If The Pitt has taught us anything, it’s that making life-saving decisions is only half the battle. The other half is managing the sensitive data that follows. At the heart of this effort is the Health Insurance Portability and Accountability Act (HIPAA), a legal framework designed to keep patient data safe.
The stakes have never been higher. According to a recent report from IBM, healthcare data breaches cost an average of $7.42 million per incident, with over 9,200 recorded cases. Even more concerning is that business associates now account for nearly 36% of all reported HIPAA breaches, leading to massive financial losses and reputational damage.
That’s why a HIPAA Business Associate Agreement (BAA) is indispensable for any partnership between a healthcare provider and its vendors. A BAA is a vendor’s legal promise to maintain HIPAA compliance on your behalf.
This guide explains what a BAA is, why it is important for the safety of Protected Health Information (PHI), and the essential components required for each agreement.
What is a HIPAA BAA?
A HIPAA Business Associate Agreement (BAA) is a mandatory legal contract between a covered entity, such as a clinic, hospital, or health plan, and a third-party vendor (business associate) that handles Protected Health Information (PHI).
Under the HIPAA Security Rule, both parties are legally responsible for protecting that data. Specifically, a BAA:
Enforces compliance. It ensures that all third-party vendors handling PHI comply with HIPAA.
Limits PHI usage. It explicitly outlines the permitted uses of PHI and obligates the business associate to never handle data beyond its intended scope.
Mitigates risks. It protects both parties from the massive federal fines and legal exposure.
When do you need a HIPAA Business Associate Agreement?
A HIPAA Business Associate Agreement (BAA) is legally required whenever a covered entity hires a third party to perform services that involve the creation, receipt, maintenance, or transmission of PHI. Even if the service provider doesn’t “read” PHI, their access to the storage or transmission of that data makes the agreement mandatory.
To help you identify potential gaps in your compliance strategy, here are the most common service providers that require a BAA:
Cloud storage providers
IT service providers
Medical billing services
Electronic health record (EHR) systems
Legal and financial counsel
Transcription services
Document shredding services
Claim processing companies
Health benefits management
Exceptions: when a BAA is not needed
There are specific scenarios where a BAA is not legally mandated:
Treatment exchanges
Communication between two covered entities for the purpose of patient care.
For example, a specialist and a primary care physician can share a patient’s medical history to coordinate a treatment plan together without needing a BAA.
“Conduit” services
Data transporters that merely transmit PHI, without ever storing or accessing it, are generally exempt from BAAs.
For instance, the US Postal Service, private couriers like FedEx, and internet service providers (ISPs) are considered “conduits” because they carry PHI from one party to another without accessing, storing, or viewing its content.
Treatment, payment, and operations (TPO)
Certain provider referrals falling under TPO allow for PHI sharing without an additional agreement.
A common example is when a doctor’s office provides a patient’s insurance information to a laboratory to ensure the laboratory can process payment for a blood test.
The 10 key elements of a HIPAA-compliant Business Associate Agreement
To be legally valid, a BAA must include these specific clauses required by the HHS.
1. Permitted uses and disclosures of PHI
A BAA must clearly define how a vendor handles PHI. For instance, a password manager like NordPass uses data solely to facilitate secure access—never for marketing or external resale.
Usage limits ensure that business associates cannot disclose PHI beyond the specific terms of the contract, unless required by law.
2. Administrative, physical, and technical safeguards
The Security Rule requires covered entities and business associates to implement safeguards that allow only authorized persons to access PHI. These safeguards fall into three categories:
Administrative safeguards, such as policies, training, and audits.
Physical safeguards like secure facilities and locked access.
Technical safeguards, such as audit logs, strong encryption like XChaCha20, user authentication, and access controls.
3. Breach notification
The Business Associate Agreement should define what constitutes a breach. For example, it should treat as a breach any case in which an unauthorized user gains access to your password manager and views credentials that unlock a database containing PHI.
The timeline for reporting the breach and the person responsible for notification should also be included in the BAA.
If the breach affects fewer than 500 people, you don’t have to report it immediately: you can keep a log and notify the HHS once a year, within 60 days of the end of the calendar year. If the breach affects more than 500 people, you must notify not only the HHS but also the media.
4. Supporting patient rights
Business associates must assist healthcare providers in fulfilling patient rights. This includes:
Viewing medical records
Correcting errors
Providing disclosures (a clear history of how their data has been shared)
6. HHS access for audits
A valid Business Associate Agreement should state that the Department of Health and Human Services (HHS) holds the right to audit the vendor’s security practices and PHI records. This guarantees transparency and accountability for both healthcare providers and third parties.
7. PHI return or destruction upon termination of the BAA
When a contract ends, the vendor can’t just keep the data. They must either return all PHI to the provider or securely destroy it according to HIPAA guidelines. This prevents sensitive information from being abandoned or stored after the contract terminates.
8. Vetting the whole chain (subcontractors)
If your vendor uses other partners (subcontractors)—like a cloud hosting provider—that also handle PHI, those partners must also sign their own BAAs. This approach ensures the safety of PHI at every level.
9. The right to terminate
Healthcare providers must have the right to end the partnership immediately if the vendor violates HIPAA. This prevents providers from being legally tied to a noncompliant partner.
10. Liability and enforcement
A strong BAA defines exactly who is financially responsible if a data breach occurs. This often includes requirements for indemnification, which ensure the party at fault covers the costs of resolving the incident and notifying patients.
5 reasons why your business needs a Business Associate Agreement (BAA)
One of the benefits of a BAA is avoiding high regulatory fines. However, that’s not the only benefit. Even with the best technology, if you don’t sign the contract, your organization will still be noncompliant under HIPAA.
Here is why your organization needs a Business Associate Agreement:
1. Ensuring HIPAA compliance
Failing to have a signed BAA is a direct violation of both the HIPAA Privacy and Security Rules. The Office for Civil Rights (OCR), which is the HIPAA enforcement agency, can impose civil monetary penalties of up to $1.5 million per violation category per year.
2. Stopping data breaches
By setting high security standards defined in a Business Associate Agreement, you can lower the risk of a costly, widespread data breach. A BAA should cover:
Specific protocols for sharing data to minimize the risks of exposure
HIPAA-compliant methods for storing all data
The use of encryption and firewalls to keep attackers out
Dos and don’ts for handling PHI
3. Clear liability protection
A BAA describes the scope of responsibility and ensures that if a vendor is negligent, the legal and financial liability is clearly attributed to them rather than your organization.
4. Building client and stakeholder trust
A Business Associate Agreement sends a clear signal to your clients and stakeholders that you take safeguarding PHI seriously.
By offering a BAA, you can:
Attract customers who value security and privacy
Boost your reputation
Gain a competitive edge in sectors where breaches are common
5. Incident response
The BAA defines how both parties must collaborate to contain damage and notify affected individuals during a crisis. An effective incident response plan (IRP) must also include an investigation of the incident, mitigation of its harmful effects, and documentation of the incident to ensure HIPAA compliance.
Why a Business Associate Agreement is mandatory for your password manager
Cloud-based password managers are the central entry point for systems containing PHI. If an employee stores an EHR system login in a tool that lacks a signed Business Associate Agreement, the organization is in violation of HIPAA.
Using a password manager without a BAA creates dangerous gaps:
Without a BAA, the provider has no legal requirement to follow specific HIPAA breach notification timelines or undergo required security audits.
A BAA serves as the vendor’s legal promise to maintain specific safeguards like audit logs, automatic logoffs, and unique user identifications.
Credential managers like NordPass use advanced algorithms, such as XChaCha20, to encrypt vaults, which eliminates the risks associated with shared passwords and unauthorized access.
Secure your signed Business Associate Agreement with NordPass
NordPass offers a signed BAA for all customers on annual plans to ensure their organization is protected from day one.
Signed BAAs are available for both Business and Enterprise yearly plans.
Contact the NordPass sales or support team during your annual plan onboarding.
The team will initiate the signing process to ensure your sensitive credentials and access points remain protected and HIPAA-compliant.
Contact us today to secure your workflow.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk, and consider consulting a licensed professional for legal matters. Content may not be up to date or applicable to your jurisdiction and is subject to change without notice.