What Your Business Associate Agreement Doesn’t Cover — And Should

If your organization handles protected health information and uses cloud storage, a signed Business Associate Agreement is a legal requirement — not a differentiator. What determines whether your PHI is actually protected is everything that comes after the signature.

Many covered entities treat the BAA as the end of their due diligence on a cloud vendor. It isn’t. The BAA establishes legal accountability in the event of a breach, but it doesn’t verify that the vendor’s systems are configured to prevent one. Understanding what a BAA does and doesn’t cover is essential to making informed vendor decisions.

What the BAA Actually Does

A Business Associate Agreement is a contract required by HIPAA that establishes the permitted uses of PHI by a business associate, the safeguards the business associate must implement, and the obligations the business associate has in the event of a breach. It creates legal liability and defines the reporting chain — if the BA causes a breach, they’re contractually obligated to notify you within 60 days and may share in regulatory exposure.

That legal accountability is real and meaningful. A vendor willing to sign a BAA is acknowledging HIPAA obligations and accepting consequences for violations. A vendor who refuses to sign a BAA is telling you, explicitly, that they will not be handling your PHI in a compliant manner — which means you should not use them for any PHI at all.

What the BAA Doesn’t Do

Signing a BAA does not mean the vendor has implemented the Technical Safeguards required under the HIPAA Security Rule. It doesn’t guarantee their infrastructure meets your specific requirements for encryption, access controls, or audit logging. It doesn’t verify that their staff have received HIPAA training. And it doesn’t mean their system is configured correctly for your use case.

A BAA is a contract that says “we will be compliant.” It is not evidence that they are. The distinction matters enormously when evaluating vendors.

The Due Diligence That Should Follow the BAA

After receiving a signed BAA, a thorough evaluation should include several additional steps.

Request their Security and Privacy documentation. Reputable vendors will have written policies covering access controls, encryption standards, incident response, and employee training. Ask to see them. Vague or unavailable documentation is a red flag.

Ask about their most recent third-party security audit. SOC 2 Type II reports are the standard for cloud service providers. A Type II report covers a period of time (typically 6-12 months) and evaluates whether the vendor’s controls are operating effectively, not just whether they exist. A vendor who hasn’t completed a SOC 2 Type II in the past year should give you pause.

Clarify the subcontractor chain. Your vendor likely uses subprocessors — other cloud services that handle data on their behalf. Under HIPAA, each of these relationships also requires a BAA. Ask your vendor which subprocessors will have access to PHI and whether downstream BAAs are in place for each. This is a common gap.

Understand breach notification timelines in practice. The BAA will state a notification obligation, but ask how breaches are detected and escalated internally. A vendor without a defined incident response process may technically meet the BAA’s contractual language while being practically unprepared to detect a breach in time to notify you.

Key Contract Provisions to Negotiate

Standard BAA templates favor the vendor. Before signing, several provisions are worth scrutinizing or negotiating. Ensure the permitted uses of PHI are narrowly defined — the BA should only be using PHI to perform services on your behalf, not for their own purposes like product improvement or analytics. Confirm data deletion obligations are specific: when the relationship ends, PHI should be returned or provably destroyed within a defined timeframe. And verify the indemnification provisions, which determine who bears the cost if the vendor’s breach results in regulatory fines against your organization.

Ongoing Monitoring, Not a One-Time Check

The BAA obligation doesn’t end at signing. HIPAA requires covered entities to have ongoing oversight of their business associates. That means periodic reviews of the vendor’s compliance posture, not just annual contract renewals. Build vendor review checkpoints into your compliance calendar. If a vendor has a publicly disclosed breach, even one that doesn’t involve your data, treat it as a signal to re-evaluate whether their security program meets your requirements.

The BAA is the foundation. What you build on top of it — through due diligence, contract negotiation, and ongoing monitoring — determines whether your PHI is actually protected.