A HIPAA Business Associate Agreement (BAA) is a legally required contract between a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and any business associate that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity’s behalf. Without a properly executed BAA, both parties face significant regulatory risk---including civil penalties up to $2.13 million per violation category per year and potential criminal penalties.
This HIPAA compliance checklist covers the required provisions, common oversights, and practical considerations for drafting, reviewing, and managing BAAs. Whether you are a health system vetting a new vendor, a health IT company onboarding a hospital client, or a compliance officer reviewing your existing BAA portfolio, use this as a working reference.
When You Need a BAA
A BAA is required whenever a business associate will handle PHI. The definition of “business associate” under HIPAA is broad. It includes any person or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. Common examples:
- Cloud hosting providers storing PHI (AWS, Azure, GCP---all offer BAAs)
- EHR vendors and health IT software companies
- Integration engine providers and interface consultants
- Medical billing and coding companies
- Data analytics firms processing clinical data
- IT managed service providers with access to systems containing PHI
- Consultants who access PHI during system implementations
- Shredding and disposal companies handling physical PHI
- Attorneys and accountants who receive PHI in the course of their services
The BAA must be signed before any PHI is shared. Not after the project starts. Not after the first data transfer. Before.
Subcontractor BAAs
If your business associate uses subcontractors who will access PHI, those subcontractors are themselves business associates under HIPAA. Your business associate must have BAAs in place with every subcontractor in the chain. This “chain-down” requirement was strengthened by the HITECH Act and the 2013 Omnibus Rule. It means the covered entity’s compliance depends on every link in the vendor chain having proper agreements.
Required BAA Provisions
The HIPAA Privacy Rule (45 CFR 164.504(e)) and Security Rule (45 CFR 164.314(a)) specify what a BAA must contain. Here is the complete list of required provisions.
1. Permitted Uses and Disclosures
The BAA must specify exactly what the business associate is allowed to do with PHI. This includes:
- The specific services or functions the business associate performs
- Whether PHI can be used for the business associate’s own management and administration
- Whether PHI can be used for data aggregation services (combining PHI from multiple covered entities for analytics)
- Whether the business associate can de-identify PHI according to 45 CFR 164.514
Checklist item: Does the BAA clearly define the permitted uses and prohibit all other uses? Avoid broad language like “any purpose related to the services.” Be specific.
2. Safeguard Requirements
The business associate must agree to use appropriate safeguards to prevent unauthorized use or disclosure of PHI. This encompasses:
- Administrative safeguards: Workforce training, access management policies, security officer designation, risk assessments
- Physical safeguards: Facility access controls, workstation security, device and media controls
- Technical safeguards: Access controls, audit controls, integrity controls, transmission security (encryption)
Checklist item: Does the BAA require the business associate to implement safeguards that are “appropriate” as defined by the HIPAA Security Rule? Does it reference compliance with 45 CFR Part 164, Subpart C?
3. Breach Notification
The business associate must report any breach of unsecured PHI to the covered entity. The HITECH Act sets specific requirements:
- Timeframe: The business associate must report a breach without unreasonable delay and no later than 60 days after discovery
- Content: The notification must include the nature of the breach, the types of PHI involved, the individuals affected, what the business associate has done to mitigate harm, and what steps individuals should take to protect themselves
- Investigation: The business associate must investigate the incident to determine whether a breach occurred
Checklist item: Does the BAA specify a breach notification timeframe? Many organizations negotiate shorter windows (e.g., 5-10 business days) than the HIPAA maximum of 60 days. Does it define what constitutes “discovery” of a breach?
Important distinction: The BAA must also require reporting of unauthorized uses or disclosures that do not rise to the level of a breach (45 CFR 164.504(e)(2)(ii)(C)). A security incident that does not meet the breach threshold---for example, an unauthorized access that was quickly contained---still must be reported to the covered entity. This reporting obligation is broader than breach notification and is frequently tested in OCR audits.
4. Subcontractor Requirements
The business associate must ensure that any subcontractors who access PHI agree to the same restrictions and conditions that apply to the business associate. In practice, this means:
- The business associate must have BAAs with all subcontractors
- The subcontractor BAAs must contain the same required provisions
- The business associate is responsible for the subcontractor’s compliance
Checklist item: Does the BAA explicitly require the business associate to obtain BAAs from all subcontractors? Does it hold the business associate accountable for subcontractor violations?
5. Individual Rights
The business associate must make PHI available to support the covered entity’s obligations to individuals under the HIPAA Privacy Rule:
- Access: The business associate must provide PHI to the covered entity (or directly to the individual) when an individual requests access to their records, within 30 days
- Amendment: The business associate must make amendments to PHI as directed by the covered entity
- Accounting of disclosures: The business associate must track disclosures of PHI and provide this information to support the covered entity’s obligation to provide an accounting of disclosures
Checklist item: Does the BAA address all three individual rights (access, amendment, accounting of disclosures)? Are timeframes specified?
6. HHS Access
The business associate must make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for compliance investigations.
Checklist item: Is the HHS access provision included? This is a non-negotiable regulatory requirement.
7. Return or Destruction of PHI
Upon termination of the BAA, the business associate must return or destroy all PHI received from or created on behalf of the covered entity. If return or destruction is not feasible (e.g., PHI embedded in backups), the BAA must specify that protections extend indefinitely to the retained PHI.
Checklist item: Does the BAA address PHI disposition at termination? Does it define what happens to PHI in backups and archives where destruction is not feasible?
8. Termination for Cause
The covered entity must have the right to terminate the BAA if it determines that the business associate has violated a material term. The BAA should specify:
- What constitutes a material breach
- A cure period (if any) for the business associate to remedy the violation
- The covered entity’s right to terminate immediately if the breach is not cured
Checklist item: Does the BAA include termination provisions? Is the cure period reasonable (typically 30 days)?
Practical Provisions Beyond the Minimum
The HIPAA-required provisions are a floor, not a ceiling. Sophisticated covered entities and business associates include additional provisions to address real-world risks.
Security Standards Specification
Go beyond “appropriate safeguards” and specify minimum security standards:
- Encryption requirements (AES-256 at rest, TLS 1.2+ in transit)
- Multi-factor authentication for systems accessing PHI
- Annual penetration testing and vulnerability scanning
- SOC 2 Type II or HITRUST certification requirements
- Minimum and maximum data retention periods
Insurance and Indemnification
- Minimum cyber liability insurance requirements ($1M-$5M is common)
- Indemnification for breach-related costs (notification, credit monitoring, legal fees, regulatory fines)
- Whether the business associate carries its own breach notification insurance
Audit Rights
- The covered entity’s right to audit the business associate’s security controls
- Frequency of audits (annual is standard)
- Whether the covered entity can require third-party audit reports (SOC 2, HITRUST)
Incident Response
- Joint incident response procedures
- Communication protocols during a breach investigation
- Media and public communication coordination
Common BAA Mistakes
Using a template without review. A BAA template from the internet might satisfy the minimum HIPAA requirements, but it will not address your specific risk profile, security standards, or business relationship. Every BAA should be reviewed by legal counsel familiar with HIPAA.
Missing the subcontractor chain. Your BAA with a primary vendor is meaningless if that vendor’s cloud hosting provider does not also have a BAA in place. Verify the full chain. Ask your business associates to confirm their subcontractor BAAs are current.
No breach notification timeline. The HIPAA maximum is 60 days, which is too slow for most organizations. Negotiate a shorter window (5-15 business days) so you can meet your own notification obligations to individuals and HHS.
Vague permitted uses. A BAA that allows the business associate to use PHI for “purposes related to the agreement” is too broad. Specify the functions, the types of PHI involved, and the permitted uses precisely.
Failing to review existing BAAs. BAAs are not set-and-forget documents. Review them annually. Vendors change their services, subcontractors, and security posture. Your BAA should reflect the current state of the relationship.
No termination provisions for PHI. If you terminate a vendor relationship, what happens to the PHI they hold? If the BAA does not address this, you have no contractual mechanism to compel return or destruction.
BAA Management Checklist
Use this as a practical tracking checklist for your BAA program:
- Maintain an inventory of all business associates and their BAA status
- Verify BAA execution before any PHI is shared with a new vendor
- Confirm subcontractor BAAs are in place for all vendors in the chain
- Set annual review dates for all active BAAs
- Update BAAs when vendor services, subcontractors, or security standards change
- Track breach notification obligations and test notification procedures annually
- Document PHI return/destruction at vendor offboarding
- Retain executed BAAs for at least 6 years (HIPAA record retention requirement)
- Include BAA review in your annual HIPAA risk assessment process
- Train procurement and vendor management staff on BAA requirements
HIPAA Business Associate Agreements are both a legal requirement and a practical risk management tool. A well-drafted BAA protects both parties, clarifies responsibilities, and establishes the framework for secure PHI handling. A weak or missing BAA is one of the most common findings in HIPAA audits and breach investigations.