Business Associate Agreements

HIPAA BAA Guide
Requirements & Best Practices

A Business Associate Agreement (BAA) is a contract required by HIPAA between a Covered Entity and any third party that will create, receive, maintain, or transmit PHI on their behalf.

What is a Business Associate?

A Business Associate is any person or entity that performs functions or activities involving PHI on behalf of a Covered Entity. This includes:

  • IT service providers and cloud hosts
  • Medical billing companies
  • Claims processors
  • Practice management consultants
  • Data analytics vendors
  • EHR/EMR vendors
  • Transcription services

Indian Companies as Business Associates

Indian healthcare IT, BPO, and SaaS companies serving US healthcare clients are Business Associates and must:

  • Sign BAAs with US Covered Entities
  • Implement HIPAA Security Rule safeguards
  • Ensure subcontractors also sign BAAs
  • Report breaches to the Covered Entity

Required BAA Provisions

Every BAA must include these HIPAA-mandated provisions:

Permitted Uses

Specify how the BA may use and disclose PHI

Safeguards

BA must use appropriate safeguards to prevent unauthorized use/disclosure

Reporting

Report any unauthorized use, disclosure, or security incident

Subcontractor Assurances

Ensure subcontractors agree to same restrictions

Access to PHI

Make PHI available to individual for access requests

Amendment

Make PHI available for amendment

Accounting

Make information available for accounting of disclosures

HHS Compliance

Make practices available to HHS for compliance review

Return/Destroy

Return or destroy PHI at termination

Termination

Authorize termination if BA violates the agreement

Cloud Provider BAAs

Major cloud providers offer BAAs for HIPAA-eligible services:

AWS

BAA Available

Sign via AWS Artifact. Covers most HIPAA-eligible services.

Microsoft Azure

BAA Available

Sign via the Azure Portal. The Online Services Terms include the BAA.

Google Cloud

BAA Available

Sign via the Cloud Console. Covers all HIPAA-eligible services.

Salesforce

BAA Available

Available for Health Cloud and Shield products.

Need Help with BAA Compliance?

Our experts can help you review, negotiate, and implement BAA requirements for your organization.