BAA Review Checklist: What to Look for in a HIPAA Business Associate Agreement
A well-drafted Business Associate Agreement (BAA) is the foundation of responsible data sharing between a covered entity and a vendor that touches Protected Health Information (PHI). This checklist shows you exactly what to verify so your agreement aligns with the HIPAA Privacy Rule, Security Rule, and HITECH Act Compliance requirements.
Use the sections below to confirm that PHI is used only as intended, protected with robust safeguards, and governed by clear accountability, Breach Notification Requirements, and fair risk allocation.
Identification of Business Associates
The agreement should precisely identify each party, their role, and the services requiring access to PHI. Clear scoping prevents unauthorized activities and ensures downstream obligations attach to the right organizations and people.
Checklist
- Legal names and addresses of the covered entity and each business associate (including affiliates, if applicable).
- Plain-language description of services that involve PHI and why access is needed.
- Designation of privacy and security contacts for notices and escalations.
- Statement that the BA acts only on the covered entity’s behalf and within documented instructions.
- Identification of any known subcontractors that will handle PHI and a commitment to execute Subcontractor Agreements.
- Effective date, term, and how amendments will be handled as regulations evolve.
Red flags
- Vague role definitions that could imply independent control over PHI uses.
- Silence on subcontractors despite anticipated downstream services.
- No named security contact for urgent incident communications.
Permitted Uses and Disclosures of PHI
This section anchors compliance with the HIPAA Privacy Rule by limiting how PHI may be used and shared. It should reflect the minimum necessary standard and prohibit uses unrelated to contracted services without prior authorization.
Checklist
- Explicit, narrow purposes for using or disclosing PHI tied to defined services.
- Minimum necessary requirement and prohibition on unauthorized secondary uses.
- Rules for de-identification or aggregation, if permitted, with clear controls.
- Prohibitions on marketing, sale of PHI, or other activities requiring authorization.
- Conditions for disclosures required by law, including prior notice to the covered entity where permissible.
Red flags
- Open-ended or “any lawful purpose” language.
- Implicit rights to data mining, analytics, or product development without express permission.
- No mention of the minimum necessary standard.
Safeguards Implementation
Security obligations should track the HIPAA Security Rule and specify Administrative Safeguards, as well as technical and physical protections appropriate to the sensitivity of PHI. Look for measurable controls and proof of ongoing risk management.
Checklist
- Administrative Safeguards: risk analysis, policies and procedures, workforce training, role-based access, and sanction processes.
- Technical safeguards: unique IDs, multi-factor authentication, encryption in transit and at rest, audit logs, and alerting.
- Physical safeguards: secure facilities, device/media controls, and disposal procedures.
- Documented incident response, business continuity, and disaster recovery plans tested periodically.
- Vendor oversight of third parties with equivalent security controls.
- Evidence of ongoing assessments and remediation to maintain HITECH Act Compliance.
Red flags
- High-level promises with no specific controls, metrics, or review cadence.
- Lack of encryption or logging for systems storing PHI.
- No training or sanction policy for workforce members.
Breach Notification Procedures
Your BAA must define Breach Notification Requirements so you can meet legal timelines and respond effectively. It should specify triggers, who is notified, what the notice includes, and how remediation and costs are handled.
Checklist
- Clear definitions of “security incident” and “breach,” with prompt internal notice obligations.
- BA to notify the covered entity without unreasonable delay and within a specific window, enabling compliance with federal deadlines to notify affected individuals.
- Required contents of the report: incident description, PHI elements involved, number of individuals, risk assessment, mitigation, and prevention steps.
- Allocation of responsibilities for individual and regulator notifications, credit monitoring, call centers, and mailings.
- Duty to cooperate with investigations and provide ongoing updates and root-cause analysis.
- Recordkeeping obligations to document decision-making and notifications.
Red flags
- Notice obligations that are discretionary or lack a firm timeframe.
- No requirement to share forensic findings or mitigation plans.
- All breach-related costs pushed to the covered entity regardless of fault.
Subcontractor Compliance
Any subcontractor that creates, receives, maintains, or transmits PHI must be bound by the same restrictions as the BA. Strong flow-down terms ensure consistent protections across your vendor ecosystem.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Checklist
- Written Subcontractor Agreements imposing equivalent privacy and security obligations.
- Prior notice and, where appropriate, approval rights before engaging new subcontractors.
- BA remains fully responsible for subcontractor acts and omissions.
- Security due diligence and ongoing monitoring of subcontractors with PHI access.
- Immediate termination or suspension rights for noncompliant subcontractors.
Red flags
- Silent on subcontractors or allows unrestricted downstream transfers of PHI.
- No requirement that subcontractors notify the BA promptly about incidents.
Return or Destruction of PHI
End-of-engagement terms must ensure PHI does not linger unnecessarily. The BAA should require secure return or destruction of PHI, with limited retention only where return or destruction is infeasible and protections continue.
Checklist
- Clear timelines and formats for returning PHI to the covered entity.
- Secure destruction methods (e.g., media sanitization, certificate of destruction) and key management for encrypted data.
- Documented exceptions where destruction is infeasible, with continued protections and restricted uses.
- Obligation to purge backups and replicas as technically feasible and verify completion.
Red flags
- Indefinite retention rights without justification.
- No requirement to destroy backups or provide destruction certification.
Termination Rights
Termination language should allow you to act decisively when the BA cannot or will not comply. It should balance cure opportunities with immediate termination for serious or persistent violations.
Checklist
- Defined material breach standards and a reasonable cure period when appropriate.
- Immediate termination for egregious or repeated noncompliance impacting PHI.
- Transition assistance to return or migrate PHI safely before or after termination.
- Survival of confidentiality, indemnity, and recordkeeping obligations.
Red flags
- No termination right for noncompliance with HIPAA obligations.
- Termination conditioned on impractical or undefined prerequisites.
Compliance with HIPAA Rules
The BAA should explicitly require compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, as well as HITECH Act Compliance where applicable. It should also reflect ongoing governance, training, and cooperation duties.
Checklist
- Commitment to maintain written policies, workforce training, and sanctions for violations.
- Periodic risk analyses with remediation and documentation.
- Cooperation with audits or investigations by regulators.
- Processes for honoring individual rights requests when the BA supports those functions.
Red flags
- Silence on the Privacy Rule or Security Rule.
- No process to address individual rights requests or regulatory inquiries.
Audit Rights and Documentation
Verification is essential. The BAA should grant reasonable audit and monitoring rights and obligate the BA to maintain and provide documentation that proves ongoing compliance.
Checklist
- Right to request relevant policies, training records, risk analyses, and remediation plans.
- Reasonable on-site or remote assessments with agreed scope and frequency.
- Availability of independent assessments or certifications to evidence controls.
- Corrective action plans with deadlines and follow-up validation.
- Retention periods for security and incident records supporting compliance.
Red flags
- No audit rights or only one-time due diligence allowances.
- Denial of access to basic security documentation or logs.
Indemnification and Liability
Indemnification and liability provisions allocate financial risk if something goes wrong. Seek clarity on who defends, who pays, and under what limits, with fair carve-outs tied to fault and regulatory obligations.
Checklist
- Mutual indemnification for third-party claims arising from each party’s breaches or violations.
- Clear duty to defend and cooperate, including selection of counsel and settlement controls.
- Defined scope of recoverable damages, including breach response and notification costs when caused by the BA.
- Reasonable liability caps with carve-outs for willful misconduct or gross negligence.
- Insurance requirements proportionate to PHI volume and risk profile.
- Survival of indemnity and limitation terms after termination.
Red flags
- One-sided indemnity with broad exclusions that nullify protection.
- Low liability caps that do not cover likely breach response expenses.
- Silence on insurance or refusal to provide reasonable proof of coverage.
Conclusion
Use this BAA review checklist to confirm tight scoping, lawful PHI uses, robust safeguards, practical breach playbooks, accountable subcontractor management, and balanced indemnification and liability terms. When these provisions work together, you reduce risk while enabling compliant, value-driven partnerships.
FAQs
What is a Business Associate Agreement?
A Business Associate Agreement is a contract that sets the privacy, security, and Breach Notification Requirements for vendors that create, receive, maintain, or transmit Protected Health Information on a covered entity’s behalf. It implements the HIPAA Privacy Rule and Security Rule and supports HITECH Act Compliance.
What are the required safeguards under a BAA?
The BAA should require Administrative Safeguards (policies, training, access governance), technical safeguards (encryption, authentication, audit logging), and physical safeguards (facility and device controls). Together, these measures protect PHI and demonstrate risk-based security consistent with HIPAA.
How should breaches be reported under a BAA?
The BA must notify the covered entity promptly, include all material facts about the incident, and cooperate on mitigation and notifications. Timely reporting enables the covered entity to meet legal Breach Notification Requirements and document investigation, remediation, and lessons learned.
When can a covered entity terminate the BAA?
A covered entity may terminate for a material breach that is not cured within the agreed period, or immediately for serious or repeated noncompliance affecting PHI. Termination clauses should also address secure return or destruction of PHI and surviving obligations such as indemnity and documentation.