Data Processing Agreements: What Is a DPA?

September 16, 2025
In today’s digital world, handling personal and health-related data responsibly isn’t just best practice – it’s the law. If you’re a hospital, a healthcare vendor, or even a small medical practice using third-party services, understanding what a Data Processing Agreement (DPA) is, and why it matters, can protect your organization from hefty penalties and reputational damage. Under HIPAA (Health Insurance Portability and Accountability Act), DPAs typically appear as Business Associate Agreements (BAAs) and are required anytime protected health information (PHI) is shared with outside vendors.
This guide breaks down what a DPA is, how it intersects with HIPAA, and why these agreements play such a pivotal role in keeping patient data secure and your organization compliant.
What Is a DPA and Why Does It Matter?
A Data Processing Agreement (DPA) is a legally binding contract between two main parties: the data controller – usually the healthcare provider – and the data processor, such as a vendor or service provider who handles data on the controller’s behalf. The DPA outlines rules around how that data is stored, accessed, shared, and protected.
In the HIPAA ecosystem, a DPA takes the form of a Business Associate Agreement (BAA). Whenever a business associate – like a billing service, cloud storage provider, or IT consultant – has access to PHI, HIPAA requires that a BAA be in place (HHS).
Here’s why these agreements are essential:
- They clarify legal responsibilities for both parties.
- They ensure PHI is handled according to HIPAA regulations.
- They offer protection in case of audits or investigations.
- They define how breaches are reported and mitigated.
- They establish expectations for subcontractor compliance.
Are DPAs and BAAs the Same Thing?
In casual use, yes – but technically, not always. A DPA is a general term used in global data protection laws (like the GDPR), while a BAA is specific to HIPAA and the U.S. healthcare industry. However, both serve the same function: they define how data processors can handle personal information.
What do these agreements usually contain?
- Boundaries on how data is used and disclosed
- Security controls for data protection
- Breach notification processes
- Rules for data deletion after service termination
- Language about subcontractor oversight
DPAs and BAAs are essentially the gatekeepers of patient data in the modern healthcare system.
What Should Be in a DPA or BAA?
To be compliant with HIPAA, your agreement must include certain legal clauses and operational standards.
Required Elements:
- A clear description of the services involving PHI.
- Restrictions on data usage beyond the scope of services.
- A list of required technical and administrative safeguards.
- Protocols for notifying covered entities of breaches.
- Terms on data return or destruction at the end of the contract.
- Permission for government audits and access to documentation.
- Responsibilities for managing subcontractors.
These components collectively ensure that all parties are aligned on how sensitive health data is handled.
Common Scenarios That Require a DPA
DPAs aren’t just for IT companies. If you’re in healthcare and you use third-party services, chances are you need a DPA.
Situations that require a DPA include:
- Storing patient records in the cloud
- Using an external billing company
- Employing an email provider to send patient reminders
- Contracting shredding services for document disposal
- Offering telehealth via a third-party platform
- Outsourcing customer support to a call center
The Privacy Rights Clearinghouse explains that even services that could potentially access PHI – like a helpdesk – should be covered by a DPA.
What Happens If You Don’t Have One?
Skipping the DPA or BAA can lead to major setbacks:
- Fines: HIPAA violations can cost hundreds of thousands to millions of dollars.
- Loss of patient trust: People expect their data to be handled securely.
- Legal risks: Lack of a clear contract opens the door to disputes.
- Compliance issues: You may fail audits or lose certifications.
Regulators take documentation seriously. Even if you’ve followed privacy best practices, not having a contract in place could still result in penalties.
The Role of Telehealth and Communication Platforms
Telehealth platforms exploded in popularity during the COVID-19 pandemic. But with new technology comes new compliance questions.
For instance, during the public health emergency, HHS allowed providers to use tools like FaceTime or Skype, even if they weren’t fully HIPAA compliant. This policy, known as “enforcement discretion,” ended on May 11, 2023, when the Public Health Emergency officially expired.
That policy was temporary. Today, using those same tools without a BAA could land you in hot water.
Examples:
- HIPAA-compliant: Zoom for Healthcare, Doxy.me, Google Meet (Workspace edition)
- Not HIPAA-compliant: Standard FaceTime, Facebook Messenger, WhatsApp
Before using any tool for telehealth, confirm whether it provides a BAA.
Key Responsibilities of the Data Processor
Once a DPA is signed, the processor takes on several responsibilities:
- Act only as directed by the data controller
- Implement encryption and other safeguards
- Notify of any breach or suspected incident
- Keep audit trails
- Train staff and monitor compliance internally
A contract is just the beginning – ongoing oversight is equally important.
Best Practices for Managing DPAs
Managing multiple agreements across vendors can get messy. Here’s how to stay organized and compliant:
- Use a centralized system to track all DPAs and BAAs
- Update agreements regularly to reflect service changes
- Assign a compliance officer or legal team to review contracts
- Set calendar reminders for contract renewals
- Train all relevant staff on HIPAA obligations
Final Thoughts
A DPA isn’t just another legal form – it’s a frontline defense for your organization and your patients. If you’ve ever wondered “What is a DPA?”, now you know: it’s a required step for HIPAA compliance that holds everyone accountable for safeguarding health data.
By properly structuring and managing these agreements, you demonstrate your organization’s commitment to privacy, transparency, and the law. And that’s something patients – and regulators – will appreciate.