What is a Business Associate Agreement and Why is it Important for HIPAA?

Software and cloud providers are becoming a major part of healthcare infrastructure. As demands for data storage, analytics, collaboration, and telehealth treatment increase, healthcare providers are relying on MSPs and CSPs to help them stay up-to-date and compliant while respecting the privacy of their patients. 

If you’re a vendor who wants to work in the healthcare industry as a Business Associate, it’s not enough for your partners to stay compliant. Under HIPAA rules, you must have an agreement in place with any healthcare provider you partner with that places you under HIPAA regulations as well. 

Covered Entities and Business Associates in HIPAA Regulations

The Privacy Rule outlines the specifics of HIPAA compliance: what protected data is, the responsibilities of healthcare organizations handling that data, and what steps they need to take to manage their compliance and assess risk. 

Another important aspect of this rule, and from the introductory material of HIPAA in general, is how it defines responsible parties. In this case, the two most prominent parties in any HIPAA compliance situation are Covered Entities and Business Associates. 

• Covered Entities (CEs): CEs are defined by HIPAA as Health plans, healthcare clearinghouses, and healthcare providers who collect, store, or transmit Personal Health Information (PHI). Any manner of data handling or transmission that includes PHI situates these organizations as CEs. They use PHI for treatment, research, insurance provisioning, and billing.
  
• Business Associates (BAs): These organizations supplement for or partner with CEs but do similar work. So, for example, a hospital might be a CE handling patient data, and they work with a billing and finance firm that handles their PHI for payments. That firm is considered a BA with specific legal responsibilities. 

 These definitions can be somewhat fluid. A healthcare logistics or IT company will most likely not be a Covered Entity like a hospital. A hospital, or parts of a provider, can offer additional services to other CEs, in which case they are also a Business Associate. 

Any company that enters into a working relationship with a Covered Entity as a Business Associate must have a working Business Associate Agreement (BAA).

What is a Business Associate Agreement?

For HIPAA compliance, all CEs must have a BAA with any Business Associates that will handle, store, or come into contact with PHI.

In general terms, a BAA creates a legal relationship between CAs and BAs that is enforceable under HIPAA regulations. Any third-party company or professional that does not work for a CE but that works with a CE handling PHI must sign a BAA. Failure to have one in place can result in extensive finds and other penalties for both the CE and the BA. 

Who can fall under the designation of “Business Associate”?

• A financing and payments processing company handling patient payment and billing information on behalf of a hospital or clinic.
  
• A managed service provider (MSP) hosting technical utilities that manage PHI for a hospital, clinic, or insurance company.
  
• A cloud service provider (CSP) serving as a backup storage solution for patient records with a hospital network.
  
• Contract website developers building intranet websites who may come into contact with PHI.
  
• Email providers hosting or transmitting emails outside a hospital firewall infrastructure.

While these are some examples, they are by no means exhaustive. If your business comes into contact with PHI, you are essentially functioning as a business associate.

The HIPAA Omnibus Rule

Before 2013, Business Associates had certain legal liabilities under a BAA, including their responsibility to secure and protect PHI under the HIPAA Privacy, Security, and Breach Notification Rules.

In 2013, however, the Department of Health and Human Services (HHS) published the final revision of the Omnibus rule, which fundamentally reshaped several portions of HIPAA regulations. One of the biggest changes to HIPAA was the impact on Business Associates and BAAs. 

After the Omnibus rule tool effect, the following changes were made part of HIPAA guidelines:

• All CEs and BAs had to revise their BAAs to incorporate the new requirements.
  
• All Business Associates faced new requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. Part of this was including extended breach notification rules for BAs, namely notifying any CE they worked with of a data breach.
  
• The definition of a Business Associate was also expanded to include companies that support Covered Entities in any capacity that discloses PHI. That is, prior to the Omnibus Rule, only companies that actively managed PHI was considered BAs, whereas after 2013 any associated firm that even touched PHI as part of their operation were subject to HIPAA compliance.
  
• Following those extensions of definition, liabilities, responsibilities, and penalties for HIPAA compliance and non-compliance were subsequently extended to cover BAs under their Business Associate Agreements.
  
• Finally, subcontractors for BAs were defined as subject to HIPAA requirements as well and had to enter individual agreements with the Business Associate independent of the CE.

The Use and Impact of Business Associate Agreements

Business Associate Agreements are a necessary part of doing business in the healthcare industry. Consider the following examples:

1. Service providers like Microsoft and Google provide enterprise-level products (email, cloud storage) that are incredibly important for healthcare businesses large and small. Both Microsoft and Google have BAAs that they require of any CE they enter into an agreement with. This includes any CE or BA using email, cloud storage, or productivity tools that in any way come into contact with PHI.
   
2. Pharmacies using POS software on a cloud platform or processing patient information through a third-party supplier must have BAAs in place for those relationships.
   
3. A law firm representing a hospital or clinic must have a BAA in place with each client they serve if they are to use or disclose PHI as part of their job. 

The BAA outlines the fact that the Business Associate is bound by the Privacy, Security, and Breach Notification Rules of HIPAA. That means that they must:

1. Protect the privacy, security, and integrity of PHI in their custody. 
2. Provide adequate physical, administrative, and technical safeguards for any PHI they store or transmit. 
3. Notify their associated CE in the event of a data breach involving PHI.
4. Assess risk related to their data infrastructure as it relates to HIPAA compliance. 

This means that BAs are liable under HIPAA for penalties and other punishments for non-compliance. These penalties can range from $100 per incident to a minimum of $50,000 per incident involving willful neglect.

These agreements can also include additional liabilities, requirements, and responsibilities that fall under different legal jurisdictions. 

Likewise, CEs and BAs can still face penalties for not having a BAA on file. In 2017, the Center for Children’s Digestive Health, a small clinic for-profit clinic in Chicago, was hit with over $30,000 in fines when a compliance audit of their Business Associate showed that neither party had a BAA on file. 

Conclusion

HIPAA compliance is a serious issue and maintaining compliance when working with Business Associates can get tricky. Make sure that you have a clear understanding of your Business Associates, that you trust their compliance efforts, and that those efforts are spelled out in a BAA for your protection and the protection of your patients’ PHI.

Lazarus Alliance supports companies working in the healthcare industry with expert audits of HIPAA compliance, as well as additional consulting and support for continued HIPAA maintenance. To learn more on how Lazarus Alliance can help you pursue your NIST 800-66 HIPAA attestation, please call us at 1-888-896-7580 or through the form below.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→