(Updated May 27, 2026) Saga IT

HIPAA Business Associate Agreement Checklist

Guide to HIPAA business associate agreements: required §164.504(e) provisions, subcontractor BAAs, cloud-provider BAAs, and an audit checklist.

Tags: HIPAA Compliance, Healthcare Security, Compliance

A HIPAA Business Associate Agreement (BAA) is a legally required contract between a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and any business associate that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity’s behalf. Under 45 CFR §164.502(e), a covered entity may not disclose PHI to a business associate without first obtaining a written contract providing “satisfactory assurance” that PHI will be safeguarded. Without a properly executed BAA, both parties face significant regulatory risk — including civil penalties up to $2,190,294 per identical violation per calendar year (HHS Tier-4 cap for willful neglect not corrected, effective January 2026 under the 2025 inflation adjustment) and potential criminal penalties.

This HIPAA compliance checklist covers the required provisions, common oversights, and practical considerations for drafting, reviewing, and managing BAAs. Whether you are a health system vetting a new vendor, a health IT company onboarding a hospital client, or a compliance officer reviewing your existing BAA portfolio, use this as a working reference.

When You Need a BAA

A BAA is required whenever a business associate will handle PHI. The definition of “business associate” under HIPAA is broad. It includes any person or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. Common examples:

  • Cloud hosting providers storing PHI (AWS, Azure, GCP — all offer BAAs)
  • EHR vendors and health IT software companies
  • Integration engine providers and interface consultants
  • Medical billing and coding companies
  • Data analytics firms processing clinical data
  • IT managed service providers with access to systems containing PHI
  • Consultants who access PHI during system implementations
  • Shredding and disposal companies handling physical PHI
  • Attorneys and accountants who receive PHI in the course of their services

The BAA must be signed before any PHI is shared. Not after the project starts. Not after the first data transfer. Before.

Subcontractor BAAs

If your business associate uses subcontractors who will access PHI, those subcontractors are themselves business associates under HIPAA. Your business associate must have BAAs in place with every subcontractor in the chain. This “chain-down” requirement was strengthened by the HITECH Act (§13408) and the 2013 Omnibus Rule. It means the covered entity’s compliance depends on every link in the vendor chain having proper agreements.

Required BAA Provisions

The HIPAA Privacy Rule (45 CFR §164.504(e)) and Security Rule (§164.314(a)) specify what a BAA must contain. The eight provisions below consolidate the requirements in paragraphs (A)–(J) of §164.504(e)(2)(ii).

[Figure: Eight required BAA provisions with CFR citations]

1. Permitted Uses and Disclosures

The BAA must specify exactly what the business associate is allowed to do with PHI. This includes:

  • The specific services or functions the business associate performs
  • Whether PHI can be used for the business associate’s own management and administration
  • Whether PHI can be used for data aggregation services (combining PHI from multiple covered entities for analytics)
  • Whether the business associate can de-identify PHI according to §164.514

Checklist item: Does the BAA clearly define the permitted uses and prohibit all other uses? Avoid broad language like “any purpose related to the services.” Be specific.

2. Safeguard Requirements

The business associate must agree to use appropriate safeguards to prevent unauthorized use or disclosure of PHI. This encompasses:

  • Administrative safeguards: Workforce training, access management policies, security officer designation, risk assessments
  • Physical safeguards: Facility access controls, workstation security, device and media controls
  • Technical safeguards: Access controls, audit controls, integrity controls, transmission security (encryption)

Checklist item: Does the BAA require the business associate to implement safeguards that are “appropriate” as defined by the HIPAA Security Rule? Does it reference compliance with 45 CFR Part 164, Subpart C? For the engineering side of these safeguards, see our HIPAA-compliant software development guide and the HIPAA Security Rule 2026 update.

3. Breach Notification

The business associate must report any breach of unsecured PHI to the covered entity. The 60-day clock comes from §164.410(b) (Breach Notification Rule):

  • Timeframe: The business associate must report a breach “without unreasonable delay and in no case later than 60 calendar days after discovery.”
  • Content: The notification must include the nature of the breach, the types of PHI involved, the individuals affected, what the business associate has done to mitigate harm, and what steps individuals should take to protect themselves
  • Investigation: The business associate must investigate the incident to determine whether a breach occurred

[Figure: Breach notification timeline — discovery, BA notice to the CE, downstream notice to individuals]

Checklist item: Does the BAA specify a breach notification timeframe? Many organizations negotiate shorter windows (e.g., 5–15 business days) than the HIPAA maximum of 60 days. Does it define what constitutes “discovery” of a breach?

Important distinction: The BAA must also require reporting of unauthorized uses or disclosures that do not rise to the level of a breach (§164.504(e)(2)(ii)(C)). A security incident that does not meet the breach threshold — for example, an unauthorized access that was quickly contained — still must be reported to the covered entity. This reporting obligation is broader than breach notification and is frequently tested in OCR audits.

4. Subcontractor Requirements

The business associate must ensure that any subcontractors who access PHI agree to the same restrictions and conditions that apply to the business associate. In practice, this means:

  • The business associate must have BAAs with all subcontractors
  • The subcontractor BAAs must contain the same required provisions
  • The business associate is responsible for the subcontractor’s compliance

Checklist item: Does the BAA explicitly require the business associate to obtain BAAs from all subcontractors? Does it hold the business associate accountable for subcontractor violations?

5. Individual Rights

The business associate must make PHI available to support the covered entity’s obligations to individuals under the HIPAA Privacy Rule:

  • Access (§164.524): The business associate must provide PHI to the covered entity (or directly to the individual) when an individual requests access to their records, within 30 days
  • Amendment (§164.526): The business associate must make amendments to PHI as directed by the covered entity
  • Accounting of disclosures (§164.528): The business associate must track disclosures of PHI and provide this information to support the covered entity’s obligation to provide an accounting of disclosures

Checklist item: Does the BAA address all three individual rights (access, amendment, accounting of disclosures)? Are timeframes specified?

6. HHS Access

The business associate must make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for compliance investigations (§164.504(e)(2)(ii)(I)).

Checklist item: Is the HHS access provision included? This is a non-negotiable regulatory requirement.

7. Carry-out of Covered Entity Obligations

This often-missed provision (§164.504(e)(2)(ii)(H)) requires that where the business associate is performing a covered entity’s obligation under Subpart E of Part 164 — for example, fulfilling an individual-access request or an accounting-of-disclosures request directly — the business associate must comply with the requirements of Subpart E that apply to the covered entity in performing that obligation. Standard internet templates routinely skip this clause.

Checklist item: If your BA fulfills any individual-rights request directly, does the BAA explicitly bind them to the Subpart E requirements applicable to the covered entity in that activity?

8. Return or Destruction of PHI + Termination for Cause

Upon termination of the BAA, the business associate must return or destroy all PHI received from or created on behalf of the covered entity (§164.504(e)(2)(ii)(J)). If return or destruction is not feasible (e.g., PHI embedded in backups), the BAA must specify that protections extend indefinitely to the retained PHI.

Separately, the covered entity must have the right to terminate the BAA if it determines that the business associate has violated a material term (§164.504(e)(2)(iii)). The BAA should specify what constitutes a material breach, the cure period (if any), and the covered entity’s right to terminate immediately if the breach is not cured.

Checklist item: Does the BAA address PHI disposition at termination? Does it define what happens to PHI in backups and archives where destruction is not feasible? Is the cure period reasonable (typically 30 days)?

Cloud Provider BAAs: AWS, Azure, GCP, and Google Workspace

The four major cloud platforms all offer HIPAA BAAs, but the mechanics differ. This is the most-asked-about category of BAA in practice — for the deeper deployment-architecture story, see our healthcare cloud security and healthcare security practices.

[Figure: AWS, Azure, GCP, and Google Workspace BAA processes compared side by side]

Provider         | How obtained                                           | Scope                                                                                         | Notes
-----------------|--------------------------------------------------------|-----------------------------------------------------------------------------------------------|------------------------------------------------------
AWS              | Self-service via AWS Artifact                          | 200+ HIPAA-eligible services (per the AWS HIPAA Eligible Services Reference, updated May 2026) | Restrict PHI workloads to eligible services only
Azure / M365     | Default-included via Microsoft Products + Services DPA | Azure, Office 365, Dynamics 365, Intune, Power Platform, M365 Copilot                         | No separate signature for covered entity / BA customers
GCP              | Self-service via Google Cloud Console                  | 100+ products incl. BigQuery, Vertex AI, Cloud Healthcare API, Gemini Enterprise              | Restrict PHI to BAA-covered products
Google Workspace | Accept in Workspace Admin Console                      | Gmail, Drive, Docs, Meet, Calendar (Workspace core apps)                                      | Separate agreement from GCP, with a different scope

Most large-vendor BAAs have aggressive limitation-of-liability terms that cap their breach exposure. Push back if you need higher caps for your insurance posture, but be realistic — you will not get unlimited indemnification from a hyperscaler.

Practical Provisions Beyond the Minimum

The HIPAA-required provisions are a floor, not a ceiling. Sophisticated covered entities and business associates include additional provisions to address real-world risks.

Security Standards Specification

Go beyond “appropriate safeguards” and specify minimum security standards:

  • Encryption requirements (AES-256 at rest, TLS 1.2+ in transit — TLS 1.3 preferred)
  • Multi-factor authentication for systems accessing PHI
  • Annual penetration testing and vulnerability scanning
  • SOC 2 Type II or HITRUST certification requirements
  • Minimum data retention and maximum data retention periods

Insurance and Indemnification

  • Minimum cyber liability insurance requirements ($1M–$5M is common)
  • Indemnification for breach-related costs (notification, credit monitoring, legal fees, regulatory fines)
  • Whether the business associate carries its own breach notification insurance

Audit Rights

  • The covered entity’s right to audit the business associate’s security controls
  • Frequency of audits (annual is standard)
  • Whether the covered entity can require third-party audit reports (SOC 2, HITRUST)

Incident Response

  • Joint incident response procedures
  • Communication protocols during a breach investigation
  • Media and public communication coordination

Common BAA Mistakes

These six recur in nearly every HIPAA audit and breach investigation.

[Figure: Six common BAA mistakes — unreviewed template, missing subcontractor chain, no tightened breach window, vague permitted uses, set-and-forget portfolio, no PHI return at termination]

Using a template without review. A BAA template from the internet might satisfy the minimum HIPAA requirements, but it will not address your specific risk profile, security standards, or business relationship. Every BAA should be reviewed by legal counsel familiar with HIPAA. The HHS Office for Civil Rights publishes sample BAA provisions as a starting point — minimum-floor language only.

Missing the subcontractor chain. Your BAA with a primary vendor is meaningless if that vendor’s cloud hosting provider does not also have a BAA in place. Verify the full chain. Ask your business associates to confirm their subcontractor BAAs are current.

No breach notification timeline. The HIPAA default is 60 days, which is too slow for most organizations. Negotiate a shorter window (5–15 business days) so you can meet your own notification obligations to individuals and HHS.

Vague permitted uses. A BAA that allows the business associate to use PHI for “purposes related to the agreement” is too broad. Specify the functions, the types of PHI involved, and the permitted uses precisely.

Failing to review existing BAAs. BAAs are not set-and-forget documents. Review them annually. Vendors change their services, subcontractors, and security posture. Your BAA should reflect the current state of the relationship.

No termination provisions for PHI. If you terminate a vendor relationship, what happens to the PHI they hold? If the BAA does not address this, you have no contractual mechanism to compel return or destruction.

BAA Management Checklist

Use this as a practical tracking checklist for your BAA program:

[Figure: 10-step BAA management lifecycle checklist]

  1. Maintain an inventory of all business associates and their BAA status
  2. Verify BAA execution before any PHI is shared with a new vendor
  3. Confirm subcontractor BAAs are in place for all vendors in the chain
  4. Set annual review dates for all active BAAs
  5. Update BAAs when vendor services, subcontractors, or security standards change
  6. Track breach notification obligations and test notification procedures annually
  7. Document PHI return/destruction at vendor offboarding
  8. Retain executed BAAs for at least 6 years (§164.530(j)(2) record retention)
  9. Include BAA review in your annual HIPAA risk assessment process
  10. Train procurement and vendor management staff on BAA requirements

Frequently Asked Questions

What is a HIPAA Business Associate Agreement?

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity and any business associate that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. It binds the business associate to use appropriate safeguards, report breaches, return or destroy PHI at termination, and meet the other obligations under 45 CFR §164.504(e). Without an executed BAA, the covered entity is in violation of the Privacy Rule the moment PHI is shared.

When is a BAA required?

A BAA is required whenever a covered entity discloses PHI to a person or organization that performs functions on its behalf involving the use or disclosure of PHI. That covers cloud hosting providers, EHR vendors, billing companies, IT MSPs, consultants with system access, attorneys handling PHI, and disposal vendors — among others. The BAA must be signed before any PHI is shared.

What must a HIPAA BAA include?

§164.504(e)(2)(ii) requires eight categories of provisions: permitted uses and disclosures, appropriate safeguards, breach notification, subcontractor BAAs, individual-rights support (access, amendment, accounting of disclosures), HHS access, carry-out of CE obligations under Subpart E, and return or destruction of PHI at termination. The BAA must also include termination-for-cause language under §164.504(e)(2)(iii).

Does AWS, Azure, or Google Cloud sign a BAA?

Yes — all three offer HIPAA BAAs. AWS uses a self-service flow through AWS Artifact. Azure includes the BAA in the Microsoft Products + Services Data Protection Addendum by default (no separate signature for covered entity / BA customers). GCP uses a self-service request through the Google Cloud Console. Google Workspace has its own BAA, separate from the GCP BAA, accepted in the Workspace Admin Console.

What happens if you don't have a BAA?

Sharing PHI with a business associate without an executed BAA is a per-se violation of the HIPAA Privacy Rule. OCR has the authority to impose civil monetary penalties up to $2,190,294 per identical violation per calendar year at Tier 4 (willful neglect, not corrected). In practice, missing-BAA findings often surface during breach investigations and result in corrective action plans, multi-year monitoring agreements, and significant settlements even when a breach has not yet occurred.


HIPAA Business Associate Agreements are both a legal requirement and a practical risk management tool. A well-drafted BAA protects both parties, clarifies responsibilities, and establishes the framework for secure PHI handling. A weak or missing BAA is one of the most common findings in HIPAA audits and breach investigations.
