Is a HIPAA BAA Required Between Covered Entities? (w/Examples) + FAQs

No, a HIPAA Business Associate Agreement (BAA) is generally not required between two covered entities when they exchange Protected Health Information (PHI) for treatment, payment, or health care operations. The U.S. Department of Health and Human Services (HHS) built this rule into the HIPAA Privacy Rule at 45 CFR 164.506, which lets covered entities share PHI with each other without a separate contract for most direct care and billing work. The catch is that a BAA is required any time one covered entity performs a business associate function for another covered entity, such as billing, claims processing, legal, or IT services.

This question matters because the penalty for missing a required BAA can be severe. The Office for Civil Rights (OCR) has collected millions in settlements for BAA failures, including the well-known $5.55 million North Memorial settlement tied to a missing BAA with a contractor. Covered entities that guess wrong about when a BAA is needed often face civil money penalties under the HITECH Act tiered structure.

Knowing the right answer saves money, saves patient trust, and saves the compliance team from long OCR audits. The rules shift based on why the two entities are sharing data, what role each party plays, and how the data flows. This guide walks through every common fact pattern so your next vendor contract or referral is built the right way.

Here is what you will learn in this guide:

  • βš–οΈ When federal HIPAA rules require a BAA between two covered entities
  • πŸ₯ How treatment, payment, and operations (TPO) disclosures avoid BAAs
  • πŸ“ How Organized Health Care Arrangements (OHCAs) and Data Use Agreements (DUAs) change the rules
  • πŸ’Έ Real OCR enforcement examples and current 2026 penalty tiers
  • πŸ—ΊοΈ State overlays in California, Texas, and New York that add extra duties

The Core Rule Under Federal HIPAA

The HIPAA Privacy Rule is the federal law that controls how PHI moves between providers, plans, and clearinghouses. The rule is built around two main roles. The first role is the covered entity, defined in 45 CFR 160.103 as a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a covered transaction.

The second role is the business associate, also defined in 45 CFR 160.103 as a person or entity that performs certain functions on behalf of a covered entity that involve PHI. A BAA is only required when one party is acting on behalf of another party. Two covered entities doing their own jobs with their own PHI do not create this relationship.

The plain-English version is that a BAA is a vendor contract. If neither side is a vendor to the other, no BAA is needed. The consequence of skipping a needed BAA is serious because OCR treats the missing contract as a standalone violation under 45 CFR 164.502(e). A common misconception is that any PHI exchange needs paperwork, but the rule is narrower than that.

Why HHS Wrote the Rule This Way

HHS wrote the BAA requirement to plug a gap. Before HIPAA, a hospital could send PHI to an outside billing company with no privacy duty attached to that billing company. The BAA requirement pulls the vendor into HIPAA by contract, so patient data stays protected even when it leaves the covered entity’s walls.

The rule does not apply to entities that already have direct HIPAA duties. A second hospital is already bound by HIPAA on its own, so the contract is not needed to protect the data. The consequence of applying BAAs to every exchange would be paperwork paralysis across the health system.

A real-world example makes this clear. Dr. Alicia Romero, a cardiologist, sends a patient’s EKG to Mercy General Hospital for a second opinion. Both are covered entities, both are doing treatment, and no BAA is needed. A common misconception is that Dr. Romero’s practice must sign a BAA with Mercy General just because PHI moved, but that is wrong under 45 CFR 164.506(c)(2).

The “On Behalf Of” Test

The single most important test is whether one covered entity is doing work on behalf of another. If yes, the first entity is acting as a business associate, and a BAA is required even if both parties are covered entities. HHS confirmed this reading in its official BAA guidance page.

The consequence of missing this test is a Tier 2 or Tier 3 violation. A Tier 3 willful neglect penalty under the 2024 HHS annual adjustment can reach over $71,000 per violation. A real-world example is a hospital that hires another hospital’s in-house lab to process specimens for a fee. That arrangement triggers a BAA, even though both sides are covered entities.

A common misconception is that two hospitals in the same health system never need a BAA. That is only true if they are part of an Affiliated Covered Entity or OHCA, which is explained below.

When a BAA IS Required Between Two Covered Entities

A BAA is required between two covered entities whenever one of them steps outside its own role and performs a service for the other using PHI. The HHS BAA guidance lists billing, claims processing, utilization review, quality assurance, legal, accounting, consulting, data aggregation, and practice management as typical triggers. When a covered entity performs any of these for another covered entity, it wears the business associate hat.

The consequence of treating these deals as simple provider-to-provider sharing is a direct OCR violation. A real-world example is a large academic medical center that offers transcription services to a small rural clinic for a fee. Even though both are covered entities, the academic medical center is now a business associate of the clinic.

A common misconception is that a fee or invoice is the only trigger. In reality, the trigger is the function, not the money. A free service can still create a business associate relationship if PHI is handled on the other party’s behalf.

Billing and Claims Services

Billing is the most common function that turns a covered entity into a business associate. When Harborview Clinic hands its billing over to Regional Health System’s central billing office, Regional becomes a business associate. A signed BAA is required under 45 CFR 164.502(e)(1)(ii).

The consequence of skipping the BAA is both regulatory exposure and state-law breach-notice headaches. A real-world example is a small practice that relies on a hospital’s revenue cycle team but has no BAA in place. If the hospital’s billing team has a breach, the small practice can still be named in the OCR breach portal.

IT and Hosting Services

If one covered entity hosts the electronic health records (EHR) of another covered entity, a BAA is required. This often happens when a hospital system sells EHR access to an independent physician group. HHS addressed this directly in its Cloud Computing Guidance.

The consequence of no BAA here is a Security Rule violation layered on top of the Privacy Rule violation. A real-world example is Peak Valley Health, which leases EHR space to three outside clinics. Peak Valley must sign BAAs with each clinic, plus keep its own Security Rule safeguards.

Legal, Accounting, and Consulting

Professional service lines also trigger BAAs when PHI is involved. A covered entity’s in-house legal department that takes on outside hospital clients becomes a business associate to those outside hospitals. The rule flows from 45 CFR 160.103.

The consequence of missing this is often discovered during mergers and due diligence. A real-world example is an accounting group housed inside a hospital that audits a separate medical group’s books. That accounting group is a business associate, even though its parent hospital is a covered entity.

When a BAA is NOT Required Between Two Covered Entities

A BAA is not required when the two covered entities are exchanging PHI for their own treatment, payment, or health care operations (TPO) purposes. This carve-out lives in 45 CFR 164.506(c). The logic is that each entity is doing its own HIPAA job with its own PHI.

The consequence of adding unneeded BAAs is slower care and wasted legal spend. A real-world example is Dr. Chen referring a patient to St. Luke’s Orthopedics for surgery. No BAA is needed because both are doing treatment. A common misconception is that a referral letter, records release, or imaging transfer needs its own contract, but TPO disclosures are already authorized by the Privacy Rule.

Treatment Disclosures

Treatment is defined broadly in 45 CFR 164.501 and includes the provision, coordination, or management of health care by one or more providers. A hospital sending records to a specialist for a consult falls inside this definition. No BAA is required.

The consequence of treating this as a BAA event would slow emergency care. A real-world example is an ER sending a trauma patient’s imaging to a tertiary burn center for transfer. That exchange is pure treatment and does not require a BAA or even patient authorization.

Payment Disclosures

Payment includes the activities of a health plan to obtain premiums, determine coverage, and process claims. It also includes a provider’s activities to get paid for services. A provider sending claims data to a health plan, both covered entities, does not need a BAA with that plan.

The consequence of asking a plan to sign a BAA in this setting is often a flat refusal. A real-world example is a primary care group submitting claims to BlueStar Health Plan. Both are covered entities, both are doing payment work, and no BAA is needed.

Operations Disclosures

Health care operations include quality improvement, credentialing, training, and fraud detection. 45 CFR 164.506(c)(4) allows two covered entities with their own relationship with the patient to share PHI for operations without a BAA. The exchange is capped by the minimum necessary rule.

The consequence of exceeding the operations carve-out is a Privacy Rule violation. A real-world example is Coastal Medical Group sharing de-identified care quality metrics with Coastal Hospital, a sister hospital where the patients also receive care. That exchange fits the operations carve-out.

Special Exceptions That Change the Rule

Several structures inside HIPAA let covered entities share PHI without a BAA and sometimes without any agreement at all. These structures include Organized Health Care Arrangements (OHCAs), Affiliated Covered Entities (ACEs), and hybrid entities. Each one has a specific definition in 45 CFR 164.103 and 45 CFR 164.105.

The consequence of missing these structures is paying for BAAs that the law does not require. A real-world example is a hospital with 40 affiliated practices that signs 40 separate BAAs when an ACE designation could have covered the whole group. A common misconception is that these structures are only for giant systems, but small groups use them as well.

Organized Health Care Arrangement (OHCA)

An OHCA is a clinically integrated care setting where multiple covered entities hold themselves out to the public as participating in joint care. A classic example is a hospital and its medical staff. Under 45 CFR 164.506(c)(5), the members can share PHI for the joint operations of the OHCA without a BAA.

The consequence of failing to document the OHCA is that OCR may treat the parties as separate covered entities. A real-world example is a hospital that shares a joint Notice of Privacy Practices with its independent medical staff, a move HHS allows under the OHCA rule. A common misconception is that an OHCA removes HIPAA duties, but each entity stays fully responsible for its own compliance.

Affiliated Covered Entity (ACE)

An ACE is a group of legally separate covered entities under common ownership or control that agree to act as one covered entity for HIPAA purposes. 45 CFR 164.105(b) requires common ownership or control and written documentation of the designation.

The consequence of skipping the written designation is loss of the benefit. A real-world example is Northlake Health, a system with five hospitals under one parent, that files one ACE designation so that the hospitals can share PHI as a single covered entity.

Hybrid Entities

A hybrid entity is a single legal entity that performs both covered and non-covered functions. The entity designates its health care components in writing and applies HIPAA only to those components. 45 CFR 164.105(a) sets the rules.

The consequence of no written designation is that HIPAA applies to the whole company. A real-world example is a university that runs a student health clinic. The university designates the clinic as its health care component and keeps HIPAA out of its general academic operations.

Data Use Agreements vs. BAAs

A Data Use Agreement (DUA) is a lighter contract used for a limited data set, defined in 45 CFR 164.514(e). A limited data set strips 16 direct identifiers but keeps dates and some geographic detail. A DUA is used for research, public health, and health care operations.

The consequence of using a BAA where a DUA is the right tool is extra cost and misplaced duties. A real-world example is a research network that shares dates of service across hospitals for a diabetes study. A DUA is the right contract, not a BAA.

A common misconception is that a DUA and a BAA are interchangeable. They are not. A DUA does not create a business associate, and the data set allowed under a DUA is narrower than the data set allowed under a BAA.

Three Common Scenarios

The fastest way to see the rule in action is to walk through three common fact patterns that come up in hospitals, plans, and clinics every day. Each scenario below shows the PHI flow and the right answer under federal HIPAA.

PHI Exchange Scenario                                              | Correct Treatment Under HIPAA
-------------------------------------------------------------------|------------------------------------------------------------
Two covered providers share a patient’s chart for treatment        | No BAA needed under 45 CFR 164.506(c)(2)
Hospital A bills claims on behalf of Hospital B                    | BAA required because Hospital A acts as a business associate
Health plan pays a provider on a claim                             | No BAA needed, it is a payment disclosure

Group Structure                                                    | Agreement Required
-------------------------------------------------------------------|------------------------------------------------------------
OHCA participants sharing for joint operations                     | No BAA, OHCA documentation recommended
ACE members acting as a single covered entity                      | No BAA, written ACE designation required
Two unrelated covered entities sharing a research limited data set | DUA required, not a BAA

Service Arrangement                                                | Agreement Required
-------------------------------------------------------------------|------------------------------------------------------------
Hospital hosts another hospital’s EHR                              | BAA required under Privacy and Security Rules
Clinic A refers to Clinic B for a second opinion                   | No BAA, treatment disclosure
Hospital legal department represents an outside medical group      | BAA required, legal services trigger

State Law Overlays

Federal HIPAA sets the floor, not the ceiling. Several states add extra duties that look like BAAs but go beyond federal law. Ignoring these state laws is a common trap for multi-state health systems and health-tech startups.

The consequence of ignoring state law is state attorney general enforcement on top of OCR action. A real-world example is a telehealth startup that moves into California without reviewing the California Confidentiality of Medical Information Act (CMIA) and gets sued for CMIA violations that HIPAA did not even reach.

California CMIA

California’s CMIA applies to providers, contractors, and corporations that offer software or hardware to providers, including mobile apps that collect medical information. CMIA reaches more parties than HIPAA. A California provider may need a CMIA-compliant contract even when HIPAA does not require a BAA.

The consequence of a CMIA violation is private litigation with statutory damages of $1,000 per violation without proof of actual harm. A real-world example is a health app sharing data with a covered entity in California that signs a BAA but not a CMIA-compliant agreement. A common misconception is that a HIPAA BAA automatically satisfies CMIA.

Texas HB 300

Texas HB 300 expanded the definition of covered entity in Texas far beyond HIPAA’s definition. Any person or business that handles PHI in Texas is a covered entity under state law. Texas also requires training within 90 days of hire and every two years thereafter.

The consequence of a violation includes civil penalties up to $1.5 million per year. A real-world example is a Texas startup that treats HIPAA as the full rulebook and misses HB 300 training. A common misconception is that HB 300 is just a training rule, when it actually changes who counts as a covered entity.

New York SHIELD Act

The New York SHIELD Act adds data security duties for any business that holds the private data of New York residents, including health data. Even if HIPAA applies, the SHIELD Act’s safeguards apply on top. The Act requires reasonable administrative, technical, and physical safeguards.

The consequence of a SHIELD Act violation is New York Attorney General enforcement and civil penalties. A real-world example is a New York hospital that meets HIPAA but has not written a separate SHIELD Act safeguard policy.

Enforcement and Penalties

The HITECH Act created the four-tier penalty system that OCR uses today. Tiers run from lack of knowledge to willful neglect, and each tier has an adjusted minimum and maximum that HHS updates each year for inflation.

The consequence of any tier is a civil money penalty plus a corrective action plan. A real-world example is the $2.175 million Sentara Hospitals settlement for breach notification failures. A common misconception is that small providers face small fines, but Tier 3 penalties can still be severe.

2026 Penalty Tiers

The four tiers, as updated by HHS in November 2024, remain the controlling numbers into 2026. Tier 1 covers unknowing violations. Tier 2 covers reasonable cause. Tier 3 and Tier 4 cover willful neglect that is corrected or not corrected.

The consequence of Tier 4 is a per-violation penalty that can reach over $2.1 million in the aggregate for identical violations in a calendar year. A real-world example is a repeat offender that ignored OCR’s prior warnings and paid Tier 4 penalties.

Key OCR Enforcement Examples

OCR publishes resolution agreements that show exactly what went wrong. The North Memorial Health Care settlement of $5.55 million involved a missing BAA. The Raleigh Orthopaedic Clinic paid $750,000 after handing PHI to a vendor with no BAA in place.

The consequence of these cases is public shaming on the OCR breach portal along with the cash penalty. A real-world example is a covered entity that loses hospital contracts after appearing on the portal.

Mistakes to Avoid

Covered entities repeat the same errors year after year. The OCR audit program has flagged each of these mistakes in past cycles, and each one maps to a specific Privacy Rule or Security Rule citation.

  • Signing a BAA for a treatment disclosure, which adds duties the law does not require and can confuse audit trails.
  • Skipping a BAA for in-house billing services provided to another covered entity, which triggers a direct 45 CFR 164.502(e) violation.
  • Treating an OHCA as a BAA substitute when the two structures serve different purposes and need separate documentation.
  • Failing to file an ACE designation in writing, which voids the ACE benefit and exposes each member to separate OCR action.
  • Ignoring state overlays like CMIA, HB 300, and SHIELD Act, which lead to state attorney general enforcement even if HIPAA is met.
  • Using a BAA where a DUA is the right contract, which misassigns duties and can expose research data to unnecessary rules.
  • Letting BAAs go stale after the Omnibus Rule, since the 2013 Omnibus Final Rule added new duties that old BAAs do not reflect.
  • Forgetting subcontractor BAAs, which have been required from business associates since the Omnibus Rule went live.
  • Missing the breach notification chain, which requires a business associate to notify the covered entity without unreasonable delay under 45 CFR 164.410.
  • Assuming that common ownership equals an ACE, when the written designation step is still required.

Do’s and Don’ts

The do’s and don’ts below come straight from OCR guidance and audit protocols. Each point has a short reason attached so the reader can remember the why, not just the rule.

Do:

  • Do map each vendor relationship to a HIPAA role, because role drives contract choice.
  • Do review BAAs every two years, because the Omnibus Rule and state laws keep changing.
  • Do train staff on TPO disclosures, because most day-to-day PHI moves fall inside TPO.
  • Do document OHCA and ACE structures in writing, because OCR asks for the paper in every audit.
  • Do align BAAs with breach notification timelines, because late notice is its own violation.

Don’t:

  • Don’t sign a BAA for every data exchange, because extra contracts create extra duties.
  • Don’t rely on oral agreements, because 45 CFR 164.504(e) requires written contracts.
  • Don’t copy old BAA templates without review, because pre-2013 forms miss Omnibus updates.
  • Don’t ignore state laws that stack on top of HIPAA, because state AGs bring their own cases.
  • Don’t delay breach reports past the 60-day outer limit, because OCR treats the delay as willful neglect.

Pros and Cons of Signing a BAA Between Covered Entities

Even when a BAA is not strictly required, some covered entities still sign one. The choice carries tradeoffs that deserve a careful look.

Pros:

  • Clear risk allocation, because the BAA spells out who reports a breach.
  • Insurance alignment, because many cyber policies reward written BAAs.
  • Audit readiness, because OCR will not push back on an extra contract.
  • Simpler vendor management, because one template covers many relationships.
  • Stronger patient trust, because contracts signal care for data.

Cons:

  • Extra legal spend, because unneeded contracts still take lawyer time.
  • Misaligned duties, because a BAA may impose duties that do not fit a pure TPO exchange.
  • False sense of coverage, because a BAA does not replace OHCA or ACE documentation.
  • Slower deal cycles, because negotiation stalls referral or payment relationships.
  • Possible OCR confusion, because an unneeded BAA can make a covered entity look like a business associate in an audit.

Key Entities in the BAA Landscape

Several federal and state entities shape how BAAs work. The U.S. Department of Health and Human Services (HHS) writes the rules. The Office for Civil Rights (OCR) enforces the rules. The Centers for Medicare and Medicaid Services (CMS) oversees the transaction and code set rules under HIPAA.

On the state side, state attorneys general have concurrent HIPAA enforcement power under the HITECH Act. The Federal Trade Commission (FTC) handles non-HIPAA health data under its Health Breach Notification Rule. These entities often coordinate on large breaches.

The 2025 HIPAA Security Rule NPRM

In January 2025, HHS published a Notice of Proposed Rulemaking to update the HIPAA Security Rule for the first time since 2013. The proposal would remove the difference between required and addressable specifications. It would also require covered entities and business associates to keep written inventories of technology assets and to test security plans every year.

The consequence of the proposal, if finalized, is a much stricter Security Rule for every BAA that references that rule. A real-world example is a hospital that signs a BAA today with soft security language that would need to be rewritten once the rule is final. A common misconception is that the NPRM only affects vendors, but covered entities face the same new duties.

The proposed rule is housed at the HHS OCR proposed rules page. Public comments closed in early 2025, and a final rule is expected by late 2026. Covered entities should begin aligning BAA templates now.

Named Example Walkthroughs

Here are three named fact patterns that pull the rules together. Each uses a common provider type and shows when a BAA is needed and when it is not.

Example 1: Dr. Marcus Lee, a family physician, refers his patient Sandra to Midwest Cardiology for a stress test. Both offices are covered entities and both are treating Sandra. No BAA is needed under 45 CFR 164.506(c)(2).

Example 2: Valley Surgery Center pays Lakeside Hospital’s billing office $4 per claim to process its insurance claims. Lakeside is providing a billing service to Valley, so Lakeside is a business associate. A signed BAA is required under 45 CFR 164.502(e).

Example 3: Evergreen Health Plan pays a provider network, which includes Pineridge Medical Group, for services rendered to a member. That is a payment disclosure between two covered entities. No BAA is needed.

Process for Deciding Whether to Sign a BAA

A repeatable process helps avoid mistakes on close-call deals. The process below maps every common fact pattern to the right contract.

  • Step 1: Identify each party’s HIPAA role. If either party is not a covered entity or business associate, HIPAA may not apply at all.
  • Step 2: Describe the PHI flow. Write one sentence that states what PHI moves, from whom, to whom, and why.
  • Step 3: Apply the TPO test. If the flow is pure treatment, payment, or operations, no BAA is needed.
  • Step 4: Apply the on-behalf-of test. If one party performs a business associate function for the other, a BAA is needed.
  • Step 5: Check OHCA or ACE status. If the parties share a joint structure, document that structure in writing.
  • Step 6: Choose the right contract. Pick BAA, DUA, OHCA documentation, or ACE designation.
  • Step 7: Layer state law. Apply CMIA, HB 300, SHIELD Act, or other state rules on top of the federal contract.

The consequence of skipping any step is a misfit contract. A real-world example is a clinic that signed a BAA with its EHR vendor but never checked that the vendor uses subcontractors with their own BAAs.

Court Rulings That Shape BAA Practice

Two court rulings have shaped how OCR and the industry read BAA rules. The first is Ciox Health, LLC v. Azar, a 2020 decision from the U.S. District Court for the District of Columbia. The court struck down HHS’s third-party directive fee limit for PHI disclosures, which changed how business associates handle medical records requests.

The consequence of Ciox is that records companies can charge market rates for third-party directives but must still cap fees for patient direct requests. A real-world example is a business associate that now bills third-party law firm requests at higher rates without a HIPAA violation.

The second case is Byrne v. Avery Center for Obstetrics and Gynecology, P.C., a Connecticut Supreme Court ruling. The court held that HIPAA does not preempt state negligence claims tied to PHI disclosures. The consequence is that patients can sue providers directly in state court for HIPAA-style duties, even though HIPAA itself has no private right of action.

FAQs

Is a BAA required between two hospitals sharing a patient’s chart for treatment?

No. Federal HIPAA allows treatment disclosures between covered entities under 45 CFR 164.506(c)(2), so no BAA is needed for care coordination.

Is a BAA required when a hospital does billing for another hospital?

Yes. The billing hospital acts as a business associate of the other hospital, so a written BAA is required under 45 CFR 164.502(e).

Is a BAA required between a health plan and a provider for payment?

No. Payment disclosures between covered entities are authorized by the Privacy Rule, so no BAA is needed for routine claim payment.

Is a BAA required inside an Organized Health Care Arrangement?

No. OHCA participants may share PHI for the joint operations of the arrangement without a BAA, though written documentation of the OHCA is strongly recommended.

Is a BAA required for Affiliated Covered Entity members?

No. Members of a properly designated ACE act as one covered entity, so no internal BAAs are needed, but the written ACE designation is required.

Is a BAA the same as a Data Use Agreement?

No. A DUA applies only to limited data sets, carries fewer duties, and does not create a business associate relationship under HIPAA.

Is a BAA required under California’s CMIA even when HIPAA does not require one?

Yes. CMIA reaches more parties and more functions than HIPAA, so a California-specific agreement may be required even when a federal BAA is not.

Is a BAA required for a covered entity’s outside legal counsel?

Yes. Outside counsel that reviews PHI for a covered entity acts as a business associate, so a BAA is required before PHI is shared.

Is a BAA required for an electronic health information exchange (HIE)?

Yes. An HIE that holds PHI on behalf of participating covered entities is a business associate of each, so BAAs with the HIE are required.

Is a BAA required between a covered entity and the U.S. Postal Service?

No. The Privacy Rule treats the Postal Service and similar conduits as mere transmitters of PHI, so no BAA is required.

Is a BAA required when one covered entity buys de-identified data from another?

No. Properly de-identified data under 45 CFR 164.514 is not PHI, so no BAA is required.

Is a BAA required between members of an Accountable Care Organization?

Yes. ACO participants often need BAAs with the ACO itself because the ACO performs operations on behalf of its participants under CMS ACO program rules.