
HIPAA · Business Associate Agreements

HIPAA BAA Guide
Requirements & Best Practices

A Business Associate Agreement (BAA) is a contract required by HIPAA between a Covered Entity and any third party that will create, receive, maintain, or transmit PHI on their behalf.

Required clauses are defined at 45 CFR 164.504(e) — and a BAA is a contract, not a certificate: HIPAA has no official certification.

10 required BAA clauses · 4 cloud provider BAAs compared · 500+ audits delivered

45 CFR 164.504(e) · U.S. Dept. of Health & Human Services (OCR) · Last reviewed June 2026

Direct Answer

A Business Associate Agreement (BAA) is the HIPAA-required written contract that must be in place before a covered entity shares PHI with a vendor — or before a business associate shares PHI with a subcontractor — that handles that data on its behalf. The required clauses are defined at 45 CFR 164.504(e) by the HHS Office for Civil Rights (hhs.gov/hipaa). For Indian IT, BPO, and SaaS firms serving US healthcare clients, signing a BAA is mandatory because they are business associates handling US PHI — but a BAA is a contract, not a certificate: HIPAA has no official certification.

Definitions

What is a Business Associate?

A Business Associate is any person or entity that performs functions or activities involving PHI on behalf of a Covered Entity. This includes:

  • IT service providers and cloud hosts
  • Medical billing companies
  • Claims processors
  • Practice management consultants
  • Data analytics vendors
  • EHR/EMR vendors
  • Transcription services

Indian Companies as Business Associates

Indian healthcare IT, BPO, and SaaS companies serving US healthcare clients are Business Associates and must:

  • Sign BAAs with US Covered Entities
  • Implement HIPAA Security Rule safeguards
  • Ensure subcontractors also sign BAAs
  • Report breaches to the Covered Entity

45 CFR 164.504(e)

Required BAA Provisions

Every BAA must include these HIPAA-mandated provisions (45 CFR 164.504(e)):

Required clause: what the business associate must do

  • Permitted Uses: Specify how the BA may use and disclose PHI
  • Safeguards: The BA must use appropriate safeguards to prevent unauthorized use or disclosure
  • Reporting: Report any unauthorized use, disclosure, or security incident
  • Subcontractor Assurances: Ensure subcontractors agree to the same restrictions
  • Access to PHI: Make PHI available to the individual for access requests
  • Amendment: Make PHI available for amendment
  • Accounting: Make information available for an accounting of disclosures
  • HHS Compliance: Make practices available to HHS for compliance review
  • Return/Destroy: Return or destroy PHI at termination
  • Termination: Authorize termination if the BA violates the agreement

Cloud Coverage

Cloud Provider BAAs

Major cloud providers offer BAAs for HIPAA-eligible services:

  • AWS (BAA available): Sign via AWS Artifact. Covers most HIPAA-eligible services.
  • Microsoft Azure (BAA available): Sign via the Azure Portal. The Online Services Terms include the BAA.
  • Google Cloud (BAA available): Sign via the Cloud Console. Covers all HIPAA-eligible services.
  • Salesforce (BAA available): Available for Health Cloud and Shield products.

Before You Share PHI

Vendor Due-Diligence Checklist

Before sharing PHI with any business associate, work through these steps:

  • Verify that the vendor handles PHI (Business Associate status)
  • Request and review the vendor's HIPAA compliance documentation
  • Review the vendor's security certifications (SOC 2, ISO 27001)
  • Execute the BAA before sharing any PHI
  • Verify that the BAA covers all required HIPAA provisions
  • Document the vendor due-diligence process
  • Establish incident reporting procedures
  • Plan for annual vendor compliance reviews

Frequently Asked Questions

Common questions on HIPAA Business Associate Agreements, required clauses, and cloud BAAs.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a HIPAA-required written contract between a covered entity (or an upstream business associate) and a vendor that creates, receives, maintains, or transmits PHI on its behalf. The BAA legally binds the business associate to safeguard PHI, limit its use and disclosure, report incidents, and flow the same obligations down to subcontractors. Required BAA elements are set out at 45 CFR 164.504(e); see https://www.hhs.gov/hipaa.

When is a BAA required?

A BAA is required before a covered entity shares PHI with any business associate, and before a business associate shares PHI with a subcontractor. It is not required for the covered entity's own workforce, for disclosures to the individual, or for conduits that merely transport data without routine access (for example, the postal service). If a vendor will create, receive, maintain, or transmit PHI as part of its service, a BAA must be signed first.

Are Indian outsourcing and SaaS companies required to sign BAAs?

Yes. An Indian IT, BPO, analytics, or SaaS firm that handles US patient PHI on behalf of a US covered entity is a HIPAA business associate and must sign a BAA with that covered entity, implement the Security Rule safeguards, and ensure its own subcontractors sign back-to-back BAAs. HIPAA applies based on the handling of US PHI, not the vendor's location, so geography does not exempt Indian business associates.

Does signing a BAA make a company "HIPAA certified"?

No. There is no official "HIPAA certification" — HIPAA is a compliance obligation, not a certificate. A BAA is a contract that allocates HIPAA responsibilities; it does not certify compliance. A business associate evidences its compliance through implemented safeguards, a Security Risk Assessment, policies, training, and often an independent attestation such as SOC 2 or ISO 27001 — but no document, including the BAA, constitutes government certification.

Do cloud providers like AWS, Azure, and Google Cloud sign BAAs?

Yes. AWS, Microsoft Azure, and Google Cloud all offer BAAs covering their HIPAA-eligible services (signed via AWS Artifact, the Azure/Microsoft terms, and the Google Cloud console respectively). Signing the cloud provider's BAA is necessary but not sufficient: the customer remains responsible for configuring those services securely and for its own administrative, physical, and technical safeguards over the PHI it places in the cloud.


Written By Expert Auditors

Saundhi Chauhan, Lead Auditor (ISO 27001 Lead Auditor, ISO 27701 Lead Auditor)

Surendra Pal Singh, Chief Information Security Officer & Data Protection Officer (CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor)

Last reviewed: June 2026. Content verified by certified lead auditors.
