Are Business Associate Agreements Still Required Under HIPAA in 2025?

Kevin Henry

HIPAA

February 20, 2024

Overview of Business Associate Agreements

Yes—Business Associate Agreements (BAAs) are still required under HIPAA in 2025. A BAA is a written contract between a covered entity and a business associate that sets the rules for how Protected Health Information (PHI) is used, disclosed, safeguarded, and returned or destroyed.

Business associates include vendors and partners that create, receive, maintain, or transmit PHI or electronic PHI on your behalf. Typical examples are cloud service providers, billing companies, EHR vendors, eFax and email hosts, data analytics firms, and specialized consultants who access PHI.

A well-drafted BAA clarifies permitted uses and disclosures, assigns security and privacy responsibilities, establishes breach notification duties, and defines oversight and termination rights. It is the operational bridge that turns HIPAA’s legal requirements into day‑to‑day controls.

HIPAA Requirements for BAAs

HIPAA requires a BAA whenever a covered entity shares PHI with a business associate, and whenever a business associate engages a subcontractor that handles PHI. The BAA must obligate the business associate to comply with the HIPAA Privacy Rule and the HIPAA Security Rule, in particular the safeguards the Security Rule requires for electronic PHI (ePHI).

Core clauses every BAA must include

  • Permitted and required uses and disclosures of PHI, tied to the minimum necessary standard.
  • Obligations to implement administrative, physical, and technical safeguards for ePHI consistent with the HIPAA Security Rule.
  • Prompt reporting of security incidents and breaches, including details needed for risk assessments and required notifications.
  • Flow‑down: subcontractors that create, receive, maintain, or transmit PHI must agree to the same restrictions and safeguards.
  • Individual rights support: assistance with access, amendment, and accounting of disclosures when requested by the covered entity.
  • Availability to the Department of Health and Human Services for compliance review and audit.
  • Return or destruction of PHI at termination, or ongoing protections if return/destruction is infeasible.
  • Termination rights for material breach, plus continuing obligations for retained PHI.

These provisions ensure that downstream partners uphold the same protections that apply to covered entities, closing the loop on PHI stewardship.

Role of Business Associates in PHI Handling

Business associates operationalize HIPAA controls where PHI actually resides—in apps, networks, and hosted services. You should expect them to run risk analyses, apply role-based access controls, encrypt data in transit and at rest, log activity, and maintain incident response and disaster recovery capabilities.

They must use or disclose PHI only as permitted by the BAA and the underlying services agreement, adhere to minimum necessary, and promptly report incidents. When subcontractors are used, the business associate must impose equivalent safeguards and monitor performance to maintain end‑to‑end protection.

Proposed Updates to HIPAA Security Rule

The Department of Health and Human Services has signaled stronger baseline cybersecurity requirements for the healthcare sector. Proposed updates to the HIPAA Security Rule emphasize concrete controls and clearer expectations for both covered entities and business associates.

Themes you should anticipate in proposals

  • Stronger identity and access management, such as multi-factor authentication and least‑privilege enforcement.
  • Encryption of ePHI at rest and in transit, backed by key management and certificate lifecycle practices.
  • Asset inventory, vulnerability management, and timely patching to reduce exploitable attack surface.
  • Security logging, centralized monitoring, and documented incident response with defined timeframes.
  • Third-party risk management, including due diligence, continuous oversight, and subcontractor flow‑down.
  • Alignment with recognized security practices to demonstrate maturity and mitigate enforcement risk.

While these updates refine expectations, they do not remove the BAA requirement. Instead, they raise the bar for how your agreements describe, and how your vendors evidence, the safeguards applied to ePHI.

Compliance Strategies for BAAs in 2025

To keep pace with evolving threats and regulatory focus, align BAA language and vendor oversight with practical, testable controls. Tie obligations to outcome-oriented measures (for example, evidence that MFA is enforced or that backups have been restored in a test) so you can verify that a business associate is compliant rather than accept checkbox attestations.

Practical actions

  • Map BAA security obligations to internal policies and control frameworks you already use, then require equivalent or stronger controls from vendors.
  • Tier vendors by PHI volume and criticality, applying deeper diligence, logging, and reporting to high‑risk partners.
  • Require periodic evidence—such as penetration test summaries, SOC 2/ISO certifications, or vulnerability metrics—instead of one‑time questionnaires.
  • Set measurable breach notification timeframes and clarity on investigation cooperation, forensic access, and cost allocation.
  • Document recognized security practices adopted by the vendor to support defensibility during audits or investigations.

Impact of Enhanced Cybersecurity Measures

Enhanced controls reduce breach likelihood and impact, but they also change economics and accountability. You may see higher costs for secure hosting, monitoring, and 24/7 incident response, offset by fewer disruptions and lower regulatory exposure.

Sharper contractual terms drive better hygiene: vendors who handle more PHI must prove maturity, while smaller partners may need shared services or phased roadmaps. The net effect is stronger resilience and clearer lines of responsibility when events occur.

Steps to Revise Existing BAAs

Preparation

  • Inventory all BAAs and rank each vendor by PHI sensitivity, criticality, and cyber risk.
  • Perform a gap analysis comparing current contract terms against your security baseline and recent regulatory expectations.
  • Align legal, privacy, security, procurement, and operations on the target control set and acceptable evidence.

Key updates to draft

  • Permitted uses/disclosures: reaffirm minimum necessary and explicitly prohibit secondary use without written approval.
  • Security obligations: require specific HIPAA Security Rule controls, including MFA, encryption, segmentation, backups, and tested restoration.
  • Monitoring and evidence: mandate security logging, retention periods, and delivery of agreed artifacts (e.g., audit logs, test reports, remediation plans).
  • Breach and incident handling: define discovery, initial notice (e.g., within 24–72 hours), investigative cooperation, and root‑cause remediation timelines.
  • Third‑party flow‑down: ensure subcontractors sign equivalent terms and are continuously overseen.
  • Audit and assessment rights: permit reasonable reviews, with confidentiality protections and remediation checkpoints.
  • Data lifecycle: specify data minimization, retention limits, secure return or destruction, and verifiable sanitization.
  • Liability and insurance: align indemnities with risk, require cyber insurance, and set caps that reflect PHI exposure.
  • Termination assistance: ensure continuity plans and secure transition support without service gaps.

Governance and maintenance

  • Set an annual review cadence to update BAAs as threats and regulations evolve.
  • Track vendor performance with metrics tied to the contractual cybersecurity requirements, and escalate chronic nonconformance.
  • Train stakeholders so that contract promises match operational reality, on both the covered entity's side and the vendor's.

Conclusion

BAAs remain mandatory in 2025 and are central to safeguarding PHI. Strengthen them with precise security expectations, measurable evidence, and firm incident‑response obligations so both covered entities and business associates can prove resilience and compliance.

FAQs

Are Business Associate Agreements mandatory under HIPAA in 2025?

Yes. If a vendor or partner creates, receives, maintains, or transmits PHI for you, a BAA is required, including for subcontractors that handle PHI downstream.

What changes are proposed for BAAs in the updated HIPAA Security Rule?

Proposals focus on clearer, testable security expectations—such as MFA, encryption, logging, incident response timelines, vulnerability management, and stronger third‑party risk oversight. These would refine, not replace, BAA requirements.

How should covered entities update existing BAAs to remain compliant?

Reassess vendor risk, tighten permitted uses, specify concrete ePHI safeguards, set rapid breach‑reporting windows, require evidence of controls, enforce subcontractor flow‑down, and establish audit rights and remediation timelines.

What cybersecurity protections must be included in BAAs?

At minimum, require safeguards aligned to the HIPAA Security Rule: access controls with MFA, encryption in transit and at rest, monitoring and logging, vulnerability management and patching, incident response, backups and recovery, and continuous oversight of subcontractors.
