HIPAA Omnibus Rule BAA Requirements: A Practical Compliance Guide



Kevin Henry

HIPAA

July 14, 2024


The HIPAA Omnibus Rule strengthened how organizations safeguard protected health information (PHI) and clarified the obligations that bind covered entities and their business associates. This practical compliance guide explains who qualifies as a business associate, what the rule requires in Business Associate Agreements (BAAs), how subcontractor duties “flow down,” what to do after an incident, and what penalties apply.

Use these sections to align your program with Security Rule Compliance, the Breach Notification Rule, and core Covered Entity Responsibilities while preparing for oversight by the Department of Health and Human Services.

Definition of Business Associate

A Business Associate (BA) is any person or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity—or on behalf of another BA—to perform services such as claims processing, billing, data analysis, cloud hosting, IT support, document destruction, or patient engagement.

Vendors are BAs even when they never actually view PHI. For example, a cloud storage or backup provider that maintains encrypted ePHI is still a BA because it “maintains” PHI. Subcontractors that handle PHI for a BA are also business associates and must meet the same requirements.

Direct Liability of Business Associates

The Omnibus Rule imposes direct liability on BAs for specific HIPAA obligations rather than relying solely on contract enforcement by covered entities. In practice, a BA must:

  • Implement Security Rule Compliance: conduct risk analysis and risk management; implement administrative, physical, and technical safeguards; and maintain policies, procedures, and workforce training.
  • Use and disclose PHI only as permitted by the BAA or as required by law, applying the minimum necessary standard where applicable.
  • Provide breach notification to the covered entity under the Breach Notification Rule and mitigate harmful effects of any impermissible use or disclosure.
  • Provide individuals (through the covered entity) access to PHI, amendments, and an accounting of disclosures when required.
  • Make books, records, and practices relating to PHI available to the Department of Health and Human Services upon request.
  • Flow down HIPAA obligations to subcontractors and monitor compliance consistent with the BAA.

Requirement for Business Associate Agreements

Covered entities must obtain “satisfactory assurances” via a written BAA before disclosing PHI to a vendor. Likewise, a BA must execute a BAA with any subcontractor that will handle PHI. Without a BAA in place, disclosure of PHI is generally prohibited.

Covered Entity Responsibilities include maintaining an inventory of BAs, ensuring BAAs are executed and current, verifying that every service that requires PHI is covered by an agreement, and coordinating incident response and breach communications as defined in the contract.

Content Requirements for BAAs

A robust BAA should capture all required elements and clarify operational expectations so both parties can execute consistently. At minimum, include:


  • Permitted and required uses and disclosures of PHI by the BA, including for the BA’s proper management and administration and to meet legal obligations.
  • A prohibition on other uses/disclosures and a commitment to apply the minimum necessary standard.
  • Security Rule Compliance obligations: risk analysis, safeguards, workforce training, and ongoing evaluations.
  • Incident and breach reporting: prompt notification of any impermissible use or disclosure, security incident, or breach, with defined timelines and required details.
  • Subcontractor flow-down: the BA will obtain a Subcontractor Business Associate Agreement that imposes the same restrictions and conditions.
  • Individual rights support: timely assistance with access to PHI, amendments, and accounting of disclosures.
  • Availability to the Department of Health and Human Services for compliance review or audit.
  • Return or destruction of PHI upon termination; where infeasible, continued protections and limited use.
  • Termination rights for material breach and procedures for cure, reporting, and cooperation.
  • Restrictions on marketing, sale of PHI, and other uses requiring individual authorization.
  • Documentation and record retention (generally six years for HIPAA-required documentation).

Subcontractor Obligations Under BAAs

The Omnibus Rule extends obligations to subcontractors that create, receive, maintain, or transmit PHI for a BA. The BA must ensure each subcontractor signs a Subcontractor Business Associate Agreement with the same protections, safeguards, and breach duties.

  • Perform due diligence: assess security posture, data flows, locations, and services that implicate PHI.
  • Flow down technical and administrative controls: encryption, access management, logging, vendor onboarding/offboarding, and incident handling.
  • Establish monitoring and audit rights: require timely evidence of controls, penetration test and risk assessment results, and remediation tracking.
  • Align data lifecycle terms: least-privilege access, data minimization, approved subcontracting, and secure return/destruction of PHI at contract end.

Breach Notification Requirements

Under the Breach Notification Rule, a BA must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. “Discovery” occurs when the incident is known or would have been known with reasonable diligence.

What to include in a BA’s notice to the covered entity

  • A brief description of what happened, including dates of the breach and discovery.
  • Types of PHI involved (for example, names, SSNs, diagnoses, treatments, account numbers).
  • Known or suspected number of affected individuals and any available contact information.
  • Steps individuals should take to protect themselves, mitigation performed, and corrective actions.
  • Contact information for follow-up and coordination.

Risk assessment and exceptions

Document the risk assessment addressing the nature and extent of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and mitigation. If the assessment shows a low probability of compromise, the incident may not be a reportable breach; retain documentation supporting the determination.

Enforcement and Penalties for Non-Compliance

The Department of Health and Human Services—through the Office for Civil Rights—investigates complaints, conducts audits, and negotiates corrective action plans. HIPAA Enforcement Actions use a tiered civil penalty structure that increases with culpability, and penalties are adjusted periodically for inflation. Serious or uncorrected violations can lead to substantial monetary settlements and mandated remediation.

Criminal penalties, enforced by the Department of Justice, can apply to knowingly obtaining or disclosing PHI in violation of HIPAA, with higher penalties for offenses committed under false pretenses or for personal gain or malicious harm. Contractual exposure also exists: failing to meet BAA obligations can trigger indemnity, termination, and reputational harm.

Key takeaways

  • Identify all BAs and subcontractors that handle PHI and execute current BAAs before any disclosure.
  • Embed Security Rule Compliance into operations: risk analysis, safeguards, and continuous monitoring.
  • Flow down obligations via a Subcontractor Business Associate Agreement and verify performance.
  • Operationalize the Breach Notification Rule with clear timelines, templates, and escalation paths.
  • Prepare for oversight by the Department of Health and Human Services and document decisions defensibly.

FAQs

What is a Business Associate under HIPAA?

A Business Associate is a vendor or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity (or another BA) to perform services like billing, IT, analytics, or cloud storage. Because it handles PHI, a BA is directly subject to specific HIPAA obligations and must sign a BAA.

What must be included in a Business Associate Agreement?

A BAA must set permitted uses/disclosures; require Security Rule safeguards; mandate incident and breach reporting; impose subcontractor flow-down; support individual rights (access, amendments, accounting); allow HHS review; require return/destruction of PHI at termination; and authorize termination for material breach, among other necessary restrictions.

How does the Omnibus Rule affect subcontractors?

Subcontractors that handle PHI for a BA are themselves BAs with direct HIPAA obligations. The primary BA must execute a Subcontractor Business Associate Agreement mirroring the main BAA and verify the subcontractor’s safeguards, reporting, and ongoing compliance.

What are the penalties for HIPAA non-compliance?

Penalties range from corrective action plans and tiered civil monetary penalties (escalating with culpability and adjusted for inflation) to, in egregious cases, criminal prosecution. Enforcement is led by HHS’s Office for Civil Rights, and failure to meet BAA terms can also result in contractual damages and termination.
