covered entities and business associates can be audited, fined, and held directly accountable by the HHS Office for Civil Rights (OCR).


What Happens If You Do Not Have a BAA


The consequences of missing a BAA are serious. The HHS OCR has issued financial penalties to numerous organizations specifically for BAA failures. Some notable examples include:


  • $2,700,000 - Oregon Health and Science University (2016)

  • $2,175,000 - Sentara Hospitals (2019)

  • $1,550,000 - North Memorial Health Care of Minnesota (2016)

  • $1,500,000 - Athens Orthopedic Clinic PA (2020)

  • $500,000 - Advanced Care Hospitalists (2018)

  • $240,000 - Providence Medical Institute (2024)


These penalties were issued either because no BAA was in place at all, or because the BAA in place was incomplete or outdated. In several cases the BAA failure was the sole reason for the penalty; no data breach was even required.



Table showing HIPAA financial penalties for missing or incomplete Business Associate Agreements


Who Is a Covered Entity Under HIPAA


Under HIPAA, a covered entity is any organization that electronically transmits health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.


Types of Covered Entities


There are three main types:


  • Health Plans: Health insurance companies, HMOs, company health plans, and government programs such as Medicare and Medicaid.

  • Healthcare Clearinghouses: Organizations that process nonstandard health information and convert it into a standard format. This includes billing services, repricing companies, and community health information systems.

  • Healthcare Providers: Any provider that transmits health information electronically in connection with covered transactions. This includes doctors, clinics, dentists, psychologists, chiropractors, nursing homes, and pharmacies.


A hybrid entity, such as a university with an academic medical center, may also qualify as a covered entity for the portions of its operations that conduct covered transactions.


If your organization falls into any of these categories, you are responsible for ensuring that every vendor you work with who touches PHI has signed a BAA with you.



Who Qualifies as a Business Associate


A business associate is any person or organization that performs a service for or on behalf of a covered entity, where that service involves creating, receiving, maintaining, or transmitting PHI. The key factor is access to PHI, not whether the organization is formally part of the healthcare industry.


Common Business Associate Examples


Almost any vendor could qualify as a business associate if PHI passes through their systems. Common examples include:


  • IT service providers and managed service providers (MSPs) who access your systems

  • Medical billing companies and third-party administrators

  • Cloud storage providers that store patient records

  • Email and messaging platforms used to communicate PHI

  • Electronic health record (EHR) software vendors

  • Medical transcription services

  • Law firms and accounting firms that access patient data

  • Practice management software providers

  • SMS and text messaging platforms used in patient communication


Who Is NOT a Business Associate


Not every vendor requires a BAA. Exclusions include:


  • Employees of the covered entity (they are covered by workforce policies, not BAAs)

  • Healthcare providers who receive PHI for treatment purposes (a hospital referring a patient to a specialist, for example)

  • Conduit services that only briefly transmit PHI without storing it (such as a postal service delivering physical mail)

  • Organizations performing services unrelated to covered transactions, such as a landscaping company


The distinction can be subtle. A financial institution processing a one-time payment is generally not a business associate. But a software platform where PHI is stored persistently, even if encrypted, almost certainly is.


The Subcontractor Rule


Here is something many organizations overlook: the BAA requirement flows downstream through the entire vendor chain.


If your business associate uses a subcontractor to perform part of the service, and that subcontractor will have access to PHI, then the business associate must have a separate BAA with that subcontractor as well. The subcontractor is treated as a downstream business associate and is directly liable under HIPAA.


You, as the covered entity, are responsible for confirming that your business associates have these downstream agreements in place. If they do not, that is a compliance gap that can be traced back to you.



What Must a Business Associate Agreement Include



Checklist of required elements in a HIPAA Business Associate Agreement


A BAA is not just any contract. HIPAA specifies the elements it must contain in order to be compliant.


Required Elements of a BAA


  • Permitted and required uses of PHI: The BAA must describe exactly what the business associate is allowed to do with PHI and what they are required to do.

  • Prohibition on unauthorized use: The business associate must agree not to use or disclose PHI in any way not permitted by the agreement or required by law.

  • Appropriate safeguards: The business associate must implement technical, physical, and administrative safeguards as required by the HIPAA Security Rule.

  • Breach reporting obligations: The BAA must require the business associate to report any breach or unauthorized use of PHI to the covered entity, typically within 60 days of discovery.

  • Subcontractor agreements: The BAA must require the business associate to ensure that any of their subcontractors who access PHI agree to the same restrictions.

  • Access and amendment rights: The business associate must support the covered entity in meeting patients' rights to access, amend, and receive an accounting of disclosures of their PHI.

  • Return or destruction of PHI: Upon termination of the agreement, the business associate must return or destroy all PHI received from or on behalf of the covered entity.

  • Termination clause: The covered entity must have the right to terminate the agreement if the business associate violates any material term.


Optional Clauses Worth Adding


Beyond the required elements, covered entities often add optional provisions to strengthen protection:


  • A right-to-audit clause that lets you monitor the business associate's HIPAA compliance

  • An indemnification clause that holds each party financially responsible for their own failures

  • Requirements for specific security measures beyond HIPAA's minimums, such as two-factor authentication

  • Expiration dates to force regular review and renewal of the agreement

  • State-specific privacy law requirements that may go beyond federal HIPAA standards



BAA vs NDA: Understanding the Difference



Comparison chart showing the differences between a Business Associate Agreement and a Non-Disclosure Agreement


A Non-Disclosure Agreement (NDA) and a Business Associate Agreement are not interchangeable, and having one does not replace the need for the other.


An NDA is a general contract that protects any confidential business information you define: trade secrets, pricing, marketing plans, and similar data. It is based on general contract law and can be tailored to any kind of business relationship.


A BAA is a very specific, federally mandated contract under HIPAA that exists for one purpose: protecting PHI. Its terms, required provisions, and consequences are all governed by federal law.


The penalties are also dramatically different. Breaching an NDA results in civil liability under contract law. Violating a BAA can result in HIPAA penalties, which can reach millions of dollars, plus potential criminal charges for intentional violations.


In practice, you may need both an NDA and a BAA with the same vendor. The NDA covers general business confidentiality, while the BAA specifically covers PHI. Do not assume one covers the other.



Does Your Text Messaging Platform Need a BAA


This is a question that many healthcare organizations miss entirely — and it is becoming increasingly important as more providers adopt digital communication tools.


SMS Platforms as Business Associates


If your healthcare organization uses a text messaging or SMS platform to communicate with patients, schedule appointments, send appointment reminders, or share any health-related information, that platform is almost certainly a business associate.


Why? Because the text messages pass through the platform's servers. Even if the content is encrypted, the platform has what HIPAA calls "persistent access" to PHI. This is the same standard applied to cloud storage providers and email platforms.


Under this definition, your SMS provider is a business associate, and you are required to have a BAA in place with them before using the platform to communicate any PHI.


This is not a gray area. The HHS has clarified that cloud service providers and software vendors that create, receive, maintain, or transmit ePHI — even in an encrypted form — are business associates and must sign a BAA.


Healthcare organizations that use consumer-grade SMS apps, basic email tools, or any communication platform without a signed BAA are in violation of HIPAA, even if no breach ever occurs.


Falkon SMS Is HIPAA-Compliant and Includes a BAA



Falkon SMS HIPAA compliant texting platform for healthcare providers


If your practice is looking for a HIPAA-compliant text messaging solution, Falkon SMS is built for exactly that need. Falkon SMS is a HIPAA-compliant business texting platform that offers a BAA plan for healthcare providers and other covered entities.


With Falkon SMS, you can text patients using your existing business or landline number, send appointment reminders, handle two-way conversations, and manage patient communication, all within a framework designed to protect PHI and meet HIPAA requirements.


Having a BAA in place with your SMS provider is not just a compliance checkbox. It is a foundational protection for your patients and your organization. Falkon SMS makes it straightforward by offering the BAA as part of its healthcare-specific plan.



Get started with HIPAA-compliant texting.


Falkon SMS offers a BAA plan for healthcare providers. Start your free trial today.




Common BAA Compliance Mistakes to Avoid


Even organizations that know they need BAAs often make errors that create compliance exposure. Here are the most frequent mistakes:


  • Not having a BAA at all: Some organizations simply do not realize that a specific vendor qualifies as a business associate. Every vendor relationship involving PHI requires a BAA, with no exceptions.

  • Using an outdated template: HIPAA requirements have evolved significantly since 2003, particularly after the HITECH Act in 2009 and the HIPAA Omnibus Rule in 2013. Templates that predate these changes may be missing required provisions.

  • Ignoring the subcontractor chain: Your business associate may use subcontractors who also access PHI. Your BAA must address this, and you need assurance that downstream agreements exist.

  • Vague language around permitted uses: Ambiguity in the BAA creates risk. The more specific you are about what the business associate can and cannot do with PHI, the better protected you are.

  • Assuming a signed BAA means full compliance: A signed BAA is a starting point, not a guarantee. You are still responsible for conducting due diligence on your business associates and monitoring their ongoing compliance.

  • Not updating BAAs when services change: If the scope of a vendor's services changes, the BAA should be reviewed and updated to reflect the new arrangement.

  • Requiring every vendor to sign a BAA: The flip side also applies. Requiring a BAA from vendors who do not qualify as business associates (such as landscapers or couriers) creates unnecessary administrative work and can muddy the legal picture.


How Often Should You Review Your BAA


HIPAA does not set an expiration date for BAAs, which means an agreement can technically remain in force indefinitely. However, best practice is to review all BAAs at least annually.


During your review, you should:


  • Confirm that the scope of services described in the BAA still matches what the vendor actually does

  • Check for any changes to HIPAA regulations or applicable state laws

  • Verify that the business associate has updated policies and procedures in place

  • Request a copy of the business associate's most recent risk assessment

  • Confirm that all subcontractor agreements are still current


Any time a vendor changes the services they provide, onboards new subcontractors who may access PHI, or when there is a significant change in applicable law, the BAA should be revisited and amended as needed.



Frequently Asked Questions About BAA


Is a BAA required by law?


Yes. A Business Associate Agreement is legally required under HIPAA. Any covered entity that shares PHI with a business associate must have a BAA in place before doing so. There are no exceptions for small organizations or informal arrangements.


What happens if you don't have a BAA?


Failing to have a BAA when one is required is a HIPAA violation. The HHS Office for Civil Rights can issue financial penalties ranging from $100 per violation for unknowing violations up to $50,000 per violation for willful neglect. Annual penalties for a single violation category can reach $1.5 million.


Can a covered entity be a business associate?


Yes. A covered entity can serve as a business associate to another covered entity. For example, if a hospital contracts with another healthcare provider to perform a service that involves sharing PHI, the second provider may need to sign a BAA for that specific arrangement.


Does a text messaging platform need to sign a BAA?


Yes, in most cases. If a text messaging platform creates, receives, maintains, or transmits PHI on behalf of a covered entity, it is a business associate and must sign a BAA before being used for any PHI-related communication. HIPAA-compliant platforms like Falkon SMS offer a BAA as part of their healthcare plans.


How is a BAA different from a standard vendor contract?


A standard vendor contract covers general business terms such as pricing, service levels, and liability. A BAA is a federally mandated, HIPAA-specific document that must include specific provisions related to PHI protection. You may need both for the same vendor relationship.


What must be included in a business associate agreement?


At minimum, a BAA must describe permitted uses of PHI, prohibit unauthorized disclosures, require appropriate safeguards, mandate breach reporting, address subcontractor agreements, support patient rights, provide for return or destruction of PHI at termination, and include a termination clause for non-compliance.


Does a BAA need to be updated?


Yes. While BAAs do not technically expire, they should be reviewed at least annually and updated any time the scope of services changes, new HIPAA regulations take effect, or subcontractors are added.


What is the minimum necessary rule?


The HIPAA minimum necessary standard requires that both covered entities and business associates use, disclose, and request only the minimum amount of PHI needed to accomplish the task at hand. This principle applies to both the covered entity and the business associate, and should be reflected in the terms of the BAA.



Conclusion


A Business Associate Agreement is not a formality or a piece of administrative paperwork to tick off a list. It is a core pillar of HIPAA compliance and patient data protection. It establishes who is responsible for PHI at every stage of your vendor relationships, defines the rules for handling sensitive health information, and creates a legal framework that protects your organization in the event of a breach.


For healthcare organizations operating today, the range of potential business associates has expanded well beyond billing companies and IT providers. Any platform your team uses to communicate with patients — including text messaging platforms — may qualify as a business associate requiring a signed BAA.


Falkon SMS is a HIPAA-compliant texting solution designed for healthcare providers who need secure, reliable patient communication with the proper safeguards and a BAA available for covered entities. If your organization is using or considering SMS for patient outreach, make sure your platform can back it up with a compliant BAA.



Ready to protect your patients and your practice?


Explore how Falkon SMS makes HIPAA-compliant texting simple with a BAA available for covered entities.


