Do I need a BAA?
Answer a few quick questions and find out if you're a business associate, or if you need a signed BAA with a vendor. See your answer free, no sign-up needed.
These questions are about your organization, not patients. Please don't enter patient information (PHI).
Tool
Common questions about business associates and BAAs
What is a HIPAA business associate?
A business associate is a person or company that creates, receives, maintains, or transmits patient information (PHI) on behalf of a covered entity. A covered entity is a healthcare provider, health plan, or clearinghouse. Common examples include billing companies, IT and cloud vendors, shredding services, and consultants who touch PHI to do their work. If your work involves PHI for a covered entity, you may fall under HIPAA as a business associate.
Do I need a business associate agreement (BAA)?
You generally need a signed BAA whenever a vendor will handle PHI on your behalf, or whenever you handle PHI for someone else. The BAA is a written contract that sets out how each side protects PHI and what happens if there's a breach. Covered entities sign BAAs with their vendors, and business associates sign BAAs with their own subcontractors who touch PHI. If no PHI changes hands, a BAA usually isn't required.
What is the difference between a covered entity and a business associate?
A covered entity delivers or pays for healthcare directly, while a business associate works for a covered entity and handles PHI to do so. Covered entities are healthcare providers, health plans, and clearinghouses. Business associates are the outside vendors and service providers they rely on. Both have HIPAA obligations, but the rules apply a little differently to each role.
Is a cloud or IT vendor automatically a business associate?
It depends on whether the vendor actually creates, receives, maintains, or transmits PHI for you. A vendor that stores or processes PHI is usually a business associate and should sign a BAA. A vendor that only moves PHI from point to point with brief, incidental access and never stores it may qualify as a "mere conduit," which is a narrow exception. If the vendor stores PHI, the conduit exception generally does not apply.
What happens if I handle PHI without a signed BAA?
Handling PHI without a required BAA is a common HIPAA gap that can expose both sides to enforcement risk. Without a BAA, there's no written agreement spelling out safeguards or breach responsibilities, which regulators look for. The practical fix is to identify every vendor that touches PHI, get a signed BAA in place before sharing PHI, and keep your own subcontractor BAAs current too. This is general guidance, not legal advice.