OnlyHIPAA

Business Associate Agreement (BAA)

Last updated: June 3, 2026

Already a customer? A signed BAA is required before any protected health information (PHI) is stored in OnlyHIPAA and is executed automatically when your account is activated. You can download a counter-signed copy from Settings → Organization at any time.

1. What is a BAA?

A Business Associate Agreement (BAA) is a contract required by the HIPAA Privacy Rule (45 CFR § 164.504(e)) between a HIPAA-covered entity (or business associate) and any vendor that creates, receives, maintains, or transmits protected health information on its behalf.

The BAA legally obligates the business associate to safeguard PHI in accordance with HIPAA and limits how PHI may be used and disclosed.

2. When You Need a BAA

You need a BAA in place with any vendor that will handle PHI on your behalf, including:

  • Cloud-hosting and SaaS providers (e.g., compliance platforms, EHR vendors)
  • Email and messaging platforms that route PHI
  • Managed-IT providers and MSPs with access to systems containing PHI
  • Billing, transcription, and revenue-cycle services
  • Legal, accounting, and consulting firms that access PHI

3. What a HIPAA-Compliant BAA Must Include

At minimum, a valid BAA must address each of the following requirements from 45 CFR § 164.504(e)(2):

  • Permitted and required uses and disclosures of PHI by the business associate
  • Prohibition on use or disclosure beyond what the contract permits or HIPAA requires
  • Implementation of appropriate safeguards (administrative, physical, technical) for PHI
  • Reporting of any improper use or disclosure, security incident, or breach of unsecured PHI
  • Flow-down requirements to subcontractors that handle PHI
  • Making PHI available for individual access, amendment, and accounting of disclosures
  • Making internal practices, books, and records available to HHS for compliance investigations
  • Return or destruction of PHI at the termination of the contract, where feasible
  • Authorization for the covered entity to terminate the contract for a material breach

4. Free Template

The HHS Office for Civil Rights publishes sample BAA provisions you can adapt as a starting point. We strongly recommend having any BAA reviewed by qualified legal counsel before signing.

OnlyHIPAA customers can manage all of their executed BAAs, including ours, from the Business Associates page in the dashboard.

5. OnlyHIPAA’s BAA

We are happy to execute our standard BAA with all customers on plans that store PHI. Our BAA covers all of the regulatory minimums above plus additional commitments around encryption, breach-notification timelines, and subprocessor management.

Need a copy before signing up? Email [email protected] and we’ll send one over.

Disclaimer. This page is provided for informational purposes only and does not constitute legal advice. The BAA template and guidance referenced here do not create an attorney-client relationship. Consult qualified legal counsel for advice specific to your situation.