This is common for general liability (i.e. if you do not postpone the end of your underlying contract), but unusual for violations where the normal practice is unlimited compensation. This is not as serious as it appears, as the types and amounts of costs associated with responding to violations are reasonably foreseeable and insurable. The following guide provides the basics of BAAs, including who needs them, when they are needed, what should be included in one of them, and a sample HIPAA Business Partnership Agreement (PDF) for 2017. HIPAA requires covered entities to only work with trading partners who provide comprehensive protection for PHI. These assurances must be made in writing in the form of a contract or other agreement between the covered entity and the BA.1 Whenever a business partner relationship exists between two parties, they are required to perform a BAA. (Note that a BAA doesn`t have to be a standalone agreement.