Business Associate Agreement (BAA) HIPAA Requirements: What You Need to Include

Kevin Henry

HIPAA

March 07, 2024

5 minutes read
A Business Associate Agreement clarifies exactly how a vendor may access, use, protect, and return Protected Health Information (PHI). To meet HIPAA expectations, your BAA should translate the Privacy Rule, Breach Notification Rule, and HIPAA Security Rule into concrete, auditable commitments. Use the sections below to ensure nothing essential is missed.

Permitted Uses and Disclosures

State precisely what the business associate may do with PHI, tied to the services you purchase. Limitations keep use aligned with your HIPAA obligations and your risk tolerance.

  • Use and disclose PHI only to perform contracted services for the covered entity, and only to the extent necessary.
  • Allow disclosures for proper management and administration (e.g., legal advice, accreditation) if required by law or with reasonable assurances of confidentiality.
  • Permit data aggregation to support healthcare operations when explicitly authorized.
  • Allow de-identification and the use of de-identified data, if specified.
  • Apply the Minimum Necessary Standard to every use, disclosure, and request for PHI.

Prohibited Uses and Disclosures

Spell out bright lines so the business associate knows where it must not go. These prohibitions help you prevent unauthorized secondary use and reputational harm.

  • No uses or disclosures beyond those expressly permitted by the BAA or required by law.
  • No sale of PHI, and no marketing or fundraising using PHI without valid authorization.
  • No re-identification of de-identified information unless expressly authorized.
  • No disclosure to third parties that cannot or will not protect PHI to HIPAA standards.

Safeguards

Require safeguards that align with the HIPAA Security Rule for ePHI and with reasonable safeguards for paper and oral PHI. Make the expectations specific and testable.

Administrative Safeguards

  • Documented risk analysis and ongoing risk management.
  • Workforce training, sanctions, and role-based access aligned to the Minimum Necessary Standard.
  • Vendor management, incident response procedures, and contingency planning (backup and disaster recovery).

Physical Safeguards

  • Facility access controls and secure workstation/device use and disposal.
  • Media protection, including encryption-enabled storage and secure destruction.

Technical Safeguards

  • Unique user IDs, multi-factor authentication, and timely access termination.
  • Encryption in transit and at rest, integrity controls, and secure key management.
  • Audit logging, log retention, and regular review with clear alerting thresholds.

Breach Reporting

Your BAA should define when and how the business associate alerts you about incidents. Separate routine Security Incident Reporting from breach notices involving unsecured PHI.

Security Incident Reporting

  • Immediate notice for suspected or confirmed unauthorized access, malware, or exfiltration attempts.
  • Regular summaries of low-risk or routine security events, as agreed.

Breach Notification

  • Notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery.
  • Provide required details: what happened, types of PHI involved, number of individuals affected, mitigation steps, and remediation actions.
  • Cooperate with risk assessments and downstream notifications to individuals, regulators, and the media, as applicable.

Remedies and Termination

  • Require prompt cure of violations and documented corrective action plans.
  • Authorize Material Breach Termination if cure is infeasible or fails within the specified timeframe.

Compliance with Patients' Rights

Ensure the business associate supports your Privacy Rule Compliance obligations that involve patient rights. The BAA should make assistance timely and reliable.

  • Access: Provide PHI in a designated record set so you can fulfill access requests within HIPAA deadlines.
  • Amendment: Implement corrections as directed and propagate updates to downstream recipients when required.
  • Accounting of Disclosures: Track and report non-routine disclosures for the accounting period.
  • Restrictions and Confidential Communications: Honor covered-entity-imposed restrictions where they apply to the business associate’s systems.

Subcontractor Obligations

If subcontractors handle PHI, your business associate must flow down equivalent protections. Require evidence of controls and oversight—not just promises.

  • Execute a Subcontractor Business Associate Agreement with the same restrictions, safeguards, and reporting duties.
  • Vet subcontractors before onboarding and continuously monitor their security posture and compliance.
  • Right to audit or obtain independent assurance (e.g., SOC 2 reports) where appropriate.
  • Ensure subcontractors support patient rights, breach response, and PHI Return and Destruction.

Return or Destruction of PHI

At expiration or termination, the BAA should dictate how PHI is returned or irreversibly destroyed. If destruction is infeasible, continuing protections must remain in place.

  • Define timelines and formats for PHI return, including secure transfer methods.
  • Specify destruction methods for paper and electronic media, with written certification.
  • Allow minimal retained copies only if required by law or for archival purposes, subject to ongoing protections.

Together, these provisions operationalize HIPAA within your vendor relationships. Clear permissions, strict prohibitions, robust safeguards, timely reporting, support for patient rights, subcontractor controls, and PHI Return and Destruction form a complete, defensible BAA.

FAQs

What are the key HIPAA requirements included in a BAA?

A solid BAA defines permitted and prohibited uses of PHI; requires safeguards aligned to the HIPAA Security Rule; mandates Security Incident Reporting and breach notification; compels support for Privacy Rule Compliance, including access, amendment, and accounting; flows all duties to subcontractors via a Subcontractor Business Associate Agreement; and sets clear terms for PHI Return and Destruction and Material Breach Termination.

How must business associates report breaches under HIPAA?

They must notify the covered entity without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. The notice should describe what happened, the PHI involved, individuals affected, containment and mitigation steps, and corrective actions. Your BAA may require faster Security Incident Reporting for suspected or attempted compromises.

What safeguards are required by the HIPAA Security Rule in a BAA?

The BAA should require administrative, physical, and technical safeguards: risk analysis and management, workforce training, incident response, access controls and MFA, encryption in transit and at rest, audit logging and monitoring, secure device/media handling, and tested contingency plans. These controls should also enforce the Minimum Necessary Standard.
