BAA (Business Associate Agreement)

HIPAA

HIPAA contract between a covered entity and a business associate handling PHI; mandatory under 45 CFR §164.504(e).

A Business Associate Agreement is a HIPAA-required contract between a covered entity (or another business associate) and a business associate, establishing the permitted uses and disclosures of PHI and the safeguards the BA must apply.

Why it matters
Providing services that involve PHI without a signed BAA is a per se HIPAA violation, regardless of any actual breach.

Related terms

HIPAA
US law protecting PHI; Privacy, Security, and Breach Notification Rules apply to covered entities and business associates.
PHI (Protected Health Information)
Individually identifiable health information held or transmitted by a HIPAA covered entity or business associate.
ePHI
PHI in electronic form — the scope of the HIPAA Security Rule (45 CFR §164.302–318).