How to Draft a Compliant HIPAA Business Associate Agreement, Step-by-Step

Kevin Henry

HIPAA

July 14, 2024

7 minute read
A well-crafted Business Associate Agreement (BAA) is the contract that makes a vendor relationship permissible under HIPAA and protects patient privacy under the HIPAA Privacy Rule. Use this step-by-step guide to draft a clear, enforceable agreement that assigns responsibilities, limits risk, and keeps Protected Health Information (PHI) safe.

Identify the Parties

Precisely name the Covered Entity and the Business Associate, including any affiliates bound by the BAA. State whether the covered entity is a hybrid entity and whether the business associate engages subcontractors that will create, receive, maintain, or transmit PHI on its behalf.

List points of contact and scope

  • Provide legal addresses and designate privacy and security contacts for each party.
  • Record the effective date, services in scope, data environments (systems, locations, cloud regions), and onboarding timelines.
  • Reference any covered entity policies the business associate must follow, including stricter, organization-specific privacy rules that go beyond HIPAA's floor.

Key definitions

  • Define “PHI,” “ePHI,” “minimum necessary,” “breach,” “security incident,” and “subcontractor” exactly as used throughout the agreement.
  • Confirm that “subcontractor” includes downstream vendors who must sign written agreements mirroring this BAA.

Define Protected Health Information

Set the boundaries of PHI

Describe the PHI categories the business associate will handle (for example, claims data, clinical notes, images, billing records). Distinguish PHI from de-identified data, and specify whether limited data sets are used. State formats (paper, voice, ePHI) and where PHI will be stored and processed.

Minimum necessary and data mapping

  • Require the business associate to access, use, or disclose only the minimum necessary PHI to perform contracted services.
  • Include a current data map: data elements, systems, integrations, and retention periods. The map drives safeguards planning and is what you will reach for first when scoping an incident.
  • Prohibit combining PHI with unrelated datasets unless expressly approved by the covered entity.

Outline Permitted Uses and Disclosures

What the business associate may do

  • Use and disclose PHI solely to perform services for the covered entity or as required by law.
  • Allow internal uses for management, legal, and auditing, provided PHI is protected and disclosures are limited.
  • Permit de-identification consistent with HIPAA standards when authorized, with no re-identification or sale of de-identified data unless expressly allowed.

What requires authorization or is prohibited

  • Marketing, sale of PHI, or other non-treatment activities require a valid HIPAA authorization from the individual or explicit written instruction from the covered entity.
  • Prohibit any use or disclosure that would be impermissible if done by the covered entity itself, or that is inconsistent with the BAA, the service agreement, the covered entity's own policies, or applicable law.
  • Mandate adherence to the minimum necessary standard for all requests and disclosures.

Documentation and oversight

  • Maintain logs for disclosures that require an accounting and support audits by the covered entity or regulators.
  • Flow down all restrictions to subcontractors in written agreements, so every downstream party is bound by the same limits.

Implement Safeguards

Align with the Security Rule

  • Administrative safeguards: risk analysis, risk management plan, workforce training, access provisioning, vendor management, and sanctions for violations.
  • Technical safeguards: unique user IDs, role-based access, multi-factor authentication, encryption in transit and at rest, endpoint protection, secure software development, and audit logging with regular review. Note that encryption is an "addressable" specification under the Security Rule, so a business associate could otherwise document a reason not to encrypt; make it mandatory in the BAA and name the expected standards (for example, current TLS for transit and full-disk or database-level encryption at rest).
  • Physical safeguards: facility access controls, device/media controls, secure disposal, and environmental protections for data centers.

Program and assurance measures

  • Maintain an incident response plan, disaster recovery and business continuity plans, and documented change management.
  • Conduct periodic security evaluations and share executive summaries or attestation reports with the covered entity upon request.
  • Bind subcontractors through written agreements with security and privacy terms at least as protective as this BAA.

Report Unauthorized Uses or Disclosures

Breach notification and timing

  • Define "discovery" of a breach consistently with HIPAA: the first day the breach is known to the business associate, or by exercising reasonable diligence would have been known, to any person (other than the one committing the breach) who is a workforce member or agent. Require notice to the covered entity without unreasonable delay.
  • Set a contractual outer limit for the business associate to notify the covered entity (for example, within 5–10 days). The regulation alone gives the business associate up to 60 days, which could consume the covered entity's entire window: the covered entity must notify individuals without unreasonable delay and no later than 60 days after its own discovery, and if the business associate acts as the covered entity's agent, the business associate's discovery is imputed to the covered entity and starts that clock.

Risk assessment and content of notices

  • Require a documented four-factor risk assessment to determine whether an impermissible use or disclosure is a reportable breach: (1) the nature and extent of the PHI involved, including identifiers and the likelihood of re-identification; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated. An impermissible use or disclosure is presumed to be a breach unless this assessment shows a low probability that the PHI was compromised.
  • Notice to the covered entity must include: incident timeline, types of PHI involved, number of individuals affected, whether PHI was acquired or viewed, mitigation steps, and corrective actions.
  • Specify who drafts and sends individual, media, and HHS notices, and how costs are allocated if the breach is attributable to the business associate.

Ongoing duties

  • Mitigate harmful effects, cooperate with investigations, and preserve logs and evidence.
  • Report and manage security incidents that are not breaches, with trend reporting to the covered entity.
  • Retain breach-related documentation, including risk assessments and notices, for at least six years, the HIPAA retention period for compliance documentation.

Ensure Compliance with Patient Rights

Right of access

  • Support the covered entity in providing individuals access to PHI in a designated record set within required timeframes (generally 30 days, with one 30-day extension), in the requested format if readily producible.
  • Transmit ePHI to a third party at the individual’s direction when instructed by the covered entity.

Amendments and accounting

  • Process amendment requests, apply approved corrections, and notify relevant downstream recipients.
  • Maintain disclosure records to support an accounting of disclosures within required timelines (generally 60 days from the request, with one 30-day extension).

Restrictions and confidential communications

  • Honor restrictions, opt-outs, and confidential communication requests communicated by the covered entity.
  • Escalate any individual rights requests received directly to the covered entity unless the BAA authorizes the business associate to act.

These provisions operationalize the HIPAA Privacy Rule while keeping responsibilities clear and auditable.

Address Termination Procedures

Termination for cause and cure

  • Allow termination if a material breach is not cured within a defined period after notice.
  • Permit immediate suspension of PHI access if there is a serious risk to privacy or security.

Return, destruction, and survival

  • Upon termination, return or securely destroy all PHI, including backups and test data, and retain no copies. If return or destruction is infeasible, extend the BAA's protections to that PHI for as long as it is retained and limit further uses and disclosures to the purposes that make return or destruction infeasible.
  • Ensure subcontractors also return or destroy PHI and certify completion.
  • Specify post-termination duties that survive (confidentiality, breach cooperation, record retention).

Transition and verification

  • Define transition assistance, data migration formats, key escrow, and timeline for the covered entity to retrieve PHI.
  • Allow the covered entity to audit PHI disposition and receive a final attestation from the business associate.

Conclusion

By identifying the parties, defining PHI, limiting uses and disclosures, enforcing robust safeguards, establishing swift breach reporting, honoring patient rights, and planning clean termination steps, you create a practical BAA that satisfies HIPAA's contract requirements and protects patients' data throughout the relationship.

FAQs

What is a HIPAA Business Associate Agreement?

A BAA is a contract between a covered entity and a business associate that defines how PHI will be used, disclosed, safeguarded, and returned or destroyed. It operationalizes the HIPAA Privacy Rule and Security Rule, assigns responsibilities, and binds subcontractors through written flow-down terms.

How do you ensure PHI protection under a BAA?

Specify safeguards across administrative, technical, and physical controls; enforce minimum necessary access; require encryption and logging; mandate incident response and breach notification with contractual deadlines; and conduct periodic risk assessments. Flow down identical protections to all subcontractors.

What are the termination requirements for a BAA?

Provide for termination for cause if violations are not cured; require return or secure destruction of PHI (with continued protections if destruction is infeasible); ensure subcontractors do the same; and preserve surviving obligations like confidentiality, cooperation on breach response, and record retention.

Can a BAA include subcontractor obligations?

Yes, and HIPAA requires it: the business associate must obtain written agreements from its subcontractors that impose the same privacy, security, and breach reporting duties. Subcontractors should notify the business associate promptly about incidents so that the business associate, and in turn the covered entity, can meet all regulatory deadlines.
