How to Draft a HIPAA-Compliant Business Associate Agreement


Kevin Henry

HIPAA

January 18, 2024

7 minute read

A well-drafted Business Associate Agreement (BAA) is the foundation for sharing Protected Health Information (PHI) with vendors while meeting HIPAA obligations. This guide shows you how to write a HIPAA‑compliant BAA that minimizes risk, prevents unauthorized disclosure, and clearly assigns responsibilities.

By aligning contract language with the HIPAA Security Rule, breach notification standards, and enforcement realities like direct liability, you create a practical, enforceable document that works in day-to-day operations—not just on paper.

Definition of Business Associate

A Business Associate (BA) is any person or entity, outside your workforce, that creates, receives, maintains, or transmits PHI for functions or services on your behalf. Typical examples include billing companies, cloud and data hosting providers, IT support, e‑fax and e‑signature platforms, shredding vendors, consultants, and analytics firms.

Subcontractors of a BA that handle PHI are also treated as BAs. They assume the same obligations and face direct liability for certain HIPAA violations, even if they do not contract directly with the covered entity.

“Mere conduits” that transport information without routine access to PHI (for example, the postal service) generally are not BAs. If a vendor can view, store, or manipulate PHI—even incidentally—you should treat the relationship as a BA arrangement and require a BAA.

Required Elements of a Business Associate Agreement

Your BAA should translate HIPAA’s requirements into clear, enforceable clauses. Use plain language, define timelines, and specify who does what. At minimum, include these elements:

  • Permitted uses and disclosures: Specify how the BA may use and disclose PHI, limited to what is necessary to perform contracted services and consistent with the minimum necessary standard.
  • Prohibition on unauthorized disclosure: Bar any use or disclosure not expressly permitted, including uses for the BA’s own purposes unless explicitly authorized.
  • Safeguards: Require the BA to implement “reasonable and appropriate” administrative, physical, and technical safeguards consistent with the HIPAA Security Rule.
  • Breach notification and incident reporting: Obligate the BA to notify you of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, and to report security incidents as defined in the agreement.
  • Access, amendment, and accounting support: Require the BA to help you meet individual rights (access, amendment, and accounting of disclosures) within required timelines.
  • Subcontractor compliance: Mandate that any subcontractor with PHI agrees in writing to the same restrictions and safeguards (flow‑down obligations).
  • HHS access: Permit the BA to make relevant records available to the Secretary of HHS for compliance investigations.
  • Return or destruction of PHI: On termination, require prompt return or secure destruction of PHI; if infeasible, extend protections and limit further use.
  • Material term violation and termination: Allow termination if the BA violates a material term and fails to cure within a defined period, or permit immediate termination if cure is infeasible.
  • Direct liability acknowledgment: Note that the BA may be directly liable under HIPAA for certain violations, in addition to contractual remedies.

Safeguards Required by the Security Rule

Your BAA should do more than cite the HIPAA Security Rule—it should operationalize it. Reference a written information security program and require periodic evidence of compliance proportional to risk.

Administrative safeguards

  • Risk analysis and risk management tailored to systems storing or transmitting ePHI.
  • Policies for access authorization, workforce onboarding/offboarding, and sanctioning workforce violations.
  • Security awareness and phishing training, plus vendor management and incident response procedures.
  • Contingency planning: backup, disaster recovery, and emergency operations testing.

Physical safeguards

  • Facility access controls and visitor management.
  • Workstation and device security, including secure storage and disposal of media containing ePHI.
  • Inventory and tracking of assets that store or process ePHI.

Technical safeguards

Reporting Requirements

Distinguish routine security incidents (for example, blocked malware) from reportable events and breaches. Define what must be reported, to whom, and how quickly, so you receive timely, actionable information.

For a breach of unsecured PHI, require the BA to notify you without unreasonable delay and in no case later than 60 days after discovery. The notice should include the incident timeline, a description of the PHI involved, the circumstances of the unauthorized disclosure, the number of affected individuals, mitigation steps taken, and contact information for follow‑up.

Set expectations for security incident reporting (for example, high‑severity incidents within 24–72 hours with interim updates until containment and root‑cause analysis are complete). Clarify that you, as the covered entity, handle required individual and regulator breach notifications, with BA support for investigation and documentation.

Compliance with Individual Rights

Your BAA should require the BA to help you fulfill individual rights under the Privacy Rule. This includes providing access to designated record sets in the requested format when feasible (often electronic), generally within 30 days, and supporting amendments by recording corrections or appending statements of disagreement.

For the accounting of disclosures, require the BA to log disclosures it makes (other than for treatment, payment, and health care operations, or as otherwise excluded) and to retain documentation for at least six years. The BA should also cooperate with restrictions, confidential communications, or other applicable directives you accept for an individual.

Specify a single point of contact, secure transmission methods, and service‑level expectations so requests are routed quickly and handled consistently.

Subcontractor Obligations

Flow‑down is non‑negotiable. Your BAA must require subcontractor compliance with the same privacy and security obligations whenever a subcontractor creates, receives, maintains, or transmits PHI on the BA’s behalf.

Build practical guardrails: require prior written approval of subcontractors handling PHI, documented due diligence, security addenda, right‑to‑audit or independent assurance reports, and pass‑through breach notification duties. Make clear that subcontractors, like BAs, face direct liability for certain HIPAA violations.

Termination Rights

Spell out when and how you can end the relationship. If you know of a pattern of activity or practice by the BA that constitutes a material term violation, require prompt cure within a defined period. If cure is infeasible, reserve the right to terminate immediately.

Upon termination, require return or destruction of PHI within a fixed window. If destruction is infeasible, limit further use to protections in the BAA and require ongoing safeguards and breach notification duties until PHI is securely disposed.

In summary, a strong, HIPAA‑compliant BAA ties permitted uses, security controls, breach notification, individual rights, subcontractor compliance, and termination remedies into one cohesive framework. When each clause is specific, time‑bound, and auditable, you reduce risk while enabling efficient, compliant operations.

FAQs

What is a Business Associate under HIPAA?

A Business Associate is a person or entity outside your workforce that creates, receives, maintains, or transmits PHI for functions or services on your behalf. Examples include IT providers, cloud hosts, billing firms, and consultants who can access PHI. Subcontractors that handle PHI for a BA are also treated as BAs.

What are the mandatory provisions of a HIPAA Business Associate Agreement?

Core provisions include permitted uses/disclosures, prohibitions on unauthorized disclosure, Security Rule safeguards, breach notification (with timelines), support for access/amendment/accounting, subcontractor compliance, HHS access, PHI return or destruction at termination, and termination rights for material term violation, along with acknowledgment of the BA’s direct liability.

When is a Business Associate Agreement not required?

A BAA is generally not required for “mere conduit” services that transport information without routine access to PHI (such as the postal service), or for disclosures to providers for treatment purposes where no services are being performed on your behalf. When in doubt, treat the relationship as BA and use a BAA.

How can a covered entity terminate a BAA?

If the BA violates a material term, the covered entity should provide notice and an opportunity to cure within a specified period. If the BA cannot cure—or if cure is infeasible—the covered entity may terminate the BAA immediately and require return or secure destruction of PHI, with continued protections for any PHI retained.
