
Business Associate Agreement (BAA)

A written contract requiring a vendor that handles PHI to protect it under HIPAA.

A Business Associate Agreement (BAA) is a written contract between a HIPAA covered entity (or another business associate) and a vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. The BAA makes the vendor directly accountable for safeguarding PHI, reporting breaches, and meeting the HIPAA Security Rule.

Using a hosting provider, email service, or other vendor to handle PHI without a signed BAA is itself a HIPAA violation. See our key security measures for HIPAA-compliant hosting.