Business Associate Agreement (BAA)

A Business Associate Agreement is a HIPAA-required contract between a covered entity and any vendor that creates, receives, maintains, or transmits Protected Health Information on the covered entity's behalf.

What a BAA does

A BAA is the contract by which HIPAA obligations flow from a covered entity (healthcare provider, health plan, healthcare clearinghouse) to a business associate (any vendor that handles PHI on its behalf). The required terms are specified in 45 CFR 164.504(e): permitted uses and disclosures of PHI, safeguards consistent with the Security Rule, sub-contractor flow-down, breach notification, individual access support, and termination procedures including return or destruction of PHI. Without a current BAA in place, the covered entity is in violation of HIPAA the moment PHI flows to the business associate.

AI vendor BAA considerations

AI vendors that touch PHI must sign a BAA. The signature alone is not sufficient: the vendor must actually meet the Security Rule's technical safeguards (access controls, audit logging, integrity, transmission security, encryption) and the Privacy Rule's use limitations. Mature healthcare AI vendors offer a standard BAA template (often based on the HHS model) and resist customer-specific edits beyond identifying information. Resistance to standard BAA terms is itself a procurement signal.

Common BAA gaps

Several gaps recur in vendor BAAs. The vendor signs a BAA but does not flow it down to its AI sub-processors; the foundation model provider must also be under a BAA, or the data must be de-identified before it reaches that provider. The BAA excludes metadata or de-identified data without saying so explicitly. The BAA permits training on PHI without specific authorization from the covered entity. The BAA's breach notification SLA exceeds 60 days (HIPAA's outer limit) or excludes breaches at the business associate's sub-contractors. Each of these is worth verifying explicitly in diligence.