Question 1

What is a Business Associate Agreement?

Accepted Answer

A Business Associate Agreement (BAA) is a written contract required by the HIPAA Privacy and Security Rules under 45 CFR 164.502(e) and 45 CFR 164.504(e). A covered entity must have an executed BAA in place before disclosing protected health information to a vendor that creates, receives, maintains, or transmits PHI on its behalf. The BAA must include specific provisions: permitted uses and disclosures, safeguard requirements aligned with the Security Rule, breach notification obligations, subcontractor flow-down requirements, audit and access rights, and termination triggers. Disclosing PHI to a vendor without a BAA is itself a HIPAA violation, separate from any breach the vendor may cause.

Question 2

What is a Data Processing Addendum?

Accepted Answer

A Data Processing Addendum (DPA) is the state-privacy-law equivalent of a BAA. Under laws like CPRA (Cal. Civ. Code 1798.140(ag)), VCDPA, Colorado CPA, and Connecticut CTDPA, a controller must have a written contract with each processor or service provider before sharing personal information. Required terms include: defined processing purposes, confidentiality, end-of-engagement deletion or return, audit rights, sub-processor flow-down, assistance with consumer rights requests, and assistance with security incidents. Without a compliant DPA, the vendor may be reclassified as a third party, which triggers sale or sharing disclosure obligations under CCPA. Many vendors maintain a standard DPA that you can countersign.

Question 3

Do all vendors need a BAA?

Accepted Answer

No. A BAA is only required for vendors who meet the HIPAA definition of business associate under 45 CFR 160.103, meaning they create, receive, maintain, or transmit PHI on behalf of a covered entity. Vendors who never touch PHI (such as an office cleaning service that does not access patient files, or a marketing agency working only with de-identified data) do not need a BAA. The HHS Conduit Exception, narrowly applied, can also exclude pure transmission services that only transport encrypted PHI without storing or accessing it. When in doubt, get a BAA. Many practices use a vendor-risk inventory to classify every vendor as in-scope or out-of-scope. North Privacy Advisors offers vendor risk reviews that include BAA scoping.

Question 4

What happens if my vendor has a breach?

Accepted Answer

Under 45 CFR 164.410, a business associate must notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 days from discovery. The covered entity then has its own notification obligations under 45 CFR 164.404 (to affected individuals), 45 CFR 164.408 (to HHS), and 45 CFR 164.406 (to media if 500 or more residents of a state or jurisdiction are affected). The covered entity can be held liable even when the vendor caused the breach, especially if the BAA was missing, incomplete, or contained inadequate safeguard requirements. State privacy laws have parallel processor notification and controller-side disclosure rules.

Question 5

How do I conduct a vendor risk assessment?

Accepted Answer

A vendor risk assessment typically follows five steps. First, inventory every vendor who touches PHI or regulated personal data. Second, classify each vendor by data type, access level, and criticality. Third, request and review the vendor's security documentation: SOC 2 Type II report, HITRUST certification, ISO 27001 certificate, penetration test summaries, and a completed security questionnaire. Fourth, review and negotiate the BAA or DPA to confirm safeguard standards, breach notification timelines, sub-processor controls, and audit rights. Fifth, document the assessment, set a re-assessment cadence (annual is typical for high-risk vendors), and maintain a vendor register. OCR auditors often ask for the vendor register and the BAA log first.

Question 6

What is a sub-processor under HIPAA?

Accepted Answer

Under 45 CFR 164.502(e)(1)(ii) and 45 CFR 164.504(e)(5), a sub-processor (sometimes called a subcontractor business associate) is any vendor that a business associate engages to create, receive, maintain, or transmit PHI on the business associate's behalf. The business associate must enter into a written contract with each sub-processor that imposes the same restrictions and conditions as the upstream BAA. This is called flow-down. Common sub-processors include cloud hosting providers, email infrastructure, data backup services, and offshore support teams. A covered entity should request a list of material sub-processors from each business associate and verify that flow-down BAAs are in place.

Vendor Risk Review & Business Associate Agreement Patterns

Why vendor risk is the most-overlooked source of HIPAA and state-privacy exposure

The same risk exists in state privacy laws

What audit-ready vendor governance looks like

All articles in this topic

BAA vs DPA: What's the Difference and When Do You Need Each?

Case Study: Building a Privacy-Compliant Vendor Program for a Multi-Location Hospitality Business