HIPAA BAA Requirements Explained: What Your Business Associate Contract Must Include
Definition of Business Associate
A business associate is any non-workforce person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. This includes vendors, consultants, cloud and billing providers, analytics firms, and others handling PHI to perform services.
Subcontractors that handle PHI for a business associate are also business associates. They must meet the same obligations through written flow-down terms, ensuring end-to-end subcontractor compliance across your vendor chain.
Typical examples
- IT hosting, EHR, or cloud storage providers handling ePHI.
- Revenue cycle, claims processing, and medical transcription services.
- Data aggregation, analytics, or quality improvement partners.
- Legal, accounting, and consulting firms accessing PHI for services.
What counts as PHI
PHI includes any individually identifiable health information in any form or medium. Names, dates, account numbers, diagnosis codes, device IDs, or full-face photos linked to health data are PHI under the HIPAA Privacy Rule.
Requirement for Business Associate Agreement
Before a business associate may access PHI, the covered entity must execute a Business Associate Agreement (BAA). The BAA contractually binds the associate to use and disclose PHI only as permitted, comply with the HIPAA Privacy Rule and HIPAA Security Rule, and support regulatory oversight by the Department of Health and Human Services.
Core contractual promises
- Use and disclose PHI only as the BAA permits or as required by law, applying the minimum necessary standard.
- Implement administrative, physical, and technical safeguards for ePHI and reasonable safeguards for all PHI.
- Report breaches, security incidents, and impermissible uses or disclosures to the covered entity as specified.
- Ensure subcontractor compliance through written agreements with the same restrictions and conditions.
- Make internal practices and records relating to PHI available to the Secretary of HHS for compliance review.
- Support individual rights (access, amendment, accounting) and return or destroy PHI at termination.
- Include contract termination clauses allowing cure or termination for a material breach.
Permitted Uses and Disclosures of PHI
A BAA should precisely describe what the business associate may do with PHI. Uses must be necessary to perform contracted services and must align with HIPAA’s minimum necessary requirement.
Typical permitted purposes
- Performing the contracted services for, or on behalf of, the covered entity.
- Proper management and administration, including disclosures required by law or with assurances of confidentiality.
- Data aggregation for the covered entity’s health care operations.
- De-identification of data consistent with HIPAA standards before external use or disclosure.
Prohibited uses include marketing, sale of PHI, and any other use not expressly permitted by the BAA, unless a valid authorization covers it. The BAA should require prior written approval for any novel use case that may implicate PHI.
Safeguards Implementation
The HIPAA Security Rule requires business associates to implement risk-based administrative, physical, and technical safeguards for ePHI. The Privacy Rule also requires reasonable safeguards for PHI in any form.
Administrative safeguards
- Formal risk analysis, risk management, and written policies and procedures.
- Workforce training, role-based access, and sanction policies.
- Vendor oversight and documented subcontractor compliance.
Physical safeguards
- Facility access controls and workstation/device security.
- Device and media controls, including secure disposal and re-use procedures.
Technical safeguards
- Unique user IDs, strong authentication, and access controls.
- Encryption in transit and at rest, audit logging, and integrity monitoring.
- Contingency planning, backups, and disaster recovery for availability.
Your BAA should require periodic assessments, prompt remediation of identified risks, and documentation demonstrating Security Rule compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Reporting Obligations for Unauthorized PHI Use
The BAA must require the business associate to report any impermissible use or disclosure, suspected or confirmed breach of unsecured PHI, or security incident without unreasonable delay and within the contract’s stated deadline.
Breach notification essentials
- Timely notice to the covered entity, including what happened, dates, and discovery details.
- Types of PHI involved and the number of affected individuals.
- Mitigation steps taken and recommended actions for the covered entity.
- Ongoing cooperation with investigation, risk assessment, and regulatory response under the Breach Notification requirements.
The BAA may assign responsibilities for individual and media notifications; however, reporting to the covered entity remains mandatory, and documentation of all incidents must be retained.
Access to PHI for Individual Rights
Business associates must help covered entities meet individual rights under HIPAA. Your BAA should obligate the associate to respond promptly to requests routed by the covered entity and to provide information in the requested electronic format when feasible.
Supported rights
- Access to PHI within a designated record set, including ePHI in a readily producible format.
- Amendment of PHI with appropriate review, documentation, and version control.
- Accounting of disclosures, including tracking and furnishing required details.
Set clear turnaround times that allow the covered entity to meet HIPAA deadlines, and require the associate to maintain records proving timely compliance.
Return or Destruction of PHI Upon Termination
At contract end, the business associate must return or destroy all PHI received, created, or maintained for the covered entity. If return or destruction is infeasible, the BAA must limit further uses and disclosures of the retained PHI to the purposes that make return or destruction infeasible, and require ongoing protections for as long as it is retained.
Key end-of-term requirements
- Inventory and certify return or secure destruction of PHI, including backups and media.
- Document why destruction is infeasible (for example, legal retention) and apply perpetual protections.
- Cease all other uses and disclosures and continue breach reporting obligations for any retained PHI.
- Invoke contract termination clauses for any uncured material breach involving PHI.
Conclusion
A strong BAA clearly limits PHI uses, embeds Security Rule safeguards, mandates rapid breach reporting, enforces subcontractor compliance, supports individual rights, and dictates PHI return or destruction at termination. These provisions align operations with the HIPAA Privacy Rule and enable credible oversight by the Department of Health and Human Services.
FAQs
What is the role of a business associate under HIPAA?
A business associate performs services for a covered entity that involve PHI and, through a BAA, agrees to use and disclose PHI only as permitted, safeguard it, support individual rights, report incidents, ensure subcontractor compliance, and cooperate with oversight.
What must a HIPAA BAA include regarding PHI safeguards?
It must require risk-based administrative, physical, and technical safeguards for ePHI, reasonable safeguards for all PHI, workforce training, access controls, encryption and logging where appropriate, contingency planning, vendor oversight, and documentation demonstrating HIPAA Security Rule compliance.
How should unauthorized PHI disclosures be reported?
The associate must notify the covered entity without unreasonable delay within the contract’s set timeframe, provide incident details, assist with risk assessment and mitigation, and support Breach Notification activities, including required regulatory and individual notices if assigned.
What happens to PHI after BAA termination?
The associate must return or securely destroy all PHI. If destruction is infeasible, the associate must keep only the minimal PHI necessary for the stated reason, maintain protections indefinitely, limit further uses, and continue to meet reporting and safeguard obligations.