Tristella Advisors

What is Business Associate Agreement (BAA)?

A legally required contract between a HIPAA-covered entity and any vendor or service provider that handles protected health information on its behalf.

A Business Associate Agreement, commonly called a BAA, is a contract required under HIPAA between a covered entity, such as a hospital, health plan, or healthcare clearinghouse, and any third-party vendor that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. The agreement legally obligates the vendor to safeguard PHI in accordance with HIPAA standards and specifies what happens in the event of a breach.

The category of vendors who qualify as business associates is broad. It includes cloud providers, electronic health record vendors, billing services, analytics platforms, AI tool providers, and any other company that touches PHI in the course of providing services to a covered entity. Importantly, a business associate that shares PHI with a subcontractor must also obtain a BAA from that subcontractor, creating a chain of accountability that extends through the technology stack.

For technology companies selling into healthcare, the ability to sign a BAA is often a gating requirement. Enterprise health systems will not onboard a vendor that cannot execute a BAA, regardless of how compelling the product is. Most major cloud infrastructure providers, including AWS, Google Cloud, and Microsoft Azure, offer BAA coverage, but only for the services they designate as eligible and only when those services are used in the configurations the provider specifies. The BAA covers the provider's side of the shared responsibility model; the application built on top of it, its configuration, its access controls, and any PHI placed in a service the BAA does not cover remain the customer's responsibility.

Signing a BAA is not the same as being HIPAA compliant. The agreement is a contractual commitment to handle PHI appropriately; the actual compliance work (technical safeguards such as access controls and audit logging, breach notification procedures, and workforce training) must be implemented and maintained independently. A signed BAA with no underlying compliance program creates legal exposure rather than protection, because the signer has accepted obligations it cannot demonstrate meeting.

Related Terms

HIPAA
PHI (Protected Health Information)
EHR (Electronic Health Record)
FHIR

Further Reading

Healthcare IT Services