What Is a HIPAA BAA? What It Requires and What It Doesn't Cover
Last updated: March 2026
One note before we start: this page is for informational purposes only. Aptible is not a law firm, and nothing here is legal advice. For questions about specific contracts or compliance obligations, consult an attorney.
A BAA (business associate agreement) is a required legal contract under HIPAA between a covered entity or business associate and any vendor that creates, receives, transmits, or maintains protected health information on their behalf. Without a BAA, sharing PHI with a vendor is not legally permitted under HIPAA, regardless of whether that vendor is otherwise secure. The BAA does two things simultaneously: it satisfies the HIPAA regulatory requirement, and it creates direct contractual liability between the parties. If either obligation is missing or violated, both parties may face federal enforcement action, not just the non-compliant one.
BAAs are sometimes called "business associate contracts" in the HIPAA regulations. Same thing.
What Is a Business Associate?
The most common type of business associate is a person or organization that creates, receives, transmits, or maintains PHI on behalf of a covered entity or another business associate.
In practice: if you handle identifiable patient data for any reason on behalf of a healthcare company, most covered entities will consider you a business associate and require a BAA. This includes hosting providers, SaaS platforms, analytics vendors, logging services, and any other third party your application sends PHI to.
What counts as handling PHI "on behalf of" another entity? HHS defines it broadly. If another entity pays you or directs you in how you handle PHI, that relationship likely qualifies. When in doubt, treat the relationship as one requiring a BAA.
Employees are not business associates. Members of your workforce (paid employees, volunteers, trainees, and temporary staff under your direct control) are not business associates. You are responsible for training them and supervising their PHI access, but they don't sign BAAs. Independent contractors and consultants typically are business associates and should sign one.
When Is a BAA Required?
Any time a business associate relationship exists. This includes two scenarios:
A covered entity and a business associate
A business associate and a subcontractor business associate
BAAs work like a chain. If you sell software that handles PHI and host it on Aptible:
You are a business associate of your covered entity customer
Aptible is your business associate
AWS is Aptible's business associate
Neither you nor your customer is required to have a BAA with AWS unless you also use AWS directly
Your covered entity customer doesn't need a BAA with every vendor in your stack, only with you. You're responsible for the chain below you.
What a BAA Must Contain
HHS publishes sample BAA provisions and guidance. The full requirements are in 45 CFR §§164.314 and 164.504. In summary, a BAA must:
Define permitted uses and disclosures of PHI. Anything not explicitly permitted is prohibited. Subcontractor use and disclosure must comply with the same restrictions.
Require the business associate to comply with the Security Rule. Because it's in the contract, a failure also constitutes a breach of the BAA, not just a potential regulatory violation.
Require the business associate to report unauthorized uses and disclosures. This includes breaches under the Breach Notification Rule and "security incidents" as defined by HIPAA.
Allow the upstream entity to terminate if material BAA terms are violated. The BAA and the underlying service agreement are often linked: BAA termination may trigger contract termination.
Address data lifecycle events. Amendments to PHI, patient requests for their PHI, and the return or destruction of PHI at the end of the agreement.
Require subcontractors to meet the same restrictions. A business associate can't end-run privacy restrictions by contracting out to a third party.
What a BAA Does Not Do
This is the most common misunderstanding: a signed BAA doesn't make your application HIPAA compliant.
A BAA is a legal agreement: it establishes who is responsible for what and creates liability if those responsibilities aren't met. It doesn't automatically implement security controls, configure encryption, set up audit logging, or enforce access controls. Those are implementation requirements that you build.
Specifically, a BAA with your hosting provider does not:
Make your application layer compliant (application controls are your responsibility)
Guarantee the provider is actually implementing the security controls the BAA obligates them to
Transfer your HIPAA compliance obligations to the provider
Cover services or data flows outside the scope the BAA defines
Protect you from enforcement if you fail to implement required controls on your side
Getting a BAA from every vendor that touches PHI is necessary. It is not sufficient.
Choosing Vendors: BAAs and Compliance
Some vendors will agree to sign a BAA without having meaningful security controls in place. The conversation goes: customer asks if they're HIPAA compliant, vendor says yes, customer asks for a BAA, vendor says yes. What the vendor hasn't mentioned is that they're not actually meeting the controls the BAA obligates them to implement.
If you know a business associate has materially breached a BAA, HIPAA requires you to correct it or terminate the relationship. Ignoring known non-compliance can expose you to the vendor's failures. That said, HIPAA doesn't require you to audit every vendor proactively. When vendors handle PHI, they become directly liable for their own compliance.
The practical test: ask vendors for their SOC 2 Type II report or HITRUST certification. A signed BAA plus a current security attestation is materially stronger than a signed BAA alone.
How BAA Terms Vary by Platform
Not all BAAs are created equal. Access, process, and cost vary significantly across hosting providers, and so do the terms.
| Platform | BAA available | Plan required | How to get it | Key limitation |
|---|---|---|---|---|
| Heroku | Yes | Enterprise + Shield Private Space required | Contact sales for Business Associate Addendum | Enterprise contract only; Shield Private Space typically costs several thousand dollars per month; all add-ons must also be Shield-tier (Shield Postgres, Shield Redis, etc.) |
| (platform name missing from source) | Yes | Organization or Enterprise | Self-serve via dashboard (Workspace Settings → Compliance) | 20% surcharge on all usage; $250/month minimum; workspace upgrade is irreversible |
| Vercel | Yes | Pro (click-through) or Enterprise (signed) | Pro: Settings → Billing; Enterprise: contact sales | Pro BAA is a click-through agreement, not a signed contract; signed BAA requires Enterprise |
| Railway | Yes | Paid plan with minimum spend threshold | Contact team@railway.com | By request only; spend threshold required; Railway staff cannot access your workloads once BAA is active |
| Aptible | Yes | All plans | Included: no separate process, no sales call | No extra cost; covers your entire Aptible environment |
A few things to look for beyond availability:
Scope: Does the BAA cover all services you use, or just specific ones? Heroku's BAA, for example, requires Shield-tier versions of each add-on separately: standard Postgres is not covered, Shield Postgres is.
Signed vs. click-through: A click-through BAA (like Vercel's Pro tier) may not carry the same legal weight as a signed agreement. Know what you're getting.
Subcontractors: Does the BAA extend to the provider's subcontractors who may touch your data?
Incident reporting: What timeline does the provider commit to for breach notification? HIPAA requires ≤ 60 days, but you want much shorter in practice.
BAA Evaluation Checklist
Before signing a BAA, verify these eight items:
[ ] Scope is explicit. The BAA names the specific services you're using, not just the vendor in the abstract.
[ ] Breach notification timeline is defined. HIPAA maximum is 60 days. Push for 72 hours to 10 business days for serious incidents.
[ ] Subcontractor obligations are covered. PHI your vendor passes to their own subcontractors must be subject to equivalent restrictions.
[ ] Shared responsibility is spelled out. Which security controls is the provider responsible for? Which are yours? Ambiguity here creates audit problems.
[ ] Data return/destruction at termination is addressed. What happens to your PHI when you leave? By when? In what format?
[ ] Liability and indemnification are reasonable. Understand breadth (what types of damages) and depth (dollar caps). Get an attorney's review on anything uncapped.
[ ] Agency relationship is disclaimed. Avoid provisions that make the vendor your legal agent. If a vendor is your agent, their breach discovery is legally imputed to you.
[ ] BAA term aligns with the underlying contract. If your service agreement terminates, what happens to the BAA? The relationship between the two should be explicit.
Common BAA Terms to Negotiate
Breach reporting: HIPAA says business associates must report breaches "without unreasonable delay and in no case later than 60 days." Many covered entities push for shorter timelines. Aggregate reporting or advance notice in the BAA itself is reasonable. What's not reasonable: agreeing to report every failed login attempt separately. HIPAA's definition of "security incidents" is broad and includes things like port scans and isolated unsuccessful logon attempts. Negotiate for reporting obligations that reflect meaningful events, not infrastructure noise.
Subcontractor inheritance: Some covered entities misread HIPAA to require that all BAA terms flow identically down the chain. The actual rule (45 CFR §164.314) requires that subcontractors agree to the same restrictions on PHI use and disclosure, not that every security control must be identical. The Security Rule explicitly allows flexibility for controls that are "reasonable and appropriate" to each entity.
Liability: Understand both scope and cap. Scope means the types of damages you could be liable for (breach response costs vs. consequential damages like lost business). Cap means the total dollar amount. Uncapped indemnification for breaches is common and mostly manageable because breach costs are predictable and insurable. Uncapped general liability is more dangerous. If you're a startup, contracts with unlimited general liability will create problems for future acquisitions.
FAQ
When is a BAA required?
Any time a vendor creates, receives, transmits, or maintains PHI on your behalf. This applies to hosting providers, SaaS platforms, analytics tools, logging services, and any other vendor your application sends PHI to. The requirement applies regardless of whether the data is incidental.
Do employees need to sign a BAA?
No. Members of your workforce are not business associates. This includes employees, volunteers, trainees, and temporary staff under your direct control. Independent contractors and consultants typically do need to sign a BAA, because they are generally not under your direct control.
What happens if a vendor doesn't have a BAA?
Sharing PHI with a vendor without a BAA in place is a HIPAA violation. Both parties can face HHS enforcement action. If a vendor won't sign a BAA, keep PHI out of their service entirely. HHS has imposed seven-figure settlements for failure to execute BAAs with vendors who handled PHI.
What's a reasonable breach notification timeline in a BAA?
HIPAA requires business associates to notify covered entities without unreasonable delay and no later than 60 calendar days after discovering a breach. In practice, 10 business days or less for confirmed breaches is a reasonable target. Don't agree to timelines that run from the breach occurrence rather than from discovery: you may not know a breach happened within that window.
Can BAA terms be negotiated?
Yes, with some providers. Standard BAA templates from major cloud providers are largely non-negotiable. Smaller vendors and service providers often have more flexibility. Key items worth negotiating: breach notification timelines, subcontractor disclosure requirements, and liability provisions. For high-volume or high-risk relationships, getting a legal review before signing is worth the cost.