A BAA and a BASA are both HIPAA-related agreements, but they apply to different relationships and responsibilities. A BAA, or business associate agreement, is an agreement between a covered entity and a business associate. A business associate subcontractor agreement (BASA) is one between a business associate and a business associate’s subcontractor. They both ensure HIPAA compliance, but with different parties.
Understanding HIPAA roles
To understand the difference between a BAA and a BASA, it’s important to first clarify the roles HIPAA defines. A covered entity under HIPAA is any organization that is involved in the electronic creation, receipt, maintenance, or transmission of protected health information (PHI). The primary categories include health plans, healthcare clearinghouses, and specific healthcare providers that electronically transmit PHI for designated transactions.
The US Department of Health and Human Services (HHS) defines a business associate as a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Their “functions and activities” include “claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.”
A subcontractor, on the other hand, is “a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information,” writes the HHS. Both the business associate and the subcontractor are required to adhere to HIPAA regulations under their respective agreements.
Business associate agreement (BAA)
A BAA is required under HIPAA when a business associate handles PHI on behalf of a covered entity. As the HHS states, “The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.”
Purpose of a BAA
The BAA ensures that when a covered entity shares PHI with a vendor, that vendor:
- Uses PHI only for permitted purposes
- Implements appropriate safeguards
- Complies with HIPAA Privacy and Security Rules
- Accepts liability for HIPAA violations
Without a valid BAA, a covered entity cannot legally share PHI with a vendor, even if the vendor claims to be HIPAA compliant.
Who it applies to
- Covered entities: healthcare providers, health plans, healthcare clearinghouses
- Business associates: vendors or service providers that create, receive, maintain, or transmit PHI
Examples of business associates
- Email and cloud service providers like Paubox
- Billing companies
- IT and managed service providers (MSPs)
- Medical transcription services
- Legal, accounting, or consulting firms handling PHI
What a BAA does
According to the HHS, a BAA “serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.”
The BAA must:
- Define the permitted and required uses and disclosures of PHI
- Prohibit use or disclosure of PHI outside the contract or legal requirements
- Require administrative, physical, and technical safeguards, including HIPAA Security Rule compliance
- Mandate reporting of unauthorized uses, disclosures, and PHI breaches
- Require assistance with individual rights (access, amendments, and accountings)
- Obligate compliance with Privacy Rule requirements when performing covered entity functions
- Require making PHI-related records available to HHS for compliance reviews
- Require return or destruction of PHI upon contract termination, where feasible
- Ensure subcontractors agree to the same HIPAA restrictions and safeguards
- Allow contract termination for material violations by the business associate
When is it required?
A BAA is mandatory whenever a business associate creates, receives, maintains, or transmits PHI on behalf of a covered entity.
Business associate subcontractor agreement (BASA)
A BASA applies when a business associate hires another vendor, known as a subcontractor, that will also have access to PHI.
Why BASAs exist
HIPAA recognizes that business associates often rely on other vendors to deliver services. Without BASAs, PHI could pass through multiple hands without consistent protection.
HIPAA closed this gap by making subcontractors:
- Directly subject to HIPAA, and
- Contractually bound through a BASA
Who it applies to
- This agreement applies to the relationship between a business associate and its subcontractor.
- The BASA does not apply directly to the covered entity.
Examples of subcontractors
- A cloud hosting provider used by an MSP
- An email delivery service used by a healthcare marketing platform
- A data storage or backup provider used by a billing company
What a BASA does
According to the HHS, “Contracts between business associates and business associates that are subcontractors are subject to these [BAA] same requirements.”
This means a BASA:
- Extends HIPAA obligations downstream
- Ensures subcontractors follow the same PHI protections
- Requires breach reporting back to the business associate
When it’s required
A BASA is mandatory whenever a subcontractor can access PHI.
Why both agreements are critical for HIPAA compliance
- They prevent compliance gaps: Without a BASA, a business associate may unintentionally expose PHI to a subcontractor that has no legal obligation to protect it.
- They reduce breach risk: Many healthcare breaches originate from third-party vendors. Clear contractual safeguards reduce ambiguity around security responsibilities.
- They assign clear accountability: BAAs and BASAs establish:
  - Who must report incidents
  - How quickly breaches must be disclosed
  - What safeguards must be in place
- They are required by law: Failing to execute the appropriate agreement is itself a HIPAA violation, even if no breach occurs.
Consequences of not having a BAA or BASA
Failing to have a BAA or a BASA in place can have serious legal, financial, and operational consequences under HIPAA, even if no data breach ever occurs. The consequences include:
Automatic HIPAA violation
HIPAA explicitly requires BAAs and BASAs when PHI is involved. Not having one in place is itself a violation of the HIPAA Privacy Rule. Two rules follow directly:
- A covered entity may not share PHI with a vendor without a BAA
- A business associate may not share PHI with a subcontractor without a BASA
No breach is required for enforcement action to occur.
Civil monetary penalties (fines)
The U.S. Department of Health and Human Services (HHS) can impose significant fines for noncompliance. Penalties range from $147 to over $2 million.
Fines are based on:
- Level of negligence
- Duration of noncompliance
- Whether corrective action was taken
Increased liability after a data breach
If a breach occurs and no BAA or BASA exists:
- The organization that shared PHI may be fully liable
- Responsibility cannot be contractually shifted
- Regulators often treat the absence of agreements as an aggravating factor
This frequently results in:
- Higher fines
- Longer investigations
- Stricter corrective action plans
Enforcement actions and audits by HHS
HHS may require:
- Formal investigations
- Compliance audits
- Mandatory corrective action plans
- Ongoing reporting and monitoring
Contract termination and business disruption
Many healthcare organizations may:
- Refuse to onboard vendors without BAAs
- Terminate relationships once noncompliance is discovered
For vendors and subcontractors, this can mean:
- Loss of clients
- Ineligibility for healthcare contracts
- Reputational damage within regulated industries
Breach notification complications
Without a BAA or BASA:
- Breach reporting responsibilities are unclear
- Notification timelines may be missed
- Regulatory expectations may not be met
This can result in additional violations, even if the breach itself was limited.
Reputational damage and loss of trust
Healthcare organizations are trusted with sensitive patient data. Noncompliance can lead to:
- Public breach disclosures
- Media coverage
- Loss of patient and partner trust
FAQs
Can a vendor refuse to sign a BAA or BASA?
A vendor may refuse, but the covered entity or business associate cannot legally share PHI with that vendor. Continuing the relationship would be a HIPAA violation.
Can a BAA or BASA be signed after PHI has already been shared?
Signing an agreement retroactively does not eliminate the original HIPAA violation. However, executing the agreement promptly and documenting corrective action may reduce penalties during an HHS investigation.
Do international vendors need BAAs or BASAs?
Yes. Geographic location does not exempt vendors from HIPAA requirements. Any vendor, domestic or international, that accesses PHI must sign the appropriate agreement.
Can one agreement serve as both a BAA and a BASA?
Ideally, no. While the clauses may be similar, the agreement must reflect the correct legal relationship. Using the wrong agreement can create compliance gaps.