Best Practices for Business Associate Contracts Under HIPAA Privacy and Security Rules


Kevin Henry

HIPAA

August 17, 2024

7 minutes read

Business Associate Definition

Who qualifies as a business associate

A business associate is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity for activities regulated by the HIPAA Privacy Rule or HIPAA Security Rule. The relationship is defined by functions performed, not by job title.

Common examples

  • Cloud or managed service providers hosting ePHI, data centers, and IT support firms.
  • Billing services, claims processors, collections agencies, and clearinghouses.
  • Analytics firms, quality improvement vendors, and data aggregation partners.
  • Legal, accounting, consulting, and accreditation services that access PHI.

Covered entity vs. business associate

Covered entities (providers, plans, clearinghouses) deliver care or pay for it. Business associates support those operations and handle PHI to perform contracted services. The test is whether the service involves routine creation, receipt, maintenance, or transmission of PHI on the covered entity's behalf. A vendor whose work requires that kind of access needs a Business Associate Agreement; a vendor whose contact with PHI would be incidental at most (a cleaning crew, for example) does not, and neither does a mere conduit that only transports PHI without routine access to it (the postal service, a courier, an ISP). The conduit exception is narrow: a cloud provider that stores ePHI is a business associate even if it never views the data.

Required Contract Elements

Core clauses to include in a Business Associate Agreement

  • Permitted and prohibited uses/disclosures: Define authorized purposes and explicitly prohibit uses not allowed by the contract or law.
  • Safeguards: Require administrative, physical, and technical safeguards appropriate to the risk, aligned with the HIPAA Security Rule.
  • Minimum necessary: Limit PHI uses and disclosures to the minimum necessary to accomplish the purpose.
  • Reporting obligations: Specify prompt reporting of security incidents and Breach Notification Requirements, including timelines and content of notices.
  • Subcontractor Obligations: Mandate that subcontractors agree in writing to the same restrictions and conditions before accessing PHI.
  • Individual rights support: Make PHI available for access, amendment, and accounting of disclosures within required timeframes.
  • De-identification and data aggregation: Allow only if expressly authorized and performed in accordance with HIPAA standards.
  • HHS access: Commit to make relevant books, records, and practices available to the Secretary of HHS for compliance review.
  • Return or destruction of PHI: Require return or secure destruction at termination; if infeasible, continue protections indefinitely.
  • Mitigation and cooperation: Obligate mitigation of harmful effects and cooperation with investigations and notifications.
  • Termination for cause: Allow the covered entity to terminate for material breach if cure fails within a defined period.
  • Risk allocation: Consider Indemnification Clauses and appropriate cyber liability insurance to address residual risk.

Safeguards Implementation

Administrative Safeguards

  • Designate security and privacy leads; implement policies, procedures, and a sanction policy.
  • Conduct initial and ongoing risk analysis and risk management tailored to systems holding ePHI.
  • Vendor due diligence, access approvals, and least-privilege role design.
  • Incident response and disaster recovery plans with tested playbooks.

Technical Safeguards

  • Strong access controls, unique IDs, MFA, and session timeouts across all ePHI systems.
  • Encryption in transit and at rest for ePHI, including backups and portable media.
  • Audit logging, monitoring, and alerting; promptly investigate anomalies.
  • Integrity controls, secure software development practices, and timely patching.

Physical Safeguards

  • Facility access controls, visitor management, and environmental protections.
  • Workstation and device protections, including MDM, screen locks, and secure media disposal.

Operational validation

Document how safeguards operate, test them regularly, and remediate gaps quickly. Evidence of implementation is essential when demonstrating compliance under a Business Associate Agreement.

Breach Notification Procedures

Trigger and timelines

Define a "breach" and require notification to the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Discovery is the first day the incident is known to the business associate, or would have been known with reasonable diligence, including knowledge held by its workforce or agents. Many contracts set shorter internal deadlines (for example, 5 to 15 days) for preliminary notice, with facts supplied as they are learned; the 60-day limit is an outside bound, not a target.

Content of notice

  • What happened, including dates of breach and discovery and attack vector if known.
  • Types of PHI involved (for example, names, diagnoses, payment data) and the number of affected individuals.
  • Actions taken to contain, mitigate, and prevent recurrence; recommended steps for the covered entity.
  • Point of contact, forensics status, and law enforcement delay documentation if applicable.

Investigation and cooperation

Require prompt investigation, preservation of evidence, root-cause analysis, and full cooperation with the covered entity’s decision-making and notifications. Allocate responsibilities for individual notices, call centers, and remediation services in the contract.

Security incidents vs. breaches

Not all security incidents are breaches. A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI; PHI encrypted in line with HHS guidance, with the keys uncompromised, is not unsecured, so its loss is not a reportable breach. The Breach Notification Rule presumes that an impermissible disclosure is a breach unless one of its narrow exceptions applies (for example, unintentional good-faith access by a workforce member within the scope of authority) or a documented risk assessment shows a low probability that the PHI was compromised. That assessment must weigh at least four factors: the nature and extent of the PHI involved, including identifiers and the likelihood of re-identification; the unauthorized person who received or used it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Build this process into the contract, require the rationale to be written down and retained, and meet the Breach Notification Requirements whenever the presumption is not rebutted.
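The decision described above, as an added example that is not part of the original article: a small triage routine that applies the unsecured-PHI test, the regulatory exceptions and the four-factor assessment to constructed incident records, then computes the contractual and regulatory notice deadlines for the ones that must be reported. The 60-day limit and the four factors come from the Breach Notification Rule; the 5-day preliminary-notice window is an assumed contractual term, and the rule that all four factors must point to low probability before the presumption is rebutted is an assumed conservative policy, not regulatory text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# 45 CFR 164.410(b): notify the covered entity no later than 60 calendar days after discovery.
REGULATORY_OUTER_LIMIT_DAYS = 60
# Assumed BAA term (not a regulatory number): preliminary notice within 5 days.
CONTRACT_PRELIM_NOTICE_DAYS = 5
# Assumed "as of" date used by the sample report.
TODAY = date(2024, 3, 20)


@dataclass
class Incident:
    incident_id: str
    discovered: date                 # first day the BA knew or reasonably should have known
    phi_involved: bool
    encrypted_per_hhs_guidance: bool = False  # safe-harbor input: PHI encrypted per HHS guidance
    keys_compromised: bool = False            # safe harbor is lost if the key was exposed too
    exception: Optional[str] = None           # a 45 CFR 164.402(1) exception, if one applies
    # Four-factor risk assessment inputs, 45 CFR 164.402(2):
    sensitive_phi: bool = True            # factor 1: nature/extent of PHI, re-identification risk
    recipient_hipaa_obligated: bool = False  # factor 2: who received it
    acquired_or_viewed: bool = True       # factor 3: was the PHI actually acquired or viewed
    mitigated: bool = False               # factor 4: extent of mitigation (e.g. attested destruction)
    rationale: List[str] = field(default_factory=list)


def is_notifiable_breach(inc: Incident) -> bool:
    """PHI involved? -> secured by encryption? -> exception? -> four-factor test.
    The rule presumes a breach; this (assumed) policy only rebuts the presumption
    when every factor points to low probability. rationale is the written record."""
    inc.rationale.clear()
    if not inc.phi_involved:
        inc.rationale.append("no PHI involved: security incident, not a breach")
        return False
    if inc.encrypted_per_hhs_guidance and not inc.keys_compromised:
        inc.rationale.append("PHI encrypted per HHS guidance, keys intact: not unsecured PHI")
        return False
    if inc.exception:
        inc.rationale.append(f"164.402(1) exception applies: {inc.exception}")
        return False
    factors = [
        (not inc.sensitive_phi, "PHI involved carries limited re-identification or harm risk"),
        (inc.recipient_hipaa_obligated, "recipient is itself bound by HIPAA"),
        (not inc.acquired_or_viewed, "PHI was not actually acquired or viewed"),
        (inc.mitigated, "risk mitigated, e.g. attested return or destruction"),
    ]
    for low, why in factors:
        inc.rationale.append(("low: " if low else "NOT low: ") + why)
    if all(low for low, _ in factors):
        inc.rationale.append("low probability of compromise documented: no notice required")
        return False
    inc.rationale.append("presumption of breach not rebutted: notify the covered entity")
    return True


def deadlines(inc: Incident, today: date) -> Dict[str, object]:
    """Preliminary-notice date (contract) and outer limit (rule), in calendar days from discovery."""
    prelim = inc.discovered + timedelta(days=CONTRACT_PRELIM_NOTICE_DAYS)
    outer = inc.discovered + timedelta(days=REGULATORY_OUTER_LIMIT_DAYS)
    return {"prelim_due": prelim, "outer_limit": outer,
            "prelim_overdue": today > prelim, "outer_overdue": today > outer}


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    # Lost laptop, full-disk encryption, no key exposure: secured PHI.
    Incident("INC-001", date(2024, 3, 4), phi_involved=True, encrypted_per_hhs_guidance=True),
    # Claims file with names and diagnoses emailed to the wrong outside party, who opened it.
    Incident("INC-002", date(2024, 3, 10), phi_involved=True),
    # Workforce member opened the wrong chart in good faith, within authority, no further use.
    Incident("INC-003", date(2024, 3, 12), phi_involved=True,
             exception="unintentional good-faith workforce access"),
    # Appointment times list mailed to another covered entity, returned unopened with attestation.
    Incident("INC-004", date(2024, 3, 15), phi_involved=True, sensitive_phi=False,
             recipient_hipaa_obligated=True, acquired_or_viewed=False, mitigated=True),
    # Port scan against a perimeter host; no PHI system reached.
    Incident("INC-005", date(2024, 3, 18), phi_involved=False),
]


def triage(incidents: List[Incident], today: date) -> Dict[str, Dict[str, object]]:
    """Run each incident through the breach test; attach deadlines to the reportable ones."""
    report: Dict[str, Dict[str, object]] = {}
    for inc in incidents:
        notify = is_notifiable_breach(inc)
        entry: Dict[str, object] = {"notify": notify, "rationale": list(inc.rationale)}
        if notify:
            entry.update(deadlines(inc, today))
        report[inc.incident_id] = entry
    return report


def sample_report() -> Dict[str, Dict[str, object]]:
    return triage(SAMPLE_INCIDENTS, TODAY)


if __name__ == "__main__":
    for iid, entry in sample_report().items():
        print(iid, "NOTIFY by" if entry["notify"] else "no notice", entry.get("outer_limit", ""))
        for line in entry["rationale"]:
            print("   -", line)
```

Only INC-002 is reportable in the sample set; as of the assumed date its 5-day preliminary notice is already overdue while the 60-day outer limit (9 May 2024) is not, which is exactly the situation a shorter contractual deadline is meant to surface early. Every non-reportable outcome still leaves a written rationale, which is the record a covered entity or HHS will ask for.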


Subcontractor Compliance

Flow-down of requirements

Impose the same privacy and security obligations on subcontractors that create, receive, maintain, or transmit PHI. Flow-down clauses should mirror your Business Associate Agreement terms and explicitly address Subcontractor Obligations.

Due diligence and oversight

  • Pre-contract security questionnaires, evidence reviews, and reference checks.
  • Right-to-audit provisions, performance metrics, and remediation timelines.
  • Contractual breach and incident reporting pathways that escalate to you immediately.

Termination and transition

Plan for secure return or destruction of PHI at subcontract end, including verification of destruction and migration support to prevent operational gaps.

Security Risk Assessment

Scope and method

Inventory systems and data flows that touch ePHI, then evaluate threats, vulnerabilities, likelihood, and impact. Prioritize risks using a consistent scoring method and tie each risk to specific controls.

Execution steps

  • Identify where ePHI resides, who can access it, and how it is transmitted and stored.
  • Assess control effectiveness against common threats (phishing, ransomware, insider misuse, third-party failures).
  • Document findings, assign owners, and build a time-bound remediation plan.
  • Verify fixes through retesting and update residual risk ratings.

Cadence and triggers

Perform a comprehensive assessment at least annually and whenever systems, vendors, or business processes materially change. Treat risk management as an ongoing program, not a one-time exercise.

Training and Documentation Requirements

Workforce training

Provide role-based training on privacy, security, phishing awareness, incident reporting, and minimum necessary practices. Train at onboarding and periodically thereafter, documenting attendance and comprehension.

Required documentation

  • Policies and procedures covering Privacy Rule and Security Rule obligations.
  • Risk analyses, risk management plans, incident and breach logs, and audit trails.
  • Executed Business Associate Agreements, subcontractor agreements, and due diligence records.
  • Training materials, rosters, and acknowledgment forms.

Retention and readiness

Maintain required documentation for at least six years from creation or last effective date. Conduct internal audits and mock assessments so you can demonstrate compliance on demand.

Strong business associate contracts work best when paired with disciplined safeguards, proactive risk assessments, and evidence-backed training and documentation. Together, these practices reduce risk while enabling compliant, efficient data sharing.

FAQs

What is a business associate under HIPAA?

A business associate is a person or organization that performs services for a covered entity and, in doing so, creates, receives, maintains, or transmits PHI. Because they handle PHI or ePHI, they must sign a Business Associate Agreement and meet applicable HIPAA Privacy and Security Rule requirements.

How should breaches of PHI be reported in business associate contracts?

The contract should require the business associate to notify the covered entity without unreasonable delay and within a specified outside limit (no later than 60 calendar days after discovery). It should also detail the Breach Notification Requirements—what information the notice must contain, interim updates, cooperation, and any shorter internal timelines.

What are the required safeguards for protecting PHI?

Contracts should mandate administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. This includes access controls and MFA, encryption in transit and at rest, audit logging, workforce training, incident response, secure disposal, and documented policies that enforce the minimum necessary standard.

How must subcontractors comply with HIPAA in business associate agreements?

Any subcontractor that handles PHI on the business associate’s behalf must sign a written agreement imposing the same restrictions and conditions. Flow-down clauses should cover permitted uses, safeguards, breach reporting, cooperation, termination rights, and secure return or destruction of PHI.
