Business Associate Agreement under HIPAA: Complete Guide and Sample Clauses
A Business Associate Agreement under HIPAA is the contract that governs how a Business Associate may create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a Covered Entity. This guide explains the essential elements you must include, when and how PHI may be used or disclosed, and offers sample contract clauses you can adapt to your organization’s needs.
Key Definitions
Protected Health Information (PHI)
PHI is individually identifiable health information in any form or medium, including electronic PHI (ePHI). It covers data that relates to an individual’s health status, provision of health care, or payment for care and that can reasonably identify the person.
Covered Entity
A Covered Entity is a health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with standard transactions. Covered Entities are primarily responsible for patient privacy under the HIPAA Privacy Rule.
Business Associate
A Business Associate is any person or entity that performs functions or activities involving PHI on behalf of a Covered Entity, other than as a member of the Covered Entity’s workforce. Common examples include billing companies, IT vendors, cloud service providers, and consultants.
Business Associate Agreement (BAA)
A BAA is the legally required contract that imposes privacy, security, and Breach Notification obligations on the Business Associate, flowing from the HIPAA Privacy Rule and HIPAA Security Rule. It sets Data Use Restrictions, safeguards, reporting duties, and termination steps.
Minimum Necessary and Data Use Restrictions
Minimum Necessary means limiting uses, disclosures, and requests for PHI to the least amount needed to accomplish the intended purpose. Data Use Restrictions further confine PHI handling to specified services and prohibit unauthorized secondary uses such as sale or targeted marketing.
Permitted Uses and Disclosures
Use and disclosure to perform services
A Business Associate may use or disclose PHI only as necessary to perform the contracted services for the Covered Entity, or as required by law. Any other use requires express, documented permission in the BAA or a separate authorization.
Minimum necessary standard
Both parties must implement role-based access and workflow controls so your teams view, use, and disclose only what is needed. The BAA should require data minimization throughout ingestion, processing, storage, and outputs.
Management, administration, and legal compliance
Limited uses and disclosures are permitted for a Business Associate’s internal management and administration or to fulfill legal obligations, provided that the disclosure is required by law or the recipient gives reasonable assurances that it will keep the PHI confidential and safeguard it.
Data aggregation and de-identification
A BAA can allow data aggregation to help a Covered Entity perform health care operations, and may permit de-identification where PHI is transformed so individuals are no longer identifiable. Once properly de-identified, information is no longer PHI.
Prohibited uses
Unless expressly authorized, the Business Associate may not sell PHI, use it for targeted marketing, or disclose it for purposes not required to deliver the contracted services. All uses must align with the HIPAA Privacy Rule and the BAA’s Data Use Restrictions.
Safeguards and Security Measures
Administrative safeguards
Conduct a risk analysis, implement risk management plans, designate a security official, and establish policies for workforce training, sanctions, and contingency planning. Maintain documentation and review it periodically.
Physical safeguards
Control facility access, secure workstations and devices, and manage media handling and disposal. Limit physical access to areas where PHI is stored or processed, and track hardware that stores ePHI.
Technical safeguards
Implement access controls (unique IDs, least privilege), encryption in transit and at rest, automatic logoff, audit logging and monitoring, and integrity controls to prevent improper alteration or destruction of ePHI.
Organizational measures
Adopt vendor management procedures, ensure subcontractor BAAs are in place, and conduct periodic assessments. Align security controls with the HIPAA Security Rule and document all configurations, exceptions, and approvals.
Reporting Obligations for Breaches
Security incidents vs. breaches
A security incident is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security unless an exception applies.
Discovery and timing
Upon discovery of a breach of unsecured PHI, the Business Associate must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery. The BAA should define expedited internal timelines for initial and follow-up reports.
Notification content
Reports should include a description of what happened, the date of the breach and discovery, the types of PHI involved, known or suspected recipients, the number of affected individuals (if known), mitigation steps taken, and contact information for follow-up.
Risk assessment and mitigation
Evaluate the nature and extent of PHI involved, the unauthorized person who used or received it, whether the PHI was actually viewed or acquired, and the extent to which the risk has been mitigated. Use the assessment to guide containment, remediation, and Breach Notification.
Coordination with the Covered Entity
The Business Associate must cooperate with the Covered Entity regarding individual notifications, notice to regulators, and, if applicable, media notifications. If delegated, the Business Associate may issue notices on the Covered Entity’s behalf, following agreed scripts and timelines.
Subcontractor Requirements
Flow-down obligations
Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate must sign a written agreement imposing the same restrictions, conditions, and safeguards required by the BAA.
Due diligence and oversight
Perform vendor risk assessments, review security documentation, and validate controls before onboarding. The BAA should reserve audit and inspection rights and require timely remediation of findings.
Incident reporting and cooperation
Subcontractors must promptly report security incidents and suspected breaches to the Business Associate, who then notifies the Covered Entity per the BAA. Cooperation clauses should require evidence preservation and coordinated investigations.
Termination and transition
If a subcontractor fails to cure material noncompliance, the Business Associate must terminate the subcontract or cease PHI sharing. Ensure transition assistance and secure return or destruction of PHI.
Termination Conditions
Termination for cause
The Covered Entity may terminate the BAA if the Business Associate materially breaches the agreement and fails to cure within a specified period. Immediate termination may be permitted where cure is not feasible or continued performance would pose unacceptable risk.
Return or destruction of PHI
Upon termination, the Business Associate must return or destroy all PHI, including backups and derivatives. If return or destruction is infeasible, the Business Associate must extend BAA protections, limit further uses and disclosures, and safeguard retained PHI.
Survival and record retention
Obligations concerning confidentiality, security, mitigation, cooperation, and records typically survive termination for as long as PHI is retained. The BAA should specify retention periods for books and records relevant to compliance.
Transition support
Include provisions for reasonable transition assistance so services can be wound down or transferred without interrupting patient care or compromising privacy and security.
Sample Contract Clauses
Definitions
“Protected Health Information” or “PHI” has the meaning set forth under HIPAA, including electronic PHI. “Covered Entity,” “Business Associate,” “Breach,” and “Security Incident” carry the meanings assigned by applicable regulations.
Permitted Uses and Disclosures
Business Associate shall use and disclose PHI solely to perform the services described in the underlying agreement for or on behalf of Covered Entity, consistent with the Minimum Necessary standard, and as required by law. No sale of PHI or targeted marketing is permitted without prior written authorization.
Management and Administration
Business Associate may use PHI for its proper management and administration and disclose PHI if required by law or if it obtains reasonable assurances from the recipient to maintain confidentiality and to notify Business Associate of any breach or security incident.
Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI. Controls shall include access management, encryption in transit and at rest, audit logging, vulnerability management, and workforce training.
Reporting
Business Associate shall report to Covered Entity any security incident upon discovery and any breach of unsecured PHI without unreasonable delay and in no case later than 60 calendar days after discovery. Reports shall include the information necessary for Breach Notification obligations.
Subcontractors
Business Associate shall ensure that any subcontractor to whom it provides PHI agrees in writing to the same restrictions and conditions that apply to Business Associate with respect to PHI, including timely incident reporting and cooperation.
Access, Amendment, and Accounting
To enable Covered Entity’s compliance with the HIPAA Privacy Rule, Business Associate shall assist with individual requests for access to PHI, amendments, and accounting of disclosures within agreed timelines.
Minimum Necessary and Data Use Restrictions
Business Associate shall limit uses, disclosures, and requests for PHI to the Minimum Necessary and implement Data Use Restrictions preventing unauthorized secondary use, profiling, or sale of PHI.
Return or Destruction of PHI
Upon termination of this Agreement, Business Associate shall return or destroy all PHI that it or its subcontractors maintain. If infeasible, Business Associate shall extend all protections hereunder and limit further uses and disclosures to those that make return or destruction infeasible.
Term and Termination
Covered Entity may terminate this Agreement upon material breach by Business Associate if such breach is not cured within the specified cure period, or immediately if cure is not feasible. Termination remedies are in addition to other rights and remedies at law or equity.
Audit and Records
Business Associate shall maintain documentation evidencing compliance and make such records available to Covered Entity upon reasonable notice. Business Associate shall cooperate with audits and assessments and promptly remediate identified deficiencies.
Conclusion
A well-drafted Business Associate Agreement under HIPAA translates Privacy, Security, and Breach Notification requirements into clear, enforceable obligations. Use the clauses above as a starting point, tailor them to your services and risk profile, and ensure operational controls match the promises in the contract.
FAQs
What is a Business Associate Agreement under HIPAA?
It is a contract between a Covered Entity and a Business Associate that defines how PHI may be created, received, maintained, or transmitted, and it maps HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification requirements into binding obligations.
What are the required safeguards in a BAA?
The BAA should require administrative, physical, and technical safeguards—such as access controls, encryption, audit logging, workforce training, vendor oversight, and contingency planning—that reasonably protect the confidentiality, integrity, and availability of ePHI.
How should breaches be reported under HIPAA?
The Business Associate must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, providing details about what happened, what PHI was involved, mitigation steps, and contacts for follow-up. The Covered Entity then handles individual and regulatory notices or may delegate that task.
When can a BAA be terminated?
A BAA can be terminated for cause if the Business Associate materially breaches the agreement and fails to cure within the stated period, or immediately if cure is infeasible. Upon termination, PHI must be returned or destroyed, or protected if destruction is not feasible.