Business Associate Agreement Checklist Under the HIPAA Omnibus Rule
A solid Business Associate Agreement (BAA) translates the HIPAA Omnibus Rule into clear, enforceable obligations. Use this checklist to confirm that your contracts define how Protected Health Information (PHI) is used, secured, reported on after incidents, and returned or destroyed at the end of the relationship.
Each section below maps to core expectations of the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements, helping you demonstrate Subcontractor Compliance and maintain thorough Risk Analysis Documentation.
Permitted Uses and Disclosures
Your BAA must precisely state what the business associate may do with PHI and what is prohibited. Tie permissions to the services provided, apply the minimum necessary standard, and prohibit uses not expressly authorized or required by law.
Clarify limited allowances for management and administration, de-identification, and data aggregation for healthcare operations when permitted. Bar any sale of PHI and regulate marketing or fundraising consistent with the HIPAA Privacy Rule.
Checklist
- Define “Permitted Uses and Disclosures” aligned with service scope and the HIPAA Privacy Rule.
- Affirm minimum necessary use and disclosure of PHI.
- Permit management/administration disclosures only with safeguards and assurances of confidentiality.
- Allow de-identification and data aggregation only if expressly authorized in the Business Associate Agreement.
- Prohibit sale of PHI and restrict marketing/fundraising uses unless permitted by law and contract.
- Require documentation of all non-routine disclosures upon request.
Safeguards and Breach Reporting
Business associates must implement administrative, physical, and technical safeguards for ePHI consistent with the HIPAA Security Rule. Your BAA should mandate breach detection, documentation, mitigation, and timely Breach Notification to the covered entity.
Set clear timelines: notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI, including all details needed for downstream notifications.
Checklist
- Require Security Rule–aligned safeguards (access controls, encryption, auditing, integrity and transmission protections).
- Mandate incident response procedures: identify, contain, eradicate, and recover.
- Define “security incident” and “breach” and require documentation of investigations and risk assessments.
- Obligate notification to the covered entity without unreasonable delay and within 60 days of discovery.
- Specify notification content: what happened, dates, types of PHI involved, affected individuals, mitigation steps, and corrective actions.
- Require continued updates until remediation is complete and records retained for verification.
Subcontractor Agreements
Under the HIPAA Omnibus Rule, downstream vendors that create, receive, maintain, or transmit PHI on behalf of a business associate become business associates themselves. Your BAA must flow down all applicable obligations to ensure Subcontractor Compliance.
Require written agreements with each subcontractor that mirror Security and Privacy requirements, grant audit/verification rights, and impose sanctions for noncompliance.
Checklist
- Flow down the same restrictions, conditions, and safeguards to all subcontractors handling PHI.
- Require signed subcontractor BAAs before any PHI access.
- Grant rights to assess controls, receive audit reports, and request corrective action plans.
- Obligate immediate notice of subcontractor incidents affecting PHI.
- Maintain a current inventory of subcontractors and copies of their agreements.
Compliance with Privacy and Security Rules
Business associates are directly liable for impermissible uses/disclosures of PHI and for compliance with the HIPAA Security Rule. Your BAA should spell out specific duties that help the covered entity meet Privacy Rule obligations while requiring the business associate to maintain its own compliance program.
Address cooperation with regulatory reviews, timely responses to requests, and the provision of information needed for individual rights requests and accounting of disclosures.
Checklist
- Affirm direct compliance with the HIPAA Security Rule and applicable provisions of the HIPAA Privacy Rule.
- Support individual rights: access, amendments, and accounting of disclosures as applicable.
- Make internal practices, books, and records available to regulators upon lawful request.
- Apply minimum necessary, role-based access, and ongoing workforce training.
- Document sanctions for workforce violations and corrective action requirements.
- Retain required records for the applicable retention period.
Termination and Return of PHI
The BAA must describe exactly how PHI will be returned or destroyed at the end of the engagement. When return or destruction is not feasible, continuing protections must apply to any retained PHI.
Spell out acceptable destruction methods, deadlines, certificates of destruction, and final reporting so you can demonstrate full disposition of PHI and close out the relationship cleanly.
Checklist
- Trigger termination for material breach if not cured within an agreed period.
- Require prompt return or secure destruction of all PHI, including backups and archives, where feasible.
- Define acceptable destruction standards and mandate a certificate of destruction.
- If destruction is infeasible, limit further uses/disclosures and maintain safeguards indefinitely.
- Require a final accounting of disclosures and confirmation that subcontractors have also disposed of PHI.
Security Rule Risk Analysis
Business associates must perform an accurate and thorough risk analysis and implement risk management. Your BAA should require completion and maintenance of Risk Analysis Documentation and periodic re-evaluations when systems, vendors, or threats change.
Effective analyses inventory systems holding ePHI, map data flows, evaluate threats and vulnerabilities, score risks, and drive prioritized remediation with documented outcomes.
Checklist
- Define scope: systems, applications, devices, and vendors that create, receive, maintain, or transmit ePHI.
- Map data flows and storage locations, including backups and cloud services.
- Assess threats/vulnerabilities and likelihood/impact; rank risks.
- Implement risk management plans with owners, milestones, and acceptance criteria.
- Document decisions, residual risks, and validation testing; update at least annually or upon significant change.
- Align results to control improvements (encryption, logging, MFA, patching, network segmentation).
Written Security Policies
Written policies and procedures operationalize the HIPAA Security Rule and ensure consistent execution. Your BAA should require current documentation, workforce training, and evidence of policy enforcement.
Include policies for identity and access management, device and media controls, secure configuration, change control, incident response, contingency planning, and vendor risk management.
Checklist
- Maintain approved, version-controlled security policies and procedures.
- Define role-based access, authentication, and session management requirements.
- Require encryption standards for data at rest and in transit and key management practices.
- Establish secure software and configuration baselines with change management.
- Implement device/media controls: inventory, disposal, re-use, and secure wiping.
- Adopt incident response and breach handling playbooks with reporting lines and evidence retention.
- Develop contingency plans: data backup, disaster recovery, and business continuity testing.
- Provide workforce training, acknowledge policy receipt, and enforce a sanctions policy.
- Integrate vendor due diligence, ongoing monitoring, and subcontractor oversight.
Conclusion
This Business Associate Agreement checklist turns the HIPAA Omnibus Rule into contract terms you can verify: narrowly defined uses, strong safeguards, prompt Breach Notification, enforceable Subcontractor Compliance, clear end-of-term PHI disposition, ongoing risk analysis, and documented security policies. Aligning each element to your operations—and keeping rigorous records—proves due diligence and strengthens trust.
FAQs
What is required in a Business Associate Agreement under the HIPAA Omnibus Rule?
A compliant BAA defines permitted uses and disclosures of Protected Health Information, requires Security Rule safeguards, mandates breach reporting, flows down obligations to subcontractors, supports Privacy Rule rights, and sets termination, return, or destruction of PHI. It also requires ongoing Risk Analysis Documentation and written security policies.
How must Business Associates handle breach reporting?
They must investigate, mitigate, and document incidents, perform a risk assessment, and notify the covered entity without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. The notice should include what happened, when, the PHI involved, affected individuals, mitigation taken, and corrective actions.
What are the obligations regarding subcontractors under HIPAA?
Any subcontractor that creates, receives, maintains, or transmits PHI on a business associate’s behalf must sign a written agreement imposing the same HIPAA Privacy Rule and HIPAA Security Rule obligations. The business associate must verify controls, monitor performance, and ensure Subcontractor Compliance.
How should PHI be handled upon termination of a Business Associate Agreement?
The BAA should require prompt return or secure destruction of all PHI, including backups where feasible, plus a certificate of destruction. If destruction is infeasible, the business associate must continue to protect PHI, limit its use, and retain safeguards until the information is appropriately disposed of.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.